Near my home is a medium-sized river that's a popular fishing spot. Small boats are fairly common on the river, but most of the hopeful anglers stand in the river in hip waders, trying to catch pike or walleye. Unfortunately, fishermen aren't the only people dangling bait these days. A growing number of criminals are sending out fake email messages in a process known as phishing.
The Anti-Phishing Working Group (APWG--http://www.antiphishing.org ) has a succinct definition of phishing that's worth citing: "Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' emails to lead consumers to counterfeit Web sites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords, and social security numbers. Hijacking brand names of banks, e-retailers, and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning."
I'm amazed that any user would actually fall for an email message that says, "Your account's been compromised, so please log in." But people do fall for these schemes--and in record numbers. "Information Week" estimates that between 3 percent and 5 percent of users who receive a phishing email message actually go to the bogus Web site and provide at least some personal information. Estimates of the financial losses these attacks cause are hard to come by, but late last month the US Federal Trade Commission (FTC) settled with Zachary Hill, a Texas phisher who bilked about 400 people out of a total of more than $125,000. The APWG estimates that in February 2005 more than 2600 active phishing sites (with an average lifetime of 5 days per site) were in use.
You can apply a variety of phishing countermeasures, and more are on the way. The biggest hope probably lies in the Sender Policy Framework (SPF) standard and Microsoft's Sender ID (see "Sender ID: Back From the Grave" at http://www.windowsitpro.com/article/articleid/44353/44353.html ), which provides verification that the actual sender of a message matches the domain that the message claims to be from. Microsoft is committed to introducing support for Sender ID in Exchange 2003 Service Pack 2 (SP2), a move that will undoubtedly speed its adoption.
In the meantime, several antispam vendors have introduced antiphishing features in their products. Barracuda Networks, Tumbleweed Communications, and other vendors use systems that rely on user reports of phishing messages to mark similar messages as phish-y; filters that use techniques such as Spam URL Realtime Block Lists (SURBL) to mark messages that contain "bad" URLs might also help catch such messages.
Ultimately, the most significant countermeasure is educating your users--and friends, relatives, neighbors, and other people to whom you provide ad hoc advice or technical support--about these messages. The majority of phishing messages claim to be from only five or six companies, such as eBay, Citibank, PayPal, and Wells Fargo, that never send out security notifications via email. Apart from the financial losses, the recent tendency of phishing sites to install crimeware on users' computers poses a worrisome long-term threat because infected home machines might not be detected for some time, and those machines can introduce problems into your corporate network.
On an unrelated note, the ballot for Windows IT Pro's annual Readers' Choice awards is now live. Here's your chance to reward companies that provide excellent products and the best overall services. The September 2005 issue of Windows IT Pro will feature the winners. Click here to vote:
Free Online Event! Virtualization:Get the Facts! Register now and attend this free, live in-depth online conference on November 13 and 20, 2008, produced by Windows IT Pro. All registrants are eligible to receive a complimentary one-year digital subscription to Windows IT Pro (a $49.95 value)!
Ease Your Scripting Pains with the Flexibility of PowerShell! Join MVP Paul Robichaux on December 11, 2008 at 11:00 AM EDT as he equips you with PowerShell basics in 3 introductory lessons, each followed by a live Q&A session—all on your own computer!
Latest Advancements in SSL Technology There are a variety of different kinds of SSL to explore to ensure customer data is kept confidential and secure. In this paper, we will discuss some of these SSL advances to help you decide which would be best for your organization.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Maximize Your SharePoint Investment: Get Your Data Moving Watch this web seminar now to learn how to maximize your SharePoint investment! Join us as we take a look at the complex business of securing, accessing and managing vast amounts of information in a global network and various ways to get your data moving.
Register
