http://www.ft.com/cms/s/0/7c03fd14-b011-11dd-a795-0000779fd18c.html
How fraudsters found bigger phish to fry
By Rob Minto
Published: November 11 2008 23:01 | Last updated: November 11 2008 23:01

If you thought spam was a problem, things are only set to get worse with phishing. Most e-mail users are used to spam - the irritating unsolicited e-mail trying to sell you something. It is easy to spot. But phishing, a form of fraudulent spam that attempts to get account information from individuals or install malicious programmes on their machines, is becoming smarter.

For one thing, phishing e-mails have become slicker and more personalised. Richard Howard, director of intelligence at iDefense, a security intelligence company, says: "This is a trend change, from global to targeted. It is now senior executives in major financial institutions. And the bad guys aren't just after retail accounts but big commercial accounts. An e-mail asks you to go to a specific web page, and once you are there, they own you."

The programming behind the e-mails is also becoming more sophisticated. According to Rik Ferguson, senior security adviser at Trend Micro: "This isn't bedroom coders any more - it's a mainstream business." A new malware (malicious software) programme is created every six seconds and, once installed, such programmes are getting harder to detect.

Part of the problem is the volume of e-mail in the workplace. Simon Church, vice-president of VeriSign, a security company, says: "In the general course of the day you get so much interaction from friends and colleagues, it could come from anywhere."

Spam is still a vast problem. It is estimated that over 100bn spam e-mails are sent every day. But the number of targeted e-mail attacks is also rising at a phenomenal rate. Trend Micro, an internet security company, calculates that in 2005 there were on average two such attacks globally a week. That rose to over 1,000 a day by late 2007, and shows no signs of slowing down.

Phishing attacks are often sent out in short bursts.
On October 16, MessageLabs, the online security firm, intercepted 7,000 phishing e-mails purporting to be from Bank of America in an attack that took place over two hours. The next day, the BofA phishing e-mails more than doubled to 15,000 and over the weekend reached a total of more than 125,000. And that was only 16 per cent of all phishing for the weekend - a total of more than 780,000 e-mails.

Some phishing attacks use the same principle as spam, which is a simple numbers game: send out as many as possible and the chances are some careless or confused people will give you their details. But the new trend, known as "spear phishing", is to target wealthy people using personalised e-mails. And if the target also has a high public profile, the attack is known as "whale phishing".

A recent whale phishing target was the chief executive of one of the biggest banks in the US. Like many chief executives, his e-mail was handled by staff in the office. The message was convincing, as it had a document attached that related to a potential lawsuit. According to one of the senior executives at the bank: "The e-mail sent to the CEO was then forwarded to the legal department, and 15 people clicked on that link. The recipients did not think it would be malicious, as the e-mail came from someone they knew."

Unbeknown to the recipients, opening the attached document installed a keystroke logger - a programme that records everything typed on the keyboard and sends it to a remote location where the attackers can sift through it for passwords and other details. Fortunately, the bank had been warned of some sort of attack, and had put blocks in place to prevent the malware being installed.

Another recent whale phishing attack was directed at the head of an internet security company. Dave DeWalt, chief executive of McAfee, received an e-mail that was so convincing that even he was nearly duped. "It was from my bank.
They knew I was out of the country, they knew where I was, and it said my accounts had been suspended," he says. "It had some of my account information in it and asked me to re-authenticate myself. This was a highly sophisticated attack on me, and they may have called my office to find where I was." Mr DeWalt was too savvy to click on the link: "I thought straightaway that my bank would call over something like this rather than send an e-mail."

But tracking down the owner of the website behind the e-mail proved too hard even for a security company as powerful as McAfee. The website's IP address, commonly used to identify a site, changed over 1,000 times in the following week, making it almost untraceable.

Stories of fraud and phishing have only increased the confusion over internet and banking security. When it was revealed that Nicolas Sarkozy, the French president, had money stolen from his bank account in October, the French government launched an inquiry into how the account was hacked. Some articles reported that Mr Sarkozy had been a victim of a phishing attack, yet police reports suggested that the criminals did not know the identity of the president when they accessed his account, suggesting it was probably a direct debit fraud or similar activity.

The response by the French government was to place the security spotlight on the bank. However, most internet fraud is made possible by people who fail to safeguard bank details or choose passwords that are easy to guess. Almost all banks now ask only for specific characters from passwords, not the password in full. And many use two forms of authentication - a phone call or text message as well as an e-mail.

So how can people stay safe online? Mr Howard has a golden rule: "Never click on a link in an e-mail," he says. "Never ever ever. Not even if you know them." You have been warned.

Copyright The Financial Times Limited 2008
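The phishing site in the McAfee story, whose IP address changed more than 1,000 times in a week, behaves the way a fast-flux hosting network does: the name stays the same while short-TTL DNS answers rotate through many compromised hosts on different networks. The following is an added editorial example, not code from the FT article, from McAfee or from any of the companies quoted. It runs a simple fast-flux heuristic over a constructed passive-DNS log (lines of "epoch qname ip ttl"); the domain names, addresses (all from RFC 5737 documentation ranges) and thresholds are assumptions chosen for illustration, and the cdn.example.net entry is there to show the common false positive, a content delivery network that also rotates addresses quickly but stays inside one network.

```python
"""Fast-flux heuristic over a passive-DNS answer log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample log: "<epoch> <qname> <ip> <ttl>", one A-record answer
# per line, as a resolver or passive-DNS sensor might record it.
# account-verify.example : hypothetical flux domain (many IPs, many /24s, low TTL)
# cdn.example.net        : hypothetical CDN (rotates fast, but one /24)
# www.example.com        : hypothetical ordinary site (two-host round robin)
SAMPLE_LOG = """\
1224604800 account-verify.example 192.0.2.10 300
1224604800 cdn.example.net 203.0.113.20 60
1224604800 www.example.com 192.0.2.1 3600
1224604860 cdn.example.net 203.0.113.21 60
1224604920 cdn.example.net 203.0.113.22 60
1224604980 cdn.example.net 203.0.113.20 60
1224605040 cdn.example.net 203.0.113.23 60
1224605100 account-verify.example 198.51.100.7 180
1224605100 cdn.example.net 203.0.113.21 60
1224605400 account-verify.example 203.0.113.55 300
1224605700 account-verify.example 192.0.2.200 120
1224606000 account-verify.example 198.51.100.99 300
1224606300 account-verify.example 203.0.113.12 180
1224606600 account-verify.example 192.0.2.77 300
1224606900 account-verify.example 198.51.100.7 120
1224608400 www.example.com 192.0.2.2 3600
1224612000 www.example.com 192.0.2.1 3600
1224615600 www.example.com 192.0.2.2 3600
1224619200 www.example.com 192.0.2.1 3600
1224622800 www.example.com 192.0.2.2 3600
"""


@dataclass
class FluxStats:
    qname: str
    answers: int            # number of answers seen for the name
    distinct_ips: int       # how many different addresses it resolved to
    distinct_prefixes: int  # how many different /24s those addresses fall in
    mean_ttl: float         # average TTL of the answers, in seconds
    churn: float            # share of consecutive answers where the IP changed


def parse_log(text):
    """Parse log lines into (epoch, qname, ip, ttl) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, ip, ttl = line.split()
        ip_address(ip)  # raises ValueError on a malformed address
        rows.append((int(ts), qname.lower().rstrip("."), ip, int(ttl)))
    rows.sort()
    return rows


def summarise(rows):
    """Compute per-name FluxStats from parsed rows."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in rows:
        by_name[qname].append((ts, ip, ttl))
    stats = {}
    for qname, answers in by_name.items():
        ips = [ip for _, ip, _ in answers]
        ttls = [ttl for _, _, ttl in answers]
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        prefixes = {".".join(ip.split(".")[:3]) for ip in ips}  # IPv4 /24
        stats[qname] = FluxStats(
            qname=qname,
            answers=len(answers),
            distinct_ips=len(set(ips)),
            distinct_prefixes=len(prefixes),
            mean_ttl=sum(ttls) / len(ttls),
            churn=changes / max(1, len(ips) - 1),
        )
    return stats


def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=600, min_churn=0.5):
    """Assumed thresholds: many addresses spread over several networks,
    short TTLs and a high change rate between consecutive answers.
    The prefix requirement is what keeps a single-network CDN from tripping it."""
    return (s.distinct_ips >= min_ips
            and s.distinct_prefixes >= min_prefixes
            and s.mean_ttl <= max_ttl
            and s.churn >= min_churn)


def flag_fast_flux(text, **thresholds):
    """Return the sorted list of names in the log that look like fast-flux."""
    stats = summarise(parse_log(text))
    return sorted(q for q, s in stats.items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in sorted(summarise(parse_log(SAMPLE_LOG)).items()):
        verdict = "FAST-FLUX" if is_fast_flux(s) else "ok"
        print(f"{name:26} ips={s.distinct_ips} /24s={s.distinct_prefixes} "
              f"ttl={s.mean_ttl:.0f}s churn={s.churn:.2f} -> {verdict}")
```

In production the /24 check would be replaced by autonomous-system diversity from a BGP or WHOIS lookup, and an allow-list of known CDNs would be applied before alerting; the structure of the check stays the same.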