Case Study

Death to Phishing

What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.

By Sarah D. Scalet


Bank XYZ had just signed a 90-day trial contract with an antiphishing vendor. (The bank later inked a different vendor to a long-term arrangement.) On the conference call, the trial vendor suggested aggressive action, such as sending legal notices to those responsible for the bogus website, or peppering the site with bogus account information. The bank's lawyers fretted about those options.

"We weren't really thinking we were going to be phished, even though we were preparing for it," Jones recalls. "It was all theory before that, and all the sudden it was happening to us. People were trying to make decisions on the fly." The whole thing was a mess.

Today, more than 12 painful months later, when a new phishing attack occurs against Bank XYZ, a well-honed, streamlined incident response plan swings into action. With the active participation of information security, corporate security and other groups, the bank has made itself a less attractive target for phishers. The number of attacks has plummeted, from a peak of dozens a day to only a handful a month, as phishers target smaller or easier prey.

In the hopes of helping other organizations wrestling with phishing attacks, the bank's CISO, Glen Williams, and other employees agreed to take CSO behind the scenes and share what they have learned. (The bank and its employees requested anonymity in order to not draw more targeted phishing attacks.) This is their phishing incident response process, start to finish: from identifying a new attack, to working with a vendor to get the site taken down, to helping affected customers and finding other ways to limit the damages.

This is the death of a phish.

Discovery and Initiation

Although anyone with a published e-mail address might find it hard to believe, detecting a new phishing attack isn't always easy. That's why Bank XYZ's incident response starts with a formalized process for learning about new attacks quickly. The bank counts on three discovery methods: its own e-mail servers, the public at large and third-party services.

Of these methods, the vendor service is most complex. Brandimensions, which the bank has contracted to help with an unlimited number of phishing attacks, hosts a vast, interconnected network of domain names and e-mail addresses intended solely to attract phishing e-mails and other spam. Honeypots. Entire websites are built to publish e-mail addresses, point to one another, and thereby attract the attention of automated Web crawlers that compile spam lists.

"We get millions of e-mails a day," says CTO Hugh Hyndman of Brandimensions. "Our service and our whole technical infrastructure is based on our receiving and finding phishing attacks." Brandimensions uses "relevancy detection software" to flag the most damaging e-mails.
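The triage step described above, as an added example that is not Brandimensions' software and not the bank's own tooling: a small Python scorer of the kind a spam-trap operator would run over the flood of harvested mail to pull out the messages that matter to one brand. It looks for the bank's name, for links that point anywhere other than the bank's real domains (with extra weight on lookalike hosts), and for the urgency language phishing lures rely on. The brand string, the domain list, the urgency phrases, the weights and the three sample messages are all assumptions constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumptions for this example: the bank's brand string and the domains it really owns.
BANK_BRAND = "Bank XYZ"
BANK_DOMAINS = {"bankxyz.example", "www.bankxyz.example", "online.bankxyz.example"}
# Phrases that phishing lures use to pressure the reader (assumed list).
URGENCY = ("verify", "suspended", "confirm your account", "unusual activity", "within 24 hours")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(text):
    """Return all http(s) URLs in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def host_of(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def relevance_score(raw_message):
    """Score one spam-trap message for how likely it is a phish against the bank.

    Returns (score, reasons); a higher score means more damaging to the brand.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # the samples are single-part text, so this is a str
    lower = f"{subject}\n{body}".lower()
    score, reasons = 0, []

    # Mail that never names the brand is ordinary spam as far as this bank is concerned.
    if BANK_BRAND.lower() not in lower:
        return 0, ["brand not mentioned"]
    score += 2
    reasons.append("mentions the bank by name")

    for url in extract_urls(body):
        host = host_of(url)
        if host and host not in BANK_DOMAINS:
            score += 3
            reasons.append(f"link to non-bank host {host}")
            # Brand token inside a host the bank does not own: a lookalike domain.
            if "bankxyz" in host.replace("-", ""):
                score += 2
                reasons.append(f"lookalike host {host}")

    hits = [w for w in URGENCY if w in lower]
    if hits:
        score += len(hits)
        reasons.append("urgency language: " + ", ".join(hits))

    return score, reasons


def triage(raw_messages, threshold=5):
    """Return (score, reasons, message) for messages at or above threshold, highest first."""
    scored = [(relevance_score(m), m) for m in raw_messages]
    flagged = [(s, r, m) for (s, r), m in scored if s >= threshold]
    flagged.sort(key=lambda t: t[0], reverse=True)
    return flagged


# Constructed sample traffic, as a spam trap might receive it.
SAMPLE_MESSAGES = [
    # 1: a phish against the bank, hosted on a lookalike domain.
    "From: security@bankxyz-alerts.example\nSubject: Bank XYZ: unusual activity on your account\n\n"
    "Dear customer, we detected unusual activity. Please verify your identity within 24 hours at\n"
    "http://bankxyz-secure-login.example/verify\nBank XYZ Security Team\n",
    # 2: generic spam that never mentions the brand.
    "From: deals@pills.example\nSubject: Cheap meds\n\nBuy now at http://pills.example/shop\n",
    # 3: the bank's own newsletter, linking only to a domain it owns.
    "From: news@bankxyz.example\nSubject: Bank XYZ monthly newsletter\n\n"
    "Read the latest at http://www.bankxyz.example/news\n",
]

if __name__ == "__main__":
    for score, reasons, msg in triage(SAMPLE_MESSAGES):
        print(score, msg.splitlines()[1], "|", "; ".join(reasons))
```

Only the first sample crosses the threshold: it names the brand, links to a host the bank does not own that embeds the brand token, and uses three of the urgency phrases. The newsletter scores low because its only link resolves to a bank-owned domain, which is the check that keeps legitimate brand mail out of the takedown queue.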
