Phishing
Escaping the phishing net
Phishing continues to be one of the fastest-growing classes of identity theft scam on the Internet. It can be curbed with a blend of technology, policy guidelines and user awareness, writes Nivedan Prakash
Phishing has become a serious problem in India.
Leading banks, or rather their depositors, have been targeted over
the past year and the biggest challenge faced is the lack of
awareness that Indian Net banking users have about such fraudulent
practices. This lets phishers lay their traps and scam ignorant Net
banking users. With the success rate being high, phishing attacks
have multiplied and become more refined.
These attacks are sophisticated and are no longer limited to obtaining user account details; they also seek access to all of a victim's personal and financial data. Initially recipients were simply prompted to reply to e-mails with their password and credit card details. More recent attacks have involved fake Web sites, the installation of Trojan-horse key-loggers, screen capture programs and man-in-the-middle data proxies, all of them delivered through that most ubiquitous of applications: e-mail.
Symantec observed 87,963 phishing Web site hosts
during the second half of 2007. This was an increase of 167% from
the first half of 2007, when the company detected 32,939 phishing
Web site hosts. Between the second half of 2006, when 13,353
phishing Web site hosts were detected, and the second half of 2007,
Symantec observed a dramatic increase of 559% in phishing Web site
hosts.
According to the Gartner Group, victims of
phishing attacks are three times more likely to suffer some form of
identity theft than the general population. Meanwhile, attempts to
deal with the growing number of reported phishing incidents include
legislation, user training, public awareness, and technical
measures. However, despite advanced filtering, better law
enforcement, greater efforts at user education, and other measures,
reports of phishing have not declined.
Mitigating the threat posed by phishing requires a layered approach to Internet and communications security. Employing a combination of technology-based, policy-based and behaviour-based controls can drastically reduce an organization's vulnerabilities. As security is a never-ending race against threats, it is important to review the existing security infrastructure on a regular basis. Threats are dynamic and evolutionary: the minute one is dealt with, another emerges to take its place.

Current scenario
"The trend is towards targeting some brands with an intention of financial gain"
- Mahesh Gupta, Business Development Manager, Network Security, Cisco

"In the last six months of 2007, Symantec observed 345 unique phishing URLs with IP addresses hosted in India. We have also observed more than 400 unique phishing attacks on reputable Indian banks"
- Prabhat Kumar Singh, Director, Symantec Response Lab

"Customers should also be aware of e-mail messages that ask for account information such as login ids, PIN details, card details, and ensure that e-mail received is digitally signed to be sure that the mail has come from a genuine source"
- Srinivas Sripada, Vice-president, Quality, Perot Systems
It is a well-known fact that India, along with other developing nations, is being targeted by phishers. Unsuspecting users have fallen prey because of the new social engineering approaches the phishers have adopted.
Nowadays, users are asked to fill out survey forms for a particular financial institution and are promised a reward, such as a resort holiday, which requires the victims to fill in personal information. Once this information is given away, the phishers have a field day. Other phishing mails lure users with a handsome lottery prize; to claim it, the user needs to provide a personal account number for the funds transfer. Instead of money flowing into the account, it flows out.
Commenting on the current trends in phishing,
Akshay Garkel, Senior Consultant, Professional Services, Datacraft
Asia, said, “As per CERT-IN, a total of 392 phishing incidents were
reported by various national and international agencies during 2007.
The threat has taken an upward toll in terms of the number of
incidents reported in the year 2008. 27% of the attacks reported to
CERT-IN have been phishing attacks.”
Current phishing trends amount to online identity theft that uses both social engineering and technical tricks to steal personal identities and financial account credentials. On the technical side, crimeware is planted onto PCs to steal credentials directly, often using key-logging software to intercept consumers' online account user names and passwords, and local and remote navigational infrastructure (such as hosts files and DNS) is corrupted to misdirect consumers to fake Web sites and away from the real ones.
Samuel Sathyajith, Country Manager-India and
SAARC, Arbor Networks, said, “The techniques used for phishing have
changed little but their distribution and sophistication in
deployment have changed greatly. Phishers are using botnets as a
primary method of distribution as well as to host collection Web
sites. The use of botnets allows phishing sites to constantly move
which makes them more difficult to trace.”
“Online fraud is evolving. Phishing and pharming
represent one of the most sophisticated, organized and innovative
technological crime waves faced by online businesses. Fraudsters
have new tools at their disposal; and are able to adapt more rapidly
than ever,” added Amuleek Bijral, Country Manager, India and SAARC,
RSA.
Among the phishing trends Symantec observed during the second half of 2007, the majority of brands targeted by phishing attacks were in the financial services sector, accounting for 80% of the total. The financial services sector also accounted for the highest volume of phishing Web sites during this period, at 66%, down slightly from 72% in the first half of 2007. Since most phishing activity pursues financial gain, successful attacks using brands in this sector are likely to yield profitable data, such as bank account credentials, making this sector an obvious focus for attacks.
Surendra Singh, Regional Director, India and
SAARC, Websense, pointed out, “Phishing is becoming more
sophisticated in the sense that it capitalizes on various high
profile events/places/people to lure users into clicking a link or
visiting a malicious Web site. For example, take the China
earthquake donation phishing attack, where Websense Security Labs
discovered phishing attacks that targeted donors to victims of the
recent earthquake in China. The phishing site posed as a
representative of the Red Cross and provided multiple bank account
numbers for donors to wire their donations to.”
Mahesh Gupta, Business Development Manager,
Network Security, Cisco, said, “The trends are more towards
targeting some brands with the financial gain intent. These days the
phishing sites are posted on a shared domain and their lifetime
which earlier was 6-7 days now has shrunk to a couple of days.”
Other trends
Phishing attacks have crossed the boundaries of
e-mail and have targeted an easier option—the telephone. As users
have realized the ill effects of phishing, they have taken
precautions to safeguard themselves. This is the reason why phishers
have opted for phone phishing, as after the Internet, it is the
second largest mode of communication.
In phone phishing the victim is induced to call a number and give away vital information such as credit card numbers. For example, citing irregularities on a credit card account, a voice mail may ask you to call your bank at the telephone number mentioned in the message. On calling, if you follow the prompts on the IVR you will end up giving your credit card number, ostensibly for verification. Once you do that, your number has been captured and is ripe for misuse. Even phone banking is no longer secure thanks to scams like these.
The technique to protect yourself from phone
phishing is the same as one would use online—keep confidential
information secret. The best advice, short of not responding at all,
is to simply say that you are not interested and to hang up. You can
then independently contact (by using the printed number from your
statement) your bank to see if the information is needed for a
legitimate reason.
Voice over IP is rapidly becoming standard for many enterprises as well as home users. This has made the automated solicitation of households for fraud purposes such as phone phishing, or Vishing, much simpler. The trend is a challenge to traditional systems that look only for Web-based phishing threats: Vishing is a new and separate type of threat, targeting an area (VoIP) that traditional security tools do not address.
Vishing basically uses social engineering
techniques and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose
of financial reward. The term is a combination of voice and
phishing. Vishing exploits the public’s trust in landline telephone
services, which have traditionally terminated in physical locations
which are known to the telephone company, and associated with a
bill-payer. The victim is often unaware that VoIP allows for caller
ID spoofing, inexpensive, complex automated systems and anonymity
for the bill-payer. Vishing is typically used to steal credit card
numbers or other information used in identity theft schemes from
individuals.
Digvijaysinh Chudasama, VP-Sales, Cyberoam India, pointed out, “Malicious hackers are
turning to Net phone systems in a bid to trick people into handing
over personal details. Security firms have identified several scams
in which Net phone systems are harnessed to try to catch out
potential victims by convincing people to hand over useful details
such as credit card numbers, bank account details or personal
information. The scam has been dubbed ‘Vishing’ because, like
phishing, its practitioners pose as banks and other financial
institutions but use Voice over IP (VoIP) technology.”
The industry experts are also pointing towards
another trend, called ‘Spear phishing’, which is a technique whereby
e-mails that appear genuine are sent to all the employees or members
within a certain company, government agency, organization, or group.
Much like a standard phishing e-mail, the message might look like it
comes from an employer, or from a colleague who might send an e-mail
message to everyone in the company, in an attempt to gain login
information. Spear phishing scams work to gain access to a company’s
entire computer system.
Extent of damage
The financial damage that a phishing attack can do to financial institutions and e-commerce sites can amount to millions of dollars. A phishing attack hurts consumers as well as businesses. Data theft threats against businesses cause hundreds of millions of dollars in monetary damage, and they hurt customer confidence to boot. Fear of brand damage can also cause businesses to hide data theft attacks, making it hard to quantify the true impact of this phenomenon.
Digvijaysinh Chudasama, VP-Sales, Cyberoam India,
commented, “Indirect losses are much higher, including customer
service expenses, account replacement costs, and higher expenses due
to decreased use of online services in the face of widespread fears
about the security of online financial transactions. Phishing also
causes substantial hardship for victimized consumers, due to the
difficulty of repairing credit damaged by fraudulent activity. They
can curb phishing attacks by educating users about safe Internet
usage and awareness programs on possible phishing attacks and how to
be safe on the Internet.”
The impact of a phishing attack on a financial institution or e-commerce site varies with the intensity of the attack. It can include direct financial loss to the organization; damage to the institution's integrity as clients shy away from the site (Internet banking or e-commerce site); an easy incentive for cross-border crime; and the difficulty of tracing the attacker, which is often next to impossible to prove to the cyber law cell or in a court of law. This may also lead to difficulty in claiming insurance for the data theft.
Ambarish Deshpande, Regional Director, India and
SAARC, IronPort Systems, stated, “Ultimately, phishing reduces the
target audience’s willingness to enter financial data into [the
online portals] of commercial entities. There is less willingness to
transact online, and the online transaction model is most profitable
for business.”
Damage caused by phishing ranges from denial of
access to substantial financial loss. This style of identity theft
is becoming more popular, because of the readiness with which
unsuspecting people often divulge personal information to the
phisher, including credit card and social security numbers. There
are also fears that identity thieves can add such information to the
knowledge they gain simply by accessing public records. Once this
information is acquired, the phisher may use a person’s details to
create fake accounts in a victim’s name. They can then ruin the
victims’ credit or even deny victims access to their own accounts.
Deepak Thakur, Senior Research Analyst, ICT
Practice, Frost & Sullivan, South Asia and Middle East, pointed
out, “Online banking, online shopping, e-commerce or any
e-transaction comes under direct threat of phishing. An individual
would not be aware if he has lost money till he checks his account
and the loss could be huge. This severely affects the trust factor
of the user over the online service provided by the institution for
convenience. This experience spreads mistrust on such services
directly hampering the business of financial institutions and
e-commerce.”
Adding to it, Prabhat Kumar Singh,
Director–Symantec Response Lab, explained, “Banks are one of the
sensitive organizations that are watched closely by hackers.
Phishing in banking organization has helped hackers gain
financially. In the last six months of 2007, Symantec observed 345
unique phishing URLs with IP addresses hosted in India. Symantec
also observed more than 400 unique phishing attacks on reputable
Indian banks. Out of these, some of the attacks involved the use of
compromised ‘.gov’ servers to launch phishing attacks on other
brands.”
Here we also look at some of the cases in which Indian banks and other enterprises have fallen victim to phishing attacks. According to a new survey conducted by Singapore-headquartered software product company ReadiMinds, around 30% of India's top banks have fallen victim to identity theft in the last one year. There have been reports of phishing incidents in the recent past at India's large state-owned banks, such as the State Bank of India, and at large private banks, such as ICICI Bank and UTI Bank. As per the findings of UTI Bank's security department, the phishers sent more than 1,00,000 e-mails to account holders of UTI Bank as well as other banks.
On January 4, 2008 and January 10, 2008, top
banking organizations HDFC and ICICI were targets of phishing
attacks in which e-mails were directed to users that said the banks
were updating their online security mechanism, so the user should
key-in his banking information in the Web site that the fake e-mail
led them to. Considering that ‘phishing’ was pretty much unheard of
in India a few years back, this frequency is something to be
concerned about.
“In 2005, there were only two banks which were
attacked in India. This number increased to 12 banks being attacked
during 2006-2007. In September-October 2006, India was among the top
10 countries hosting phishing sites. Financial services was the most
targeted industry sector accounting for 91.5% of all attacks in the
month of September 2006,” commented Singh from Websense.
Conceding that phishing has targeted almost every
bank and other such institutes in India, including ICICI, HDFC or
HSBC banks, Vijay Merchant, VP-Marketing, Micro Technologies, added,
“Recently, ICICI lodged a complaint against phishing. A customer had
complained about an irrelevant inquiry about account details and
when the police looked into the case it was found to be a case of
phishing.”
Apart from these, industry experts are seeing a shift of phishing targets, from high profile big brands like Citicorp or eTrade to community banks and smaller financial institutions that spend far less on customer education and anti-phishing protection. Their users are an easier target as well.
Anti-phishing solutions
All employees of an organization who use the Internet are susceptible to phishing attacks. Enterprises require an integrated Web security solution that protects employees and the organization from phishing and fraud-based attacks. Phishing threats can be mitigated by blocking access to the phishers' malicious Web sites, thereby rendering the phishing attack harmless. Integrated Web security solutions need to be deployed that prevent spyware, malicious mobile code and other Web-based threats, and that block key-logger back-channel transmissions to the phishers' collection sites.
Enterprises also need to protect employees from
phishing and pharming, and control the sending and receiving of
instant messaging attachments. A real-time security update is
essential for immediate protection from new security threats with
reporting and analysis that provide organizations with information
on user access to fraudulent sites or vulnerability to malicious
code.
Govind Rammurthy, CEO and MD, MicroWorld, said,
“Anti-phishing solutions such as, blacklisting phishing Web sites,
blacklisting mails from unknown phishers, maintaining a database of
blacklisted phishing Web sites are proving effective. On the other
hand, network intrusion and anti-hacking devices need to be
installed on the Web server along with software that authenticates
the domain from which mails are sent.”
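The two controls discussed above, blocking access to blocked or lookalike phishing hosts and authenticating the domain from which mails are sent, can be combined in a simple mail-gateway check. The following is an added example, not code from the article or from any vendor quoted in it. It implements a subset of SPF (the ip4, ip6, include and all mechanisms only) over an embedded table that stands in for DNS TXT lookups, and checks the links in a message body against a blocklist and a protected-brand table. All domains, IP addresses, records and the sample message are constructed, using reserved .test names and documentation address ranges; a real deployment would resolve the SPF records via DNS and load the blocklist from a threat feed.

```python
"""Mail-gateway style checks: is the sending host authorised for the From:
domain (simplified SPF), and do links in the body point at blocked or
lookalike hosts?  All records, domains and the message are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for DNS TXT lookups; a real gateway would resolve these.
SPF_RECORDS = {
    "examplebank.test": "v=spf1 ip4:203.0.113.0/24 include:mailer.examplebank.test -all",
    "mailer.examplebank.test": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate an SPF record (subset of RFC 7208: ip4/ip6/include/all)."""
    if depth > 10:                      # RFC 7208 limit on nested lookups
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # Membership test is False across IP versions, so ip4 never matches an IPv6 sender.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                    # a, mx, exists etc. are not handled by this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no trailing "all"


# Constructed blocklist and protected-brand table (brand token -> real domain).
BLOCKLIST = {"account-update.test"}
PROTECTED_BRANDS = {"examplebank": "examplebank.test"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def url_verdict(url):
    """Classify a link as blocked, a raw-IP host, a brand lookalike, or ok."""
    host = (urlparse(url).hostname or "").lower()
    if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
        return "blocked"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "ip-host"                # a bank does not ask you to log in at a bare IP
    for token, real in PROTECTED_BRANDS.items():
        under_real = host == real or host.endswith("." + real)
        if token in host.replace("-", "") and not under_real:
            return "lookalike"          # brand name used outside the brand's own domain
    return "ok"


def assess_message(sender_ip, from_domain, body):
    """Return the SPF result, a verdict per link, and a deliver/quarantine decision."""
    spf = spf_check(from_domain, sender_ip)
    urls = {u: url_verdict(u) for u in URL_RE.findall(body)}
    suspicious = spf in ("fail", "softfail") or any(v != "ok" for v in urls.values())
    return {"spf": spf, "urls": urls, "action": "quarantine" if suspicious else "deliver"}


# Constructed sample: claims to be the bank, arrives from an unauthorised host,
# and links to a lookalike domain and a raw IP.
SAMPLE_SENDER_IP = "192.0.2.77"
SAMPLE_FROM_DOMAIN = "examplebank.test"
SAMPLE_BODY = """We are updating our online security mechanism.
Please confirm your details at https://examplebank-verify.test/update
or via http://192.0.2.80/login within 24 hours."""

if __name__ == "__main__":
    print(assess_message(SAMPLE_SENDER_IP, SAMPLE_FROM_DOMAIN, SAMPLE_BODY))
```

The SPF evaluator returns "fail" for the sample because the sending address matches neither the bank's own range nor the included mailer record and the record ends in "-all"; the same message from 198.51.100.10 would pass via the include. The link check flags the lookalike host because the brand token appears in a hostname that is not under the brand's real domain, which is exactly the pattern the fake "security update" mails described in this article rely on.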
As the security industry has recognized the
shortcomings of its different solutions, a new generation of
security solutions is shipping with promises of broad visibility and
control. These new tools shift the protection emphasis from guarding
enterprise infrastructure from inbound attacks—a model suited to
perimeter boundaries and the Internet as a content resource—to
guarding essential information from outbound data loss, in tune with
Web 2.0 and the Internet as a business platform.
Edwin Christopher, Security Analyst,
SecureSynergy, added, “We have an anti-phishing solution called TPS
that stands for Total Protection Service, which includes anti-virus,
anti-spyware, desktop firewall and browser protection. This managed
service is provided by SecureSynergy from an ISO 27001 certified
NOC.”
Phishing cannot be handled by a technology solution alone; a solution requires the right blend of technology, policy guidelines and user awareness. A two-pronged approach to stopping these attacks has also worked best: stopping consumers from visiting fraudulent sites, and blocking botnet communications, which often serve as the distribution method for these attacks.
Raghu Raman, CEO, Mahindra Special Services Group,
added, “I believe technology-based as well as pattern-analytic
solutions would prove effective in curbing phishing attacks. I guess
the most powerful tool is ‘education’, wherein the banks and other
financial institutions need to educate their customers on computer
security so that they would be aware what a phishing Web site is and
how do they tackle it. It is essentially to change the whole
behavior of the users.”
Besides anti-phishing solutions, users need to follow certain guidelines that would protect them from phishing thefts. As pointed out by Srinivas Sripada, Vice-president, Quality, Perot Systems, “There should be user level awareness of not sharing confidential data, users must avoid banking at cyber cafes, giving away card and account details, not replying to unknown mails, being aware of spoofed e-mails and spam mails. Customers should also be aware of e-mail messages that ask for account information such as login ids, PIN details, card details, and ensure e-mails received are digitally signed to be sure that the mail has come from a genuine source.”
nivedan.prakash@expressindia.com