Executive Conversation: Attacking the Phishing Threat – What Every Company Needs to Know
By now just about every person with an email inbox has been exposed to a phishing scam. Spoofs are showing up with alarming frequency and to make matters worse, criminals have upped the ante with increasingly sophisticated coding and graphics. Gone are the childishly misspelled emails from the High Prince of the Sudan. Advanced techniques leveraging secure phishing servers and high-quality reproductions have contributed to a lucrative criminal enterprise.
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem. According to the APWG, the average phishing operation nets a 5% return on email spoofs. The percentage is alarming considering millions of addresses are included in a single phishing expedition. If a phisher gets 100 answers to his spoof and successfully scams each one for $100, it’s $100,000 easily made.
The demographic responding to phishing scams runs the gamut from the overly trusting elderly to college professors too busy to think twice. As Dave Jevans, Chairman of the APWG, explains, many instances of phishing victimization are the result of sheer coincidence. He uses the example of a consumer applying for credit with the local bank. The next day the consumer finds a spoofed email in his inbox and thinks it is related to his credit application. Acting dutifully, he provides his personal information.
While there is a great need for consumer education, the responsibility for preserving consumer trust falls to the corporations themselves. There are things that companies can do today to greatly minimize the effect of phishing, spoofs and spam.
“The APWG is seeing a huge increase in the sophistication of tricks being used to fool users into thinking that they’re going to a valid website. We’ve been seeing a lot of advanced Java scripts that effectively hide the real location of the server. Basically everything you can do to test that you’re really on a valid website will not provide any indication that the site has been spoofed. It’s very difficult for people to detect. In the last six weeks, the APWG has seen two different technologies deployed that effectively create web bars in your browser. Over the last week we’ve also seen the use of secure websites with certificates, displaying the padlock and the look of a secure connection. Of course it’s a secure connection to a phishing site, so they’re upping the game quite a bit,” says Jevans.
What’s a company to do?
“I think a very important step that many companies don’t take is to educate your customers through warnings posted on your corporate website; detailing the things that you will never ask of your customers, updating them on scams, things of that nature. Companies that don’t take this very basic step are essentially ignoring the problem.”
“Another critical step companies can take is to monitor the registration of what we call ‘cousin domain names,’ which are essentially similar to your company’s domain name. A rather famous cousin domain name that appeared recently was visa-security.com. That email was used to launch a phishing attack spoofing Visa and asking people to update their credit card information. Another recent example would be paypalr.com, which was used to obtain PayPal information,” Jevans explains.
An easy-to-implement, cost-effective approach to anti-phishing would be the monitoring of domain name registration. Companies should subscribe to a domain name service, such as Internet Identity or Name Protect, that conducts audits of existing domain names. These services also provide lists of common names used in phishing, and often recommend that you purchase available related domain names. Additionally, they compile lists of domain names that other people own, names a company should be watching closely and regularly for suspect activity, e.g., “AOL-billing.com”.
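A minimal version of the registration monitoring described above, as an added example rather than anything from the article or from the services it names: it checks a feed of newly registered names against a brand watch list. The watch list, the lure keywords, the feed and the assumption that visa.com, paypal.com and aol.com are the brands' own domains are constructed; the three flagged names are the ones cited in the article.

```python
import re

# Constructed watch list; the look-alike names in the feed are the ones the article cites.
BRANDS = ["visa", "paypal", "aol"]
OWNED = {"visa.com", "paypal.com", "aol.com"}     # assumed to be the brands' own domains
LURES = {"security", "billing", "secure", "login", "update", "account", "support"}
NEW_REGISTRATIONS = ["visa-security.com", "paypalr.com", "AOL-billing.com",
                     "paypal.com", "example-gardening.org"]


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) for a suspected cousin domain, or None."""
    domain = domain.lower().rstrip(".")
    if domain in OWNED:
        return None
    label = domain.split(".")[0]      # sample names have no subdomains
    tokens = [t for t in re.split(r"[^a-z]+", label) if t]
    for brand in BRANDS:
        if label == brand:
            return brand, "same-name-other-tld"
        if brand in tokens:
            lure = LURES.intersection(tokens)
            return brand, "brand+keyword" if lure else "brand+other-word"
        # Typo check only for brands of 4+ letters; short names match too much.
        if len(brand) >= 4 and any(edit_distance(t, brand) == 1 for t in tokens):
            return brand, "typo"
    return None


def review(feed):
    """Map each flagged domain in the feed to its (brand, reason)."""
    return {d: hit for d in feed if (hit := classify(d))}


if __name__ == "__main__":
    for name, (brand, reason) in review(NEW_REGISTRATIONS).items():
        print(f"{name:25} resembles {brand:7} ({reason})")
```

A one-edit typo rule also flags unrelated words that happen to sit one letter away from a brand, so hits from a check like this are a review queue, not a verdict.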
Jevans explained that approximately 20% of phishing attacks originate from a cousin domain name. So what recourse does a company have when they’ve found out someone’s using a similar domain name?
“This is a critical issue companies are faced with right now,” says Jevans. “If someone launches a phishing attack against you and an event has actually occurred, or if they’ve set up a website with your graphics and content and they’re poised to launch an attack, you need to contact the domain name registrar and attempt to get the name revoked. However, domain name registrars may not comply with your request. If an attack has occurred, you should also immediately contact your local high tech crime unit, or Electronic Crimes Task Force (ECTF).”
All major cities in the U.S. have FBI local offices and a connection to computer fraud divisions. The FBI will also contact the registrar, and tends to have a better response rate. In this multi-level approach, companies should also locate the ISP hosting the site (which can be found by looking up the domain registrar) and ask the ISP to take down the site.
When asked whether laws would be helpful in preventing ISPs and domain name registrars from enabling criminal activity, Jevans answers, “There are laws now, but the issue isn’t really the law, it’s the process of those laws. A website that uses all of your graphics and identity is in violation of the Millennium Copyright Act. Even before a criminal has launched a phishing attack they are in violation of the law. A company can file a lawsuit to have that site taken down, or they can file a complaint. However, that’s a 90 day process and that doesn’t really help you. That’s when you have to start working the domain name registrar who may or may not comply. A lot of times, a registrar will want you to provide a court order before they’ll take the site down. So the law is there but it’s the process of enforcement that is at issue.”
“The APWG is working on technical standards for reporting suspicious sites and doing a take-down on them, but that’s going to be a while in coming to fruition. It’s not just coming up with a standard of how to report these things. It’s also going to involve who can report what and how can we verify the information, and how can we prevent a malicious take-down of valid sites. Frankly, developing standards is going to take years,” notes Jevans.
It’s a wild-west email world at the moment. It’s spammers and spoofers, phishermen and organized crime against the brave, good citizens. Rogue ISPs operating in far-flung corners of the earth are offering “bullet-proof sites” that will remain online “no matter what.” With a lack of cooperation from the worst offender nations, it’s a lawless frontier requiring the vigilante justice of town folk with pitchforks.
Jevans characterizes vulnerable companies as financial institutions and ISPs, eCommerce companies, and anyone doing business on the Internet. He recommends putting together a call list of organizations that need to be contacted when a phishing attack occurs. The list should contain contacts at the ECTF, FBI, and for financial institutions, it should also contain the Secret Service. It is recommended that companies make contact with these agencies as soon as possible to develop relationships so that when something occurs, they’ll know who you are and how to immediately address the issue.
It is also recommended that companies take a good look at their email infrastructure. Is it reliable? Does it have filtering capabilities? The APWG is seeing companies get overwhelmed with sudden bounced messages when a phishing attack occurs. It’s similar to an email denial of service attack. If a phisher launches an attack on millions of users and over one million of those addresses bounce back as invalid, overwhelming mail servers and taking them out of service, a company needs to enact filters to keep the attack from taking the server off line.
A sudden influx of bounced messages that a company did not initiate should indicate that a phishing attack is taking place somewhere in their name.
“A company needs to be able to monitor email bounce-backs. This is where a company can practice vigilance. You need to have a response plan and know what to do when this occurs. If you’re an online bank, are you going to turn off online banking for a couple of hours? Are you going to look in your web logs and track account access? Will you notice that suddenly all of your customers seem to have moved to Russia?” asks Jevans.
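One way to monitor for bounces the company did not initiate, as an added example that is not from the article: match each inbound bounce against the Message-IDs the company's own servers sent, count the unmatched ones per hour, and flag sudden jumps. The log format, the addresses and the thresholds are hypothetical, and the log lines are constructed.

```python
import re
from collections import Counter

# Message-IDs our own outbound servers logged as sent (constructed).
SENT_IDS = {"<n1001@mail.example.com>", "<n1002@mail.example.com>"}

# Constructed inbound log in a hypothetical one-line-per-bounce format:
# three routine entries, then 40 bounces for mail we never sent.
LOG = (
    "2004-06-01T09:12:44 bounce orig-id=<n1001@mail.example.com> rcpt=news@example.com\n"
    "2004-06-01T09:47:03 bounce orig-id=<q7f2@dsl-host.invalid> rcpt=support@example.com\n"
    "2004-06-01T10:01:10 bounce orig-id=<n1002@mail.example.com> rcpt=news@example.com\n"
    + "".join(
        f"2004-06-01T10:{m:02d}:00 bounce orig-id=<z{m}@dsl-host.invalid> rcpt=support@example.com\n"
        for m in range(5, 45)
    )
)
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d):\S+ bounce orig-id=(<[^>]+>) rcpt=(\S+)$")


def unsolicited_per_hour(log, sent_ids):
    """Count, per hour, bounces whose original Message-ID we never sent."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group(2) not in sent_ids:
            counts[m.group(1)] += 1
    return counts


def spike_hours(counts, factor=5, floor=20):
    """Hours with >= floor unsolicited bounces and >= factor times the previous logged hour."""
    spikes, previous = [], 0
    for hour in sorted(counts):
        if counts[hour] >= floor and counts[hour] >= factor * max(previous, 1):
            spikes.append(hour)
        previous = counts[hour]
    return spikes


if __name__ == "__main__":
    per_hour = unsolicited_per_hour(LOG, SENT_IDS)
    print(dict(per_hour), "alert:", spike_hours(per_hour))
```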
“If you do business online and it’s an important part of your operations, it’s critical that your online channels aren’t compromised. It’s up to companies to make sure that they have the proper response plan and technologies in place before it happens. One of the trends that the APWG has seen is that once phishing attacks start happening, a company continues to be a target of these attacks. This is primarily due to the work involved in setting up a sophisticated spoof. If it works once, a phisher will do it again and again, and then post the information on hacker websites or trade the information with other phishers.”
Unfortunately, there are many websites that provide phishing templates for hopeful spoofers. Though the process should be illegal, as Mr. Jevans points out, “It’s not illegal to have hacking tools, but it’s illegal to use them. If there is a copy of a phishing template out there that’s not being sold, one, how are you going to track who initiated the template, and two, there are fair use laws surrounding free downloadable copies. Another thing to consider is that most of these sites aren’t hosted in the U.S. anyway. We know where the websites are. Many websites and chat rooms that are used for setting up attacks and exchanging or selling credit card numbers are known. They’re in countries where that practice isn’t illegal and where we have no U.S. jurisdiction. There’s a lack of cyber-crime cooperation with those countries,” Jevans explains.
The bottom-line question is whether or not the phishing problem will ever go away. Jevans responds, “Yes, and that brings me to the last thing that companies should do, and where the industry is going. The industry appears to agree that a large contributor to the problem is that you can freely spoof email addresses. There is the ability to spoof any email address you want, and that’s why people are getting emails that say ‘email@example.com’ or ‘support@Microsoft.com’, etc. If we can stop the spoofing of email, that should largely address the phishing problem and will be a key cornerstone to getting a handle on spam. Most spam comes from spoofed email addresses and you can’t block them.”
“A good portion of the industry has agreed that email authentication has to happen and happen soon. It will have a dramatic effect on phishing and allow us to get a handle on spam over time. The problem has been the various proposals on how to approach email authentication. There is an existing standard called S-MIME, but the big web mail providers don’t want to use S-MIME because they feel it’s too time-consuming. These providers have countered the proposals with Microsoft’s Caller ID, Yahoo’s Domain Keys, and the Internet Engineering Task Force (IETF) has Sender Policy Framework (SPF). You’ve got four competing standards on how to authenticate email. All of that has been churning since February 2004. The good news is that it appears the SPF proposal is going to merge with Microsoft’s Caller ID proposal. The MARID Working Group, who supports email authentication ID, met with the SPF/Caller ID group and have agreed to merge the standards. If this truly happens and the industry energy surrounds that merger, then the Domain Keys and S-MIME proposals will fade away. Whichever proposal has the most momentum will be the one that takes off. It’s really about getting one of these widely implemented. The SPF/Caller ID merger has the most momentum behind it I would say. It’s the proposal to watch. By late June they have stated that they’ll have their first draft proposal of what the merger will look like. Hopefully by the end of the year this will come together so that people can start deploying it.”
Jevans believes that companies have recourse that costs them virtually nothing, and that is to publish SPF and Caller ID records in their DNS. In order to do this, companies can go to the SPF or the Microsoft site and download the specifications, which will instruct a user how to go to the domain name registrar and add these extra records into the company’s DNS. It’s an administrative task for the IT department to review the document and publish the authentication information. It’s a listing of what mail servers a company will be sending mail from, essentially stating in the DNS that email will only ever be sent from listed IP addresses.
“If some spammer or phisher tries to send email from another address pretending to be you, someone who’s implemented SPF or Caller ID can look up the address and verify whether it’s you or not and they’ll be able to drop it. I feel strongly that companies should just do this now. It costs you nothing and those standards are going to be adopted. Any company that has an email gateway implementing these standards will be able to reject spoofed emails. The faster we make it happen, the better,” says Jevans.
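What a published SPF record looks like and how a receiving gateway uses it, as an added example that is not from the article or from the SPF or Caller ID specifications: a small evaluator covering only the ip4, ip6 and all mechanisms. The records, the placeholder domain example.com, the documentation addresses and the gateway policy are constructed assumptions.

```python
import ipaddress

# Constructed TXT record for the placeholder domain example.com (documentation
# address ranges). "-all" asks receivers to reject every unlisted sender.
SPF_TXT = "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 ip6:2001:db8:25::/64 -all"
# Weak variant for comparison: "+all" authorizes the whole Internet.
SPF_WEAK = "v=spf1 ip4:192.0.2.0/28 +all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4, ip6 and all mechanisms against the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # TXT record is not SPF
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"            # include, a, mx, ... need DNS lookups
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"              # malformed address in the record
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" term


def gateway_action(record, client_ip):
    """Assumed local policy: reject on fail, tag on softfail, else accept."""
    return {"fail": "reject", "softfail": "tag"}.get(check_spf(record, client_ip), "accept")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:25::1", "203.0.113.77"):
        print(ip, check_spf(SPF_TXT, ip), gateway_action(SPF_TXT, ip))
    print("weak record:", check_spf(SPF_WEAK, "203.0.113.77"))
```

The check runs against the envelope sender's domain and the IP address of the connecting server, so a record that omits one of the company's real outbound servers causes its own legitimate mail to fail.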
The phishing problem will continue to grow in sophistication and voracity as long as companies turn a blind eye to the problem and consumers keep responding to spoofs. There is money to be made off of our apathy and lack of awareness and it’s a profitable business.
For more information on the Anti-Phishing Working Group, you can visit their site that provides useful information for companies and consumers alike, listing statistics, current analysis of recent phishing attacks, warnings and advice for phishing victims. People can also report phishing scams to the APWG through the website and read the latest news on the war against phishing.
Melisa LaBancz-Bleasdale is a freelance technology writer living in the San Francisco Bay Area.