Who Will the Phishers Spoof Next? Could Be You.
By Neil Schwartzman
Senior Director, Security Strategy, Receiver Services
Banking online is awesome. The ease, the convenience, the flexibility – what an improvement over bankers’ hours and drive-up pneumatic tubes! And you know it’s trustworthy the same way you find your bank building: look for the logo. Right?
Nope. This is the internet. Anyone can steal anybody else’s logo, set up a web site, and fool millions of people.
What a bummer.
Phishing and related crime is quickly eroding all of confidence in the safety of our personal and financial information online; things are getting worse in this area by the day. And they’re not just getting worse for the banks. Recently, a bank held a corporate customer responsible for financial losses they incurred after being attacked.. Banks don’t like to lose money, so this may become a more frequent story as losses continue to mount.
Dr. Larry Ponemon, president of the Poneman Institute, was recently quoted as saying that data breaches were up 600% in the last year. He said the average cost per record lost is $204. Think of how many records you’ve got in your customer database, just one file on one server. It adds up fast.
Nobody’s more aware of these issues than the Anti-Phishing Working Group (APWG), an organization consisting of technologists, bankers, researchers, law enforcement, and other interested parties (we recently became a member, as well.) Their latest report was recently released, and from their perspective as well, things simply don’t look good for businesses on the net. More brands — their names, logos, domains, everything — are being misused in phishing, and the numbers of unique attacks and payload websites have increased to all-time highs.
A few data points from the report easily illustrate how serious the problem has become:
- “When comparing Q3 2009 to Q3 2008, we observed a 19 percent increase in unique brands being targeted and an 85 percent increase of domain names used in phish attacks.”
- The number of unique phishing reports submitted to APWG reached an all-time high of 40,621 in August, nearly 5.5 percent higher than the previous record of 38,514 in September 2007. And that’s only what they hear about; the majority go unreported.
- The number of unique phishing websites detected by APWG researchers reached a new record in August with 56,362, an increase of nearly 1.3 percent more than the former record of 55,643 in April 2007.
While the financial services and payment sectors are still the predominate vectors of attack, APWG Chair Dave Jevans was quoted on the Bank Info Security blog forecasting corporate bank accounts as the primary current concern:
What really worries Jevans is the targeting of corporate bank accounts and high-wealth customers, as well as the circumvention of authentication technology. “These criminals are rapidly figuring out how the financial industry works, where there is big money and large transfers, so they can basically do large wires out of these accounts without setting off fraud alerts.”
What does this mean for networked companies?
Now, more than ever is time for you to deploy authentication schemes in your email. To start, as everyone’s been saying for years, publish SPF records using “-all” so that receivers who pay attention to SPF know they can safely reject all other messages. Next, deploy DKIM to begin seriously protecting your domains. Return Path published a series of articles on DKIM that we strongly suggest your technical staffers review, and act upon as soon as possible. For added incentive, DKIM will become a standard for our Certification programs later this year.
Obviously, with crimeware running rampant, it is essential to your security that you maintain the highest level of standards on your internal network. All hardware (laptops & desktops, servers, routers, and everything else) and software should be patched as quickly as possible, checks for updates should be performed daily. Remember, despite their best attempts, even he best anti-virus and anti-spyware software catch less than 50% of all the exploits in the wild, there are dozens of pieces of malware using zero-day vulnerabilities out there. The least we can do is clamp down of known issues.
Many security researchers state unequivocally that you should stop using Microsoft Internet Explorer — and the governments of Germany and France agree. Google and even Microsoft say you shouldn’t use IE6 anymore, and should instead upgrade to version 8. But this isn’t just about IE; the important thing is that you need to be ready to question every IT policy — and don’t assume that your vendors will always be transparent when their software is unsafe.
BRAND REPUTATION MONITORING
Using our free senderscore.org, you can see which IP addresses are sending mail purportedly from your domain. Are those IPs all under your control? If not, why are they pretending to be you?
If you’d like to dig deeper into the answers to those questions — and you’re signing your mail with DKIM, or getting ready to start — we’ve got a new product in the works which should help, and we’re looking for a few more pilot customers. Contact us for more information.
Everybody who is paying attention to phishing these days sees the ever increasing threat to businesses on the Internet. It is no longer limited to banks and payment services; the bad guys may go after your corporate bank account, your servers, your customer list, your email systems, and then use those to go after your customers and your partners. Even if your security is perfect and they don’t get any of those things, they’ll still “borrow” your brand. In that case, the best you can hope for is that they’ll merely tarnish your social reputation. Brand protection is now a standard cost of business online.