Information Security Forum Warns Against Increase In Trojan Phishing And The Use Of “Moles’

27 September 2005: A new report from the Information Security Forum (ISF) warns that Trojan-based attacks will take over from email phishing in the US and Europe as Trojans become more sophisticated and harder to stop. The ISF – a not-for-profit organisation with 260 members including half of the Fortune 100 – also highlights the increasing use of “moles’ placed in organisations to gain access to high-worth customers.

The rapid use of phishing by organised criminals is reflected in a survey of ISF members that shows that over a third of members have been affected by phishing attacks. Furthermore, over 30% of these have experienced more than 20 attacks.

The ISF report provides a detailed five-point strategy to tackle the threat of phishing attacks. But while two-factor or even three-factor authentication is seen as a strong preventative measure, the report suggests that savings from direct fraud alone do not currently justify the expenditure. Organisations should consider other factors such as reputational damage, regulatory intervention or loss of competitive advantage.

Significantly, the report points to better education of customers about phishing and identity theft as being a more immediate requirement. This should be supported by a strong anti-phishing policy, continuous Internet monitoring to identify phishing activity and brand misuse, and better internal protection. In particular, with criminal gangs planting and grooming company “moles’, the need to secure customer databases from internal attack is becoming increasingly important.

“We believe that email phishing will move away from English speaking regions to Asia, China and the Middle East, to be replaced by a surge in sophisticated and well-organised Trojan attacks,” said Andrew Wilson of the Information Security Forum. “Often, the first time an organisation knows that it is under attack is when customers notice money missing from their accounts, so it will become vital to put early warning mechanisms in place. These can include closely monitoring customer complaints and feedback for signs of attack, regular checking of web sites for the unauthorised use of logos and brand names and open-source intelligence gathering for indications of planned attacks.”

“Improving user awareness of Internet risks is key to fighting online fraud, but in a manner that does not risk losing customer-confidence in ecommerce and online banking,” adds Andrew Wilson.

The ISF report along with over 150 authoritative reports on information security issues is available to ISF members. Further information on the ISF can be found at www.securityforum.org.

About the ISF

The Information Security Forum was founded in 1989 and is a not-for-profit international association of over 260 leading organisations which fund and co-operate in the development of practical, business driven solutions to information security and risk management problems. The ISF undertakes a leading-edge research programme and has invested more than US$75 million to create a library of over 150 authoritative reports that are available free of charge to ISF Members.