How fraudsters found bigger phish to fry
By Rob Minto 

Published: November 11 2008 23:01 | Last updated: November 11 2008 23:01

If you thought spam was a problem, things are only set to get worse with 
phishing. Most e-mail users are used to spam - the irritating unsolicited 
e-mail trying to sell you something. It is easy to spot. But phishing, a form 
of fraudulent spam that attempts to get account information from individuals or 
install malicious programmes on their machines, is becoming smarter.

For one thing, phishing e-mails have become slicker and more personalised. 
Richard Howard, director of intelligence at iDefense, a security intelligence 
company, says: "This is a trend change, from global to targeted. It is now 
senior executives in major financial institutions. And the bad guys aren't just 
after retail accounts but big commercial accounts. An e-mail asks you to go to 
a specific web page, and once you are there, they own you."

The programming behind the e-mails is also becoming more sophisticated. 
According to Rik Ferguson, senior security adviser at Trend Micro: "This isn't 
bedroom coders any more - it's a mainstream business." A new malware (malicious 
software) programme is created every six seconds and, once installed, such 
programmes are getting harder to detect.

Part of the problem is the volume of e-mail in the workplace. Simon Church, 
vice-president of VeriSign, a security company, says: "In the general course of 
the day you get so much interaction from friends and colleagues, it could come 
from anywhere."

Spam is still a vast problem. It is estimated that over 100bn spam e-mails are 
sent every day. But the number of targeted e-mail attacks is also rising at a 
phenomenal rate. Trend Micro, an internet security company, calculates that in 
2005 there were on average two such attacks globally a week. That rose to over 
1,000 a day by late 2007, and shows no signs of slowing down.

Phishing attacks are often sent out in short bursts. On October 16, 
MessageLabs, the online security firm, intercepted 7,000 phishing attacks 
purporting to be from Bank of America in an attack that took place over two 
hours. The next day, the BofA phishing e-mails more than doubled to 15,000 and 
during the weekend reached a total of over 125,000. And that was only 16 per 
cent of all phishing for the weekend - a total of more than 780,000 e-mails.

Some phishing attacks use the same principle as spam, which is a simple numbers 
game: send out as many as possible and the chances are some careless or 
confused people will give you their details. But the new trend, known as "spear 
phishing", is to target wealthy people using personalised e-mails. And if the 
target also has a high public profile, the attack is known as "whale phishing".

A recent whale phishing target was the chief executive of one of the biggest 
banks in the US. Like many chief executives, his e-mail was handled by staff in 
the office. The message was convincing, as it had a document attached that 
related to a potential lawsuit. According to one of the senior executives at 
the bank: "The e-mail sent to the CEO was then forwarded to the legal 
department, and 15 people clicked on that link. The recipients did not think it 
would be malicious, as the e-mail came from someone they knew."

Unbeknown to the recipients, opening the attached document in the e-mail 
installed a keystroke logger - a programme that records everything typed on a 
computer's keyboard and sends it to a remote location where the attackers can 
analyse it, picking up passwords and other details. Fortunately, the bank had 
been warned of some sort of attack, and had put blocks in place to prevent the 
malware being installed.

Another recent whale phishing attack was directed at the head of an internet 
security company. Dave DeWalt, chief executive of McAfee, received an e-mail 
that was so convincing that even he was nearly duped. 

"It was from my bank. They knew I was out of the country, they knew where I 
was, and it said my accounts had been suspended," he says. "It had some of my 
account information in it and asked me to re-authenticate myself. This was a 
highly sophisticated attack on me, and they may have called my office to find 
where I was."

Mr DeWalt was too savvy to click on the link: "I thought straightaway that my 
bank would call over something like this rather than send an e-mail." But 
tracking down the owner of the website behind the e-mail proved too hard even 
for a security company as powerful as McAfee. The website IP address, commonly 
used to identify a site, changed over 1,000 times in the following week, making 
it almost untraceable.
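The rapid change of a site's IP address described above is something a defender can watch for in resolver logs. The following is an added illustration, not code from the article or from McAfee: it parses constructed DNS log lines (placeholder names and documentation-range addresses, assumed to be in a simple "timestamp name answer" format) and flags names whose answer addresses churn far faster than a normally hosted site would.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of resolver log lines: "<ISO timestamp> <queried name> <answer IP>".
# Names and addresses are placeholders, not indicators from any real campaign.
SAMPLE_LOG = """\
2008-10-20T08:00:00 login-update.example.invalid 203.0.113.10
2008-10-20T08:10:00 login-update.example.invalid 198.51.100.7
2008-10-20T08:20:00 login-update.example.invalid 192.0.2.44
2008-10-20T08:30:00 login-update.example.invalid 203.0.113.88
2008-10-20T08:40:00 login-update.example.invalid 198.51.100.201
2008-10-20T08:50:00 login-update.example.invalid 192.0.2.9
2008-10-20T08:00:00 www.example.invalid 203.0.113.5
2008-10-20T08:30:00 www.example.invalid 203.0.113.5
2008-10-20T09:00:00 www.example.invalid 203.0.113.5
"""

def parse_log(text):
    """Yield (timestamp, name, ip) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def churn_by_name(records, window=timedelta(hours=1)):
    """For each name, return the largest number of distinct answer IPs
    observed within any sliding window of the given length."""
    by_name = defaultdict(list)
    for ts, name, ip in records:
        by_name[name].append((ts, ip))
    result = {}
    for name, events in by_name.items():
        events.sort()  # chronological, so later events are at or after `start`
        best = 0
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            best = max(best, len(ips))
        result[name] = best
    return result

def flag_fast_flux(text, threshold=4, window=timedelta(hours=1)):
    """Return the sorted names whose answers rotated through at least
    `threshold` distinct IPs inside one window; a hosted site normally
    resolves to a small, stable set of addresses."""
    churn = churn_by_name(parse_log(text), window)
    return sorted(n for n, c in churn.items() if c >= threshold)
```

Sites served from a content-delivery network also answer with several addresses, so the threshold and window need tuning against your own baseline before a hit is treated as suspicious.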

Stories of fraud and phishing have only increased the confusion over internet 
and banking security. 

When it was revealed that Nicolas Sarkozy, French president, had money stolen 
from his bank account in October, the French government launched an inquiry 
into how the account was hacked. Some articles reported that Mr Sarkozy had 
been a victim of a phishing attack, yet police reports suggested that the 
criminals did not know the identity of the president when they accessed his 
account, suggesting it was probably a direct debit fraud or similar activity.

The response by the French government was to place the security spotlight on 
the bank. However, most internet fraud is prompted by people who fail to 
safeguard bank details or choose passwords that are easy to guess.

Almost all banks now ask only for specific characters from passwords, not the 
password in full. And many use two forms of authentication - a phone call or 
text message as well as an e-mail. 

So how can people stay safe online? Mr Howard has a golden rule: "Never click 
on a link in an e-mail," he says. "Never ever ever. Not even if you know them." 

You have been warned.

Copyright The Financial Times Limited 2008
