Home » Data Protection » Network Security

Basics

Phishing: The Basics

Here's how to be on your guard against phishing attacks

Page 4

How might phishing attacks evolve in the near future?

As phishing e-mails and websites have grown more sophisticated, phishers also have changed the kinds of companies they are spoofing. Early phishing e-mails usually targeted large banks, credit card companies, online payment services, ISPs and large online retailers. As those large companies put defense mechanisms in place to limit the damages, phishers have moved on to smaller companies that may be less prepared to defend themselves.

At the same time, phishers have also grown more sophisticated in their use of e-mail address lists. A phishing e-mail targeting a regional credit union, for example, may be sent only to customers who use ISPs located in that same area. The latest and perhaps ultimate personalization? A technique known as "spear phishing," in which e-mails are customized for particular users. One scam targeted just executives at certain kinds of companies.

Meanwhile, as customers become more savvy about the risks of divulging personal information, fraudsters are looking for ways to gather information without the victims' knowledge. This is often done with a method known as pharming. Like phishing, pharming aims to collect personal information from unsuspecting victims. The difference is that pharming doesn't rely on e-mail solicitation to ensnare its victims. Instead, this attack method essentially tinkers with the road maps that computers use to navigate the Web, such that large numbers of users can wind up giving personal data to a bogus site even if they've typed in a legitimate URL.

Pharming combines a mix of mainstream threats such as viruses and spyware, plus more esoteric stuff such as domain spoofing and DNS poisoning. In one scenario, a user receives some kind of malware (virus, worm, Trojan horse or spyware) that rewrites local host files, which convert URLs into the number strings that computers use to find and access websites. Then, for example, when the user types a legitimate bank's URL into the browser window, the computer is misdirected to a bogus but authentic-looking website of the same sort that might be used in a phishing attack. In another scenario, a hacker poisons a more public DNS directory cache (at an ISP, for instance), again leading unsuspecting Internet users to phony sites.

In either case, potentially large numbers of users are drawn to the fraudulent sites or proxy servers (a computer that sits between the user and the real server and captures information as it passes through), where criminals can track activity and gather credit card data and personal identification numbers.

Pharming is technically harder to accomplish than phishing. To execute a phishing attack, a hacker needs to be able to create a plausible URL, a decent webpage and an e-mail message. This is not hard. Pharming, on the other hand, requires knowledge of how to manipulate DNS caches or gain access to someone's computer files or servers to change settings. But it can also be more damaging, because even savvy computer users may have no idea that their information has been compromised.

How can we guard against pharming attacks?

Just as pharming is more technically difficult to pull off than phishing, it's more technically complicated to protect against. Here are some basics.

a) Deploy technologies such as intrusion prevention and antivirus software, desktop firewalls with filters to look for spyware, and logging software to look for particular events such as spikes in DNS traffic or spikes in e-mail traffic from a single user.

b) Make incident response teams aware of the threat, and teach employees and customers how to avoid pharming incidents. Also ramp up education efforts aimed at business partners, especially for smaller companies that might need help to deal with the pharming threat.

c) Place controls on DNS servers, such as host-based intrusion detection systems, to prevent visitors or customers to websites from inadvertently participating in a pharming attack. There are also some vendors that focus on DNS security, such as UltraDNS.

d) Be prepared to have Internet service providers quickly shut down malicious sites that are set up for pharming. Consider moving ahead with plans for stronger authentication technologies that control access to systems that could be targets of pharmers.

e) Follow developments such as the progress of the DNSSEC standards, and ensure that your company's ISPs have the proper controls on their DNS directories and servers.

This resource has been compiled from articles in CSO magazine. Contributing writers include Alice Dragoon, Sarah D. Scalet and Bob Violino. E-mail feedback to Editor Derek Slater at dslater@cxo.com.

Other resources:

The Anti-Phishing Working Group
www.antiphishing.org