Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Pharming also aims to collect personal information from unsuspecting victims by essentially tinkering with the road maps that computers use to navigate the Web. You don't want either one working its evil genius on you, your employees or your customers. Here's how to be on your guard against both phishing and pharming. Last updated: April 2009
- What is phishing?
- Can we prevent phishing attacks?
- What can my company do to reduce our chances of being targeted?
- What plans should my company have in place before a phishing incident occurs?
- How can we quickly find out if a phishing attack has been launched using our company's name?
- How can we help our customers avoid falling for phishing?
- If an attack does happen, how should we respond?
- Any legal/regulatory requirements we should be aware of?
- What action can we take against the phishers themselves?
- How might phishing attacks evolve in the near future? (E.g. "spear-phishing)
- How can we guard against pharming attacks?
Q: What is phishing?
A: Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Typically, a phisher sends an e-mail disguised as a legitimate business request. For example, the phisher may pass himself off as a real bank asking its customers to verify financial data. (So phishing is a form of "social engineering".) The e-mail is often forged so that it appears to come from a real e-mail address used for legitimate company business, and it usually includes a link to a website that looks exactly like the bank's website. However, the site is bogus, and when the victim types in passwords or other sensitive information, that data is captured by the phisher. The information may be used to commit various forms of fraud and identity theft, ranging from compromising a single existing bank account to setting up multiple new ones.
Early phishing attempts were crude, with telltale misspellings and poor grammar. Since then, however, phishing e-mails have become remarkably sophisticated. Phishers may pull language straight from official company correspondence and take pains to avoid typos. The fake sites may be near-replicas of the sites phishers are spoofing, containing the company's logo and other images and fake status bars that give the site the appearance of security. Phishers may register plausible-looking domains like aolaccountupdate.com, mycitibank.net or paypa1.com (using the number 1 instead of the letter L). They may even direct their victims to a well-known company's actual website and then collect their personal data through a faux pop-up window.
Can we prevent phishing attacks?
Companies can reduce the odds of being targeted, and they can reduce the damage that phishers can do (more details on how below). But they can't really prevent it. One reason phishing e-mails are so convincing is that most of them have forged "from" lines, so that the message looks like it's from the spoofed company. There's no way for an organization to keep someone from spoofing a "from" line and making it seem as if an e-mail came from the organization.
A technology known as sender authentication does hold some promise for limiting phishing attacks, though. The idea is that if e-mail gateways could verify that messages purporting to be from, say, Citibank did in fact originate from a legitimate Citibank server, messages from spoofed addresses could be automatically tagged as fraudulent and thus weeded out. (Before delivering a message, an ISP would compare the IP address of the server sending the message to a list of valid addresses for the sending domain, much the same way an ISP looks up the IP address of a domain to send a message. It would be sort of an Internet version of caller ID and call blocking.)
Although the concept is straightforward, implementation has been slow because the major Internet players have different ideas about how to tackle the problem. It may be years before different groups iron out the details and implement a standard. Even then, there's no way of guaranteeing that phishers won't find ways around the system (just as some fraudsters can fake the numbers that appear in caller IDs). That's why, in the meantime, so many organizations—and a growing marketplace of service providers—have taken matters into their own hands.
What can my company do to reduce our chances of being targeted by phishing attacks?
In part, the answer has to do with NOT doing silly or thoughtless things that can increase your vulnerability. Now that phishing has become a fact of life, companies need to be careful about how they use e-mail to communicate with customers. For example, in May 2004, Wachovia's phones started ringing off the hook after the bank sent customers an e-mail instructing them to update their online banking user names and passwords by clicking on a link. Although the e-mail was legitimate (the bank had to migrate customers to a new system following a merger), a quarter of the recipients questioned it.
As Wachovia learned, companies need to clearly think through their customer communication protocols. Best practices include giving all e-mails and webpages a consistent look and feel, greeting customers by first and last name in e-mails, and never asking for personal or account data through e-mail. If any time-sensitive personal information is sent through e-mail, it has to be encrypted. Marketers may wring their hands at the prospect of not sending customers links that would take them directly to targeted offers, but instructing customers to bookmark key pages or linking to special offers from the homepage is a lot more secure. That way, companies are training their customers not to be duped.
It also makes sense to revisit what customers are allowed to do on your website. They should not be able to open a new account, sign up for a credit card or change their address online with just a password. At a minimum, companies should acknowledge every online transaction through e-mail and one other method of the customer's choosing (such as calling the phone number on record) so that customers are aware of all online activity on their accounts. And to make it more difficult for phishers to copy online data-capture forms, organizations should avoid putting them on the website for all to see. Instead, organizations should require secured log-in to access e-commerce forms.
At the end of the day, though, better authentication is the best way to decrease the likelihood that phishers will target your organization. Banks are beginning to experiment with technologies like RSA tokens, biometrics, one-time-use passwords and smart cards, all of which make their customers' personal information less valuable for phishers.
One midsized bank was able to cut its phishing-related ATM card losses by changing its authentication process. Every ATM card has data encoded on its magnetic strip that the customer can't see but that most ATM machines can read. The bank worked with its network provider to use that hidden information to authenticate ATM transactions—an important step that, according to Gartner, only about half of U.S. banks had taken by mid-2005. "Since the number isn't printed on the back of the card, customers can't accidentally disclose it," the bank's CISO explained. The information was already in the cards, so the bank didn't have to go through an expensive process of reissuing cards. "It was a very economical solution, and it's been very effective," said the CISO.
What plans should my company have in place before a phishing incident occurs?
Before your organization becomes a target, establish a cross-functional anti-phishing team and develop a response plan so that you're ready to deal with any attack. Ideally, the team should include representatives from IT, internal audit, communications, PR, marketing, the Web group, customer service and legal services.
This team will have to answer some hard questions, such as:
* Where should the public send suspicious e-mails involving your brand? Set up a dedicated e-mail account, such as email@example.com, and monitor it closely.
* What should call center staff do if they hear a report of a phishing attack? Make sure that employees are trained to recognize the signs of a phishing attack and know what to tell and ask a customer who may have fallen for a scam.
* How and when will your organization notify customers that an attack has occurred? You might opt to post news of new phishing e-mails targeting your company on your website, reiterating that they are not from you and that you didn't and won't ask for such information.
* Who will take down a phishing site? Larger companies often keep this activity in-house; smaller companies may want to outsource.
- If you keep the shut-down service in-house, a good response plan should outline whom to contact at the various ISPs to get a phisher site shut down as quickly as possible. Also, identifying law enforcement contacts at the FBI and the Secret Service ahead of time will improve your chances of bringing the perpetrator to justice.
- If a vendor is used, decide what the vendor can do on your behalf. You may want to authorize representatives to send e-mails and make phone calls, but have your legal department handle any correspondence involving legal action.
* When will the company take action against a phishing site, such as feeding it inaccurate information or exploiting vulnerabilities in its coding? Talk out the many pros and cons beforehand.
* How far will you go to protect customers? Decide how much information about identity theft you'll give to customers who fall for a scam, and how this information will be delivered. You should also talk through scenarios in which you will monitor or close and re-open affected accounts.
* Are you inadvertently training your customers to fall for phishing scams? Educate the sales and marketing teams about characteristics of phishing e-mails. Then, make sure legitimate e-mails don't set off any alarms.
How can we quickly find out if a phishing attack has been launched using our company's name?
Sometimes a new phish announces itself violently, as an organization's e-mail servers get pummeled with phishing e-mails that are bouncing back to their apparent originator. There are other ways to learn about an attack, though—either before or after it occurs.
a) Monitor for fraudulent domain name registrations.
Phishers often set up the fake sites several days before sending out phishing e-mails. One way to stop them from swindling your customers is to find and shut down these phishing sites before phishers launch their e-mail campaigns. You can outsource the search to a fraud alert service. These services use technologies that scour the Web looking for unauthorized uses of your logo or newly registered domains that contain your company's name, either of which might be an indication of an impending phishing attack. This will give your company time to counteract the strike (more on that later).
b) Set up a central inbox.CSO. To do this, organizations typically set up one e-mail address where all suspected phishing e-mails are directed, with an address such as firstname.lastname@example.org or email@example.com. Ideally, this central inbox should be monitored 24/7.
The easiest and most effective way to find out if your organization is being targeted by phishers is simply by giving the general public a way to report phishing attacks. "It's your customers and noncustomers who are going to be the ones that tell you that the phish is out there," said one security manager interviewed for a case study published in
c) Watch your Web traffic.Internet Storm Center recommends that by examining Web traffic logs and looking for spikes in referrals from specific, heretofore unknown IP addresses, CSOs may be able to zero in on sites used for large-scale phishing attacks.
After gathering victims' information, many phishing sites then redirect the victim to a log-in page on the real website the phisher is spoofing. SANS's
d) Hire a firm to help.Brandimensions hosts a vast, interconnected network of domain names and e-mail addresses intended solely to attract phishing e-mails and other spam. They're called honeypots. Entire websites are built to publish e-mail addresses, point to one another, and thereby attract the attention of automated Web crawlers that compile spam lists. The company then uses "relevancy detection software" to flag the e-mails that could be most damaging to its customers.
The same companies that scan the Internet for unauthorized uses of your logo can also monitor for active phishing sites. For example, Toronto-based
How can we help our customers avoid falling for phishing?
People who know about phishing stand a better chance of resisting the bait. "The best defense is that a consumer has heard of phishing and is unlikely to respond," says Patricia Poss, an attorney with the Bureau of Consumer Protection at the Federal Trade Commission. Must be trained to think twice about replying to any e-mail or pop-up that requests personal information.
Teach employees how to recognize spoofed e-mail. Similarly, warn your customers about the dangers of phishing, and let them know you'll never ask for their account number, password, Social Security number or any other personal information via e-mail. Train them to avoid clicking on e-mail links to reach you and instead to type your company's URL directly into a new browser window.
The oft-targeted PayPal, for instance, has a Security Center on its website that includes an e-commerce safety guide, fraud protection tips for buyers and sellers, a link to let users report spoof e-mails and a prominent reminder to log in to PayPal by opening a new browser window and typing in the URL. Some companies also do physical mailings to customers.
However, there's only so much that customer education can do. The onus is also on the organization to limit the damage by shutting down the phishing site.
If an attack does happen, how should we respond?
Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).
Step 1) Gather basic information about the attack. This should include screen shots of the website plus the URL.
Step 2) Contact the ISP (or whoever is hosting the website). Explain the situation and ask that the site be shut down. Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website's owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their Web servers). "You say, Hey, did you know there's a URL on your website that's a phishing attack?" says Hugh Hyndman, CTO of Brandimensions. "They look at it and go, Oh my God, and they remove that website."
How well an ISP is likely to respond depends on both the ISP and an organization's relationship with it. "If you have good relationship with the ISP, you can get the site down in a matter of hours," says Dave Jevans, chairman of the Anti-Phishing Working Group. "Sometimes." Other times you won't be so lucky. Seventy percent of phishing sites are hosted outside of the United States, so you may need a translator. You also may need to do some delicate negotiations to convince the ISP to throw the switch on a paying customer. If the representative hems and haws and says that policing the Internet is not his job, Jevans says, "rattle a few sabers" and threaten to call law enforcement.
In the most difficult scenario, a phishing site is domain-based. Hyndman has seen phishing websites set up to automatically change their IP addresses as often as every three minutes, hopping from one hacked computer to another in a complex game of cat and mouse played out across the globe.
Step 3) Contact law enforcement. Although this is an important step, be warned that it isn't necessarily the most effective way to get the site shut down quickly. The FBI and Secret Service are more concerned with patterns and big busts than individual ones, and until a customer has fallen for a scam and suffered damages, there may have been no law broken. Nevertheless, agents may be able to intervene on your behalf—and who knows, your case may be part of the bigger picture investigation needed to shut down a given fraudster. (This has happened. In May 2005, a 20-year-old Texas man was sentenced to almost four years in prison for phishing.)
By establishing a relationship with law enforcement, you'll come to understand when agents want information about what kinds of attacks. For instance, the bank in the aforementioned CSOcase study gets a compact disc from its vendor with information about each phish, and a copy of that CD is then passed on to the FBI, which looks for patterns or anomalies in the attacks.
Does all this sound like too much for your company? Then pay someone else to do it for you. The marketplace is brimming right now with companies that will do the dirty work. Brandimensions, Cyota, MarkMonitor and others offer anti-phishing services.
Responders at a good service provider will have expertise in working their way up the network stream seeking someone who can and will shut down the site. They try to work with the ISP or Web hosting company, and then if necessary contact the domain name registrar that's directing the URL to a given IP address. They'll send e-mails and faxes; they'll make phone calls. If necessary, they'll send notices threatening legal action. Often, when the site is hosted outside the United States, they'll seek help from local groups of first responders organized by CERT/CC at Carnegie Mellon. The end result? The phishing website might be up for hours instead of days.
Any legal/regulatory requirements we should be aware of?
Regulatory requirements depend on your organization and industry, but the financial services industry in general is being pushed to action. Two examples:
* The Treasury Department's Office of the Comptroller of the Currency issued a bulletin in July 2005 that outlined the steps banks should take to mitigate the risks of phishing. Among other things, national banks were told they must file suspicious activity reports, or SARs, if they are the target of a spoofing incident.
* In December 2004, the Federal Deposit Insurance Corp. issued guidelines for how financial institutions can mitigate phishing risks. The document warns that "the financial service industry's current reliance on passwords for remote access to banking applications offers an insufficient level of security" and describes better options, such as two-factor authentication. (View the table of contents for "Putting an End to Account-Hijacking Identity Theft.")
What action can we take against the phishers themselves?
Takedown, which essentially just relocates the problem, may be the only aggressive form of defense that the targeted company has. Prosecutions of phishers have been rare, due to the difficulty of tracing how personal information has been captured, sold and exploited.
However, when a site proves to be particularly vexing to shut down, the vendor may offer to try a controversial practice sometimes known as dilution. This involves feeding fake information into a phishing site—the goal being to "dilute" the real information, making the phisher's haul less valuable.
Dilution is tricky for many reasons. Opinions differ on how best to generate the fake information. Also, patterns (where the traffic is coming from or how often) can tip off phishers that the information is bogus, possibly prompting them to retaliate against the targeted company. There are also legal concerns. High-volume dilution can amount to denial of service—an attack in which so much bogus traffic floods a website that it collapses. Jevans, of the Anti-Phishing Working Group, laughs when asked about dilution. "That's the polite term," he says. "Denial of service"—the impolite term—"is illegal. Which is why you find not everybody is using dilution."
Vendors may counter that dilution is significantly different from a denial-of-service attack because the Web traffic is supposed to at a reasonable enough rate to look like actual users. Still, most companies are leery of the practice. The bank profiled in CSO, for example, decided that dilution was worth the risk only if the situation became critical, with a large number of people responding to the phish and causing the bank "significant" losses.
How might phishing attacks evolve in the near future?
As phishing e-mails and websites have grown more sophisticated, phishers also have changed the kinds of companies they are spoofing. Early phishing e-mails usually targeted large banks, credit card companies, online payment services, ISPs and large online retailers. As those large companies put defense mechanisms in place to limit the damages, phishers have moved on to smaller companies that may be less prepared to defend themselves.
At the same time, phishers have also grown more sophisticated in their use of e-mail address lists. A phishing e-mail targeting a regional credit union, for example, may be sent only to customers who use ISPs located in that same area. The latest and perhaps ultimate personalization? A technique known as "spear phishing," in which e-mails are customized for particular users. One scam targeted just executives at certain kinds of companies. Security analyst Steve Hunt reports another spear-phishing scam in which he received a text message from a "bank" directing him to call a telephone number; the number yielded a recorded voice asking for his debit card number and PIN.
Meanwhile, as customers become more savvy about the risks of divulging personal information, fraudsters are looking for ways to gather information without the victims' knowledge. This is often done with a method known as pharming. Like phishing, pharming aims to collect personal information from unsuspecting victims. The difference is that pharming doesn't rely on e-mail solicitation to ensnare its victims. Instead, this attack method essentially tinkers with the road maps that computers use to navigate the Web, such that large numbers of users can wind up giving personal data to a bogus site even if they've typed in a legitimate URL.
Pharming combines a mix of mainstream threats such as viruses and spyware, plus more esoteric stuff such as domain spoofing and DNS poisoning. In one scenario, a user receives some kind of malware (virus, worm, Trojan horse or spyware) that rewrites local host files, which convert URLs into the number strings that computers use to find and access websites. Then, for example, when the user types a legitimate bank's URL into the browser window, the computer is misdirected to a bogus but authentic-looking website of the same sort that might be used in a phishing attack. In another scenario, a hacker poisons a more public DNS directory cache (at an ISP, for instance), again leading unsuspecting Internet users to phony sites.
In either case, potentially large numbers of users are drawn to the fraudulent sites or proxy servers (a computer that sits between the user and the real server and captures information as it passes through), where criminals can track activity and gather credit card data and personal identification numbers.
Pharming is technically harder to accomplish than phishing. To execute a phishing attack, a hacker needs to be able to create a plausible URL, a decent webpage and an e-mail message. This is not hard. Pharming, on the other hand, requires knowledge of how to manipulate DNS caches or gain access to someone's computer files or servers to change settings. But it can also be more damaging, because even savvy computer users may have no idea that their information has been compromised.
How can we guard against pharming attacks?
Just as pharming is more technically difficult to pull off than phishing, it's more technically complicated to protect against. Here are some basics.
a) Deploy technologies such as intrusion prevention and antivirus software, desktop firewalls with filters to look for spyware, and logging software to look for particular events such as spikes in DNS traffic or spikes in e-mail traffic from a single user.
b) Make incident response teams aware of the threat, and teach employees and customers how to avoid pharming incidents. Also ramp up education efforts aimed at business partners, especially for smaller companies that might need help to deal with the pharming threat.
c) Place controls on DNS servers, such as host-based intrusion detection systems, to prevent visitors or customers to websites from inadvertently participating in a pharming attack. There are also some vendors that focus on DNS security, such as UltraDNS.
d) Be prepared to have Internet service providers quickly shut down malicious sites that are set up for pharming. Consider moving ahead with plans for stronger authentication technologies that control access to systems that could be targets of pharmers.
e) Follow developments such as the progress of the DNSSEC standards, and ensure that your company's ISPs have the proper controls on their DNS directories and servers.
This resource has been compiled from articles in CSO magazine. Contributing writers include Alice Dragoon, Sarah D. Scalet and Bob Violino. E-mail feedback to Editor Derek Slater at firstname.lastname@example.org.
The Anti-Phishing Working Groupwww.antiphishing.org