How fraudsters found bigger phish to fry
By Rob Minto
Published: November 11 2008 23:01 | Last updated: November 11 2008 23:01
If you thought spam was a problem, things are only set to get worse with
phishing. Most e-mail users are used to spam - the irritating unsolicited
e-mail trying to sell you something. It is easy to spot. But phishing, a form
of fraudulent spam that attempts to get account information from individuals or
install malicious programmes on their machines, is becoming smarter.
For one thing, phishing e-mails have become slicker and more personalised.
Richard Howard, director of intelligence at iDefense, a security intelligence
company, says: "This is a trend change, from global to targeted. It is now
senior executives in major financial institutions. And the bad guys aren't just
after retail accounts but big commercial accounts. An e-mail asks you to go to
a specific web page, and once you are there, they own you."
The programming behind the e-mails is also becoming more sophisticated.
According to Rik Ferguson, senior security adviser at Trend Micro: "This isn't
bedroom coders any more - it's a mainstream business." A new malware (malicious
software) programme is created every six seconds and, once installed, such
programmes are getting harder to detect.
Part of the problem is the volume of e-mail in the workplace. Simon Church,
vice-president of VeriSign, a security company, says: "In the general course of
the day you get so much interaction from friends and colleagues, it could come
Spam is still a vast problem. It is estimated that over 100bn spam e-mails are
sent every day. But the number of targeted e-mail attacks is also rising at a
phenomenal rate. Trend Micro, an internet security company, calculates that in
2005 there were on average two such attacks globally a week. That rose to over
1,000 a day by late 2007, and shows no signs of slowing down.
Phishing attacks are often sent out in short bursts. On October 16,
MessageLabs, the online security firm, intercepted 7,000 phishing attacks
purporting to be from Bank of America in an attack that took place over two
hours. The next day, the BofA phishing e-mails more than doubled to 15,000 and
during the weekend reached a total of over 125,000. And that was only 16 per
cent of all phishing for the weekend - a total of more than 780,000 e-mails.
Some phishing attacks use the same principle as spam, which is a simple numbers
game: send out as many as possible and the chances are some careless or
confused people will give you their details. But the new trend, known as "spear
phishing", is to target wealthy people using personalised e-mails. And if the
target also has a high public profile, the attack is known as "whale phishing".
A recent whale phishing target was the chief executive of one of the biggest
banks in the US. Like many chief executives, his e-mail was handled by staff in
the office. The message was convincing, as it had a document attached that
related to a potential lawsuit. According to one of the senior executives at
the bank: "The e-mail sent to the CEO was then forwarded to the legal
department, and 15 people clicked on that link. The recipients did not think it
would be malicious, as the e-mail came from someone they knew."
Unbeknown to the recipients, opening the document attached to the e-mail
installed a keystroke logger - a programme that records everything typed on a
computer's keyboard and sends it to a remote location, where the attackers can
analyse it and pick out passwords and other details. Fortunately, the bank had
been warned of some sort of attack and had put blocks in place to prevent the
malware being installed.
Another recent whale phishing attack was directed at the head of an internet
security company. Dave DeWalt, chief executive of McAfee, received an e-mail
that was so convincing that even he was nearly duped.
"It was from my bank. They knew I was out of the country, they knew where I
was, and it said my accounts had been suspended," he says. "It had some of my
account information in it and asked me to re-authenticate myself. This was a
highly sophisticated attack on me, and they may have called my office to find
where I was."
Mr DeWalt was too savvy to click on the link: "I thought straightaway that my
bank would call over something like this rather than send an e-mail." But
tracking down the owner of the website behind the e-mail proved too hard even
for a security company as powerful as McAfee. The site's IP address - the
numeric address normally used to identify where a site is hosted - changed over
1,000 times in the following week, making it almost untraceable.
Stories of fraud and phishing have only increased the confusion over internet
and banking security.
When it was revealed that Nicolas Sarkozy, French president, had money stolen
from his bank account in October, the French government launched an inquiry
into how the account was hacked. Some articles reported that Mr Sarkozy had
been a victim of a phishing attack, yet police reports suggested that the
criminals did not know the identity of the president when they accessed his
account, suggesting it was probably a direct debit fraud or similar activity.
The response by the French government was to place the security spotlight on
the bank. However, most internet fraud is made possible by people who fail to
safeguard their bank details or who choose passwords that are easy to guess.
Almost all banks now ask only for specific characters from passwords, not the
password in full. And many use two forms of authentication - a phone call or
text message as well as an e-mail.
So how can people stay safe online? Mr Howard has a golden rule: "Never click
on a link in an e-mail," he says. "Never ever ever. Not even if you know them."
You have been warned.
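Mr Howard's rule is sound, and the reasoning behind it can be made concrete. The following is an added example, not code from the article or from any of the companies it quotes: it shows the checks a cautious reader, or a mail gateway, can run on the links inside an e-mail before anyone clicks. It looks for the tricks that make a convincing message dangerous: a raw IP address instead of a domain, a "bank@attacker" user-info prefix in the URL, link text that names one site while the link points at another, and a foreign domain that merely contains the bank's name. The sample e-mail body and the trusted-domain list are constructed for the demonstration, and `registrable_domain` is a deliberately crude approximation (no public-suffix list), which is an assumption to note before reusing it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample e-mail body (not from the article): one raw-IP link,
# one user-info trick with a look-alike host, and one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended.</p>
<p>Please <a href="http://198.51.100.7/login">re-authenticate</a> now.</p>
<p>Or visit <a href="https://www.examplebank.example@examplebank-secure.example/verify">https://www.examplebank.example/</a>.</p>
<p>Help centre: <a href="https://www.examplebank.example/help">www.examplebank.example</a></p>
"""

# Assumed list of domains the reader actually banks with.
TRUSTED_DOMAINS = {"examplebank.example"}

# Visible link text that itself looks like a URL or host name.
_DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: no public-suffix list,
    so suffixes such as 'co.uk' are not handled; adequate for a demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_indicators(href, text, trusted_domains):
    """Return the names of the phishing indicators present in one link."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme == "http":
        findings.append("insecure_scheme")              # credentials over plain HTTP
    if host and _is_ip(host):
        findings.append("ip_literal_host")              # no domain a bank would use
    if parsed.username is not None:
        findings.append("userinfo_in_url")              # 'bank@attacker' trick
    if _DOMAIN_LIKE.match(text):
        shown = text if "://" in text else "//" + text
        shown_host = urlparse(shown).hostname or ""
        if host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append("display_domain_mismatch")  # text names one site, href another
    if host and registrable_domain(host) not in trusted_domains:
        for trusted in trusted_domains:
            if trusted.split(".")[0] in host:
                findings.append("lookalike_of_trusted")  # brand name inside a foreign host
                break
    return findings


def scan_email(html, trusted_domains):
    """Scan an HTML e-mail body and report the indicators per link, in order."""
    collector = _LinkCollector()
    collector.feed(html)
    return [
        {"href": href, "text": text, "indicators": link_indicators(href, text, trusted_domains)}
        for href, text in collector.links
    ]


if __name__ == "__main__":
    for entry in scan_email(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        status = "SUSPICIOUS" if entry["indicators"] else "ok"
        print(f"{status:10} {entry['href']}  {entry['indicators']}")
```

Run against the sample, the first two links are flagged and the third, which points at the bank's own domain and says so, passes. The checks are heuristics rather than proof of safety: a phishing site served over HTTPS on a freshly registered domain with honest-looking link text would pass all five, which is exactly why the article's rule is to reach the bank through its own site or by phone rather than through any link in a message.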
Copyright The Financial Times Limited 2008