If an attack does happen, how should we respond?
Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).
Step 1) Gather basic information about the attack. This should include screen shots of the website plus the URL.
Step 2) Contact the ISP (or whoever is hosting the website). Explain the situation and ask that the site be shut down. Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website's owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their Web servers). "You say, 'Hey, did you know there's a URL on your website that's a phishing attack?'" says Hugh Hyndman, CTO of Brandimensions. "They look at it and go, 'Oh my God,' and they remove that website."
How well an ISP is likely to respond depends on both the ISP and an organization's relationship with it. "If you have a good relationship with the ISP, you can get the site down in a matter of hours," says Dave Jevans, chairman of the Anti-Phishing Working Group. "Sometimes." Other times you won't be so lucky. Seventy percent of phishing sites are hosted outside of the United States, so you may need a translator. You also may need to do some delicate negotiations to convince the ISP to throw the switch on a paying customer. If the representative hems and haws and says that policing the Internet is not his job, Jevans says, "rattle a few sabers" and threaten to call law enforcement.
In the most difficult scenario, a phishing site is domain-based. Hyndman has seen phishing websites set up to automatically change their IP addresses as often as every three minutes, hopping from one hacked computer to another in a complex game of cat and mouse played out across the globe.
Step 3) Contact law enforcement. Although this is an important step, be warned that it isn't necessarily the most effective way to get the site shut down quickly. The FBI and Secret Service are more concerned with patterns and big busts than individual ones, and until a customer has fallen for a scam and suffered damages, there may have been no law broken. Nevertheless, agents may be able to intervene on your behalf, and who knows, your case may be part of the bigger-picture investigation needed to shut down a given fraudster. (This has happened. In May 2005, a 20-year-old Texas man was sentenced to almost four years in prison for phishing.)
By establishing a relationship with law enforcement, you'll come to understand when agents want information about what kinds of attacks. For instance, the bank in the aforementioned CSO case study gets a compact disc from its vendor with information about each phish, and a copy of that CD is then passed on to the FBI, which looks for patterns or anomalies in the attacks.
Does all this sound like too much for your company? Then pay someone else to do it for you. The marketplace is brimming right now with companies that will do the dirty work. Brandimensions, Cyota, MarkMonitor and others offer anti-phishing services.
Responders at a good service provider will have expertise in working their way up the network stream seeking someone who can and will shut down the site. They try to work with the ISP or Web hosting company, and then if necessary contact the domain name registrar that's directing the URL to a given IP address. They'll send e-mails and faxes; they'll make phone calls. If necessary, they'll send notices threatening legal action. Often, when the site is hosted outside the United States, they'll seek help from local groups of first responders organized by CERT/CC at Carnegie Mellon. The end result? The phishing website might be up for hours instead of days.
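The evidence-gathering in Step 1, the IP-hopping sites described above, and the escalation path a takedown service follows (host owner or ISP first, then the registrar) can be captured in a small evidence record. The following Python script is an added example written for this page; it is not code from the article, from CSO, or from any vendor named here. The URL, the captured page bytes and the DNS observations are all constructed sample data, and the rule that sends a hopping site to the registrar is this example's own heuristic, not a published procedure.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample inputs standing in for a real capture; none of this is real data.
REPORTED_URL = "http://secure-login.example.net/account/verify.php?id=123"
CAPTURED_HTML = b"<html><body><form action='/account/verify.php'>Enter your PIN</form></body></html>"

# If the resolved IP changes at least twice between observations this close together,
# treat the site as domain-based (hopping between hosts). Example's own threshold.
HOP_WINDOW = timedelta(minutes=10)


@dataclass
class EvidenceRecord:
    """Step 1 material for a takedown request: the URL, its hostname, a hash of the
    captured page (so the copy can later be shown to be unaltered), and the IPs the
    hostname resolved to over time."""
    url: str
    hostname: str
    page_sha256: str
    observations: list = field(default_factory=list)  # (datetime, ip) pairs

    def add_observation(self, when: datetime, ip: str) -> None:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        self.observations.append((when, ip))

    def distinct_ips(self) -> set:
        return {ip for _, ip in self.observations}

    def hops_within(self, window: timedelta) -> int:
        """Count IP changes between consecutive observations taken no more than
        `window` apart. A high count means one host takedown will not stop the site."""
        ordered = sorted(self.observations)
        return sum(
            1
            for (t0, ip0), (t1, ip1) in zip(ordered, ordered[1:])
            if ip0 != ip1 and t1 - t0 <= window
        )

    def escalation_target(self, window: timedelta = HOP_WINDOW) -> str:
        """Heuristic: a site pinned to one host is handled by that host's owner or ISP;
        a site that keeps moving is only stopped at the registrar directing the domain."""
        if self.hops_within(window) >= 2:
            return "registrar"
        return "host_owner_or_isp"


def capture_evidence(url: str, page: bytes) -> EvidenceRecord:
    """Parse the reported URL and fingerprint the captured page."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return EvidenceRecord(
        url=url,
        hostname=parts.hostname,
        page_sha256=hashlib.sha256(page).hexdigest(),
    )


def takedown_notice(record: EvidenceRecord) -> str:
    """Plain-text body for the Step 2 message to the hosting party."""
    ips = ", ".join(sorted(record.distinct_ips())) or "(none recorded)"
    return (
        f"Phishing content reported at {record.url}\n"
        f"Hostname: {record.hostname}\n"
        f"Resolved to: {ips}\n"
        f"SHA-256 of captured page: {record.page_sha256}\n"
        "Please remove the content and review the host for compromise.\n"
    )


def demo_hopping_record() -> EvidenceRecord:
    """Constructed observations: the hostname moves to a new IP every three minutes."""
    rec = capture_evidence(REPORTED_URL, CAPTURED_HTML)
    start = datetime(2005, 6, 1, 9, 0)
    for i, ip in enumerate(["192.0.2.10", "198.51.100.7", "203.0.113.22", "192.0.2.44"]):
        rec.add_observation(start + timedelta(minutes=3 * i), ip)
    return rec


def demo_stable_record() -> EvidenceRecord:
    """Constructed observations: the hostname stays on a single hacked host."""
    rec = capture_evidence(REPORTED_URL, CAPTURED_HTML)
    start = datetime(2005, 6, 1, 9, 0)
    for i in range(4):
        rec.add_observation(start + timedelta(minutes=3 * i), "192.0.2.10")
    return rec


if __name__ == "__main__":
    for rec in (demo_hopping_record(), demo_stable_record()):
        print(f"{rec.hostname}: {len(rec.distinct_ips())} IP(s), escalate to {rec.escalation_target()}")
    print(takedown_notice(demo_hopping_record()))
```

In practice the observations would come from resolving the hostname on a timer rather than from the hard-coded lists, and the page hash should be taken from the exact bytes saved alongside the screenshot so the two can be tied together later.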
Any legal/regulatory requirements we should be aware of?
Regulatory requirements depend on your organization and industry, but the financial services industry in general is being pushed to action. Two examples:
* The Treasury Department's Office of the Comptroller of the Currency issued a bulletin in July 2005 that outlined the steps banks should take to mitigate the risks of phishing. Among other things, national banks were told they must file suspicious activity reports, or SARs, if they are the target of a spoofing incident.
* In December 2004, the Federal Deposit Insurance Corp. issued guidelines for how financial institutions can mitigate phishing risks. The document warns that "the financial service industry's current reliance on passwords for remote access to banking applications offers an insufficient level of security" and describes better options, such as two-factor authentication. (View the table of contents for "Putting an End to Account-Hijacking Identity Theft.")
What action can we take against the phishers themselves?
Takedown, which essentially just relocates the problem, may be the only aggressive form of defense that the targeted company has. Prosecutions of phishers have been rare, due to the difficulty of tracing how personal information has been captured, sold and exploited.
However, when a site proves to be particularly vexing to shut down, the vendor may offer to try a controversial practice sometimes known as dilution. This involves feeding fake information into a phishing site, the goal being to "dilute" the real information, making the phisher's haul less valuable.
Dilution is tricky for many reasons. Opinions differ on how best to generate the fake information. Also, patterns (where the traffic is coming from or how often) can tip off phishers that the information is bogus, possibly prompting them to retaliate against the targeted company. There are also legal concerns. High-volume dilution can amount to denial of service, an attack in which so much bogus traffic floods a website that it collapses. Jevans, of the Anti-Phishing Working Group, laughs when asked about dilution. "That's the polite term," he says. "Denial of service," the impolite term, "is illegal. Which is why you find not everybody is using dilution."
Vendors may counter that dilution is significantly different from a denial-of-service attack because the Web traffic is supposed to flow at a reasonable enough rate to look like actual users. Still, most companies are leery of the practice. The bank profiled in CSO, for example, decided that dilution was worth the risk only if the situation became critical, with a large number of people responding to the phish and causing the bank "significant" losses.