Phishers are using a lesson learned from virus and worm writers to improve their chances of success. Over time, virus and worm authors discovered that it was not necessarily the malicious payload of their craft that was alerting the internet community that trouble was on the way. It was the “Internet noise” they created while looking for vulnerable hosts. This noise resulted from increased traffic to specific ports or from bandwidth-crippling floods of attempted connections to every single host within a large subnet or domain.
Hackers soon learned, for example, that if a worm took advantage of a Windows IIS IV web server vulnerability, the hacker should simply attack only known Windows IIS IV machines. This dramatically reduced the noise and thereby reduced the ability of the internal security community to understand quickly what was going on and develop the necessary countermeasures in a timely manner.
Those involved in Phishing attacks have realized that reducing the tell-tale “noise” from mounting a targeted attack is not rocket science; it is simply a logical evolution. Why risk spamming a mass audience and creating “noise” on the Internet when you can reduce your exposure by simply focusing on a select target group of addresses that have a high probability of success?
Who would be a better candidate for having an account at a bank than perhaps a bank employee?
I had an opportunity to meet with security experts from a number of financial organisations at a conference I was speaking at recently. They noted that in the past year Phishers were actually getting better at writing the emails they used in their attacks. Previously, in many cases the poorly written spam emails from Phishers would quickly blanket an entire country, with only a relatively small percentage of recipients having any probability of actually having an account at the specific Bank. The language and grammar were often poor and clearly not written by a native speaker. The large address pool used and the speed at which the emails were being broadcast were easy triggers for filters that would bring immediate attention and alert the internal security community.
The quality of the emails in terms of spelling and grammar, which was previously a dead giveaway, has markedly improved, removing a previous tell-tale sign of a Phishing email.
More importantly, it was noted that for the past 6 months Banks have seen more and more Phishing emails directed at their own employees. The Phishers appear to have recognized that by limiting the spam emails to employees of the Bank, reducing the size of the address pool and also slowing the rate at which the emails were sent, they could potentially reduce the chances that the Phishing emails would trigger alerts and therefore increase their chances of success. Thankfully, the Banks I have spoken to have already taken a sound, layered approach to security and made the adjustments necessary to fend off this new targeted methodology from malicious Phishers.
Targeted Phishing is an evolution of the art and is easily pulled off:
Creating a list of prospective victims within an organization is easy. Freely downloadable tools like “Atomic Harvester” are available on the internet that allow anyone to scour the Internet in search of email addresses on web pages and in newsgroup postings for any given domain (i.e. *@yourbank.com) in order to develop a selection of high-probability targets. Further, inadequately protected mail servers allow a phisher to easily harvest an organization’s entire email address directory by simply using the common “Expand” command, which returns all of the individual email addresses behind a common email group alias such as email@example.com or firstname.lastname@example.org
The same fine tuning by malicious hackers that has evolved into Targeted Phishing in the finance sector has also recently occurred at government departments and credit unions, with credit union employees being the selected focus of the Phishing attack against their own credit union. Again, by targeting a smaller group of email addresses and sending the emails out at a rate that does not trigger common security filter alarms, this new methodology used by Phishers has the potential to dramatically improve their chances of success.
The BlackHat community is well known for its ability to quickly communicate new ideas for wreaking havoc on the Internet within its population. Hence it is a safe assumption that this new targeted Phishing attack methodology will spread quickly across the Internet.
For individuals who are targeted in these attacks, the typical steps to protect yourself from ordinary ID Theft still apply, with minor modifications to meet the additional risks posed by targeted ID theft:
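As an added example (not code from the article), the defender's side of the tactic just described: a small Python detector run over constructed mail-gateway log lines. It shows why a per-hour volume filter never fires on a campaign that sends a few messages a day to employees only, and how counting distinct internal recipients per lure host over a longer window still surfaces it. The log format, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample mail-gateway log (not from the article): one lure host,
# mailed to a few bank employees per day over four days, plus normal traffic.
# Fields: time, sender domain, recipient, host of the embedded link.
SAMPLE_LOG = """\
2005-03-01T09:12:00 secure-notice.example rjones@yourbank.com login-yourbank.example
2005-03-01T14:40:00 secure-notice.example mlee@yourbank.com login-yourbank.example
2005-03-02T08:05:00 secure-notice.example akhan@yourbank.com login-yourbank.example
2005-03-03T10:30:00 secure-notice.example dsmith@yourbank.com login-yourbank.example
2005-03-04T11:15:00 secure-notice.example pchen@yourbank.com login-yourbank.example
2005-03-04T11:16:00 newsletter.example rjones@yourbank.com newsletter.example
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Return (timestamp, sender_domain, recipient, link_host) for each valid line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           m.group(3).lower(), m.group(4)))
    return events

def volume_alerts(events, per_hour=3):
    """Classic volume filter: alert on per_hour+ hits for one link host in a clock hour."""
    buckets = defaultdict(int)
    for ts, _sender, _rcpt, host in events:
        buckets[(host, ts.strftime("%Y-%m-%dT%H"))] += 1
    return sorted({host for (host, _hour), n in buckets.items() if n >= per_hour})

def slow_campaign_alerts(events, internal_domain, span_days=7, min_victims=4):
    """Distinct internal recipients per link host over a multi-day window."""
    by_host = defaultdict(list)
    for ts, _sender, rcpt, host in events:
        if rcpt.endswith("@" + internal_domain):  # only our own employees
            by_host[host].append((ts, rcpt))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()  # sliding window starts at each message in time order
        for i, (start, _rcpt) in enumerate(hits):
            victims = {r for t, r in hits[i:] if (t - start).days < span_days}
            if len(victims) >= min_victims:
                alerts.append((host, len(victims)))
                break
    return sorted(alerts)
```

On the sample, `volume_alerts` returns nothing while `slow_campaign_alerts(..., "yourbank.com")` reports the lure host with five distinct employee recipients.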
- Be certain your PC’s operating system is up to date with the latest security patches, as well as your anti-virus and firewall software.
- No matter how official it looks never click on an embedded URL contained in any email even when it appears to come from your own organization. Manually enter the URL in your browser address bar for your banking and credit card websites.
- Do not fill in forms contained within email including those that may appear to come from within your own organization. Your personal financial information should never be sent by email. Only send your personal financial information via a secure website – verify that the URL contains https:// and that the closed lock appears on the lower right hand side of the browser for a secure website connection.
- Never click on an email attachment unless you know the sender and you were, in fact, expecting to receive the attachment.
- Monitor your banking and credit card accounts online and check for illegitimate transactions regularly.
- Use an online credit monitoring service that offers alerts when there are any changes to your credit report (i.e. new accounts and purchases).
- Register with a credit card security system that requires a password to authorize transactions, such as Verified by Visa or MasterCard SecureCode.
- Do not use the auto-fill facility on websites for credit card and other personal details.
- Use alternative secure online payment systems such as PayPal.
- Finally, common sense is your best defense: if it looks too good to be true, then it probably is.
For the organizations that are the subject of these attacks, beyond the typical best practices for network security, consider the following suggestions as additional risk mitigation for targeted ID theft:
- Review and, if necessary, revise your security policies and procedures, and be sure they address the many issues of ID Theft for the organization, your clients and your employees.
- Take a multi-level security approach to ID theft:
  - Evaluate internal controls and procedures;
  - Don’t limit authentication to the user – authenticate both the user and the individual transaction separately and independently;
  - Use two-factor authentication – but not simply as a replacement for single-factor authentication;
  - If you are not using fraud detection methodologies, they should absolutely be considered in light of the explosive growth of ID Theft.
- Communicate with your customers and employees:
  - Let them know you would never include a clickable URL within an email;
  - Let them know that in any email you would address them by their first and last name;
  - Let them know you would not send them an email attachment that they were not already expecting;
- Always remember that your biggest bang for your buck typically comes from user awareness training for both your employees and your customers.
- Continuously monitor current threats and make the necessary adjustments in a timely manner – time is not on your side when confronting today’s menaces, either internal or external, on your enterprise network.