Phishing has emerged as the latest threat to the theft of personal information
over the Internet. This Glenbrook ActionMap(SM) briefing for financial
institutions examines the phishing threat, provides brief technology background
on how fraudsters are successfully perpetrating phishing frauds, and recommends
an ActionMap for institutions to consider for responding effectively to
these threats.
Phishing in Context
The term "phishing" itself comes from the metaphor of "fishing"
among the sea of Internet users for their personal passwords – with the
"ph" replacing the "f" to coin the term "phishing"
as a nod to the "phone phreaking" techniques used to attack
telephone systems in the early 1970s. In the mid-90s, fraudsters began
using techniques that would induce legitimate users into providing them
with their userid and password information for various Internet service
provider (ISP) services including AOL and others.
Today, fraudsters have more lucrative financial targets in their sights
– targeting major banks, online ecommerce sites, and payment services
such as PayPal for phishing attacks. Over the last six months, many of
the world’s major banks have had their customers hit with phishing attacks.
Practically all of the largest banks in the U.S. and the U.K. have been
hit by phishing, most of them have been hit multiple times. Financial
institutions are clearly the primary target for phishing attacks, since
the "obtainable" information is extremely valuable. "Bogus
e-mails that try to trick customers into giving out personal information
are the hottest, and most troubling, new scam on the Internet," said
Jana Monroe, Assistant Director of the FBI’s Cyber Division.
During December 2003, the rate of phishing attacks exploded with over
sixty unique attacks resulting in an estimated sixty million emails being
sent to unsuspecting users. Most of those emails purported to come from
financial services companies including Visa, PayPal, Citibank and others.
Once a fraudster is able to obtain a credit card number or a userid and
password from the legitimate user, the fraudster can use the access to
the account to pursue all manner of fraudulent activities – from moving
funds, changing the user’s account information to perpetrate identity
theft, etc.
Unlike virus attacks, phishers use techniques to trick legitimate users
into providing personal information that aren’t easily defended against
by existing user tools such as anti-virus software. As a result, phishers
are experiencing higher odds of success than with virus-based techniques.
Similarly to viruses, phishing is an evolving phenomenon, which fraudsters
will continue to evolve as they develop new techniques and methods in
reaction to potential solutions as they are introduced.
In addition, in the U.S. telephone-based attacks are also occurring although
these are obviously more expensive for attackers to mount. These attacks
impersonate bank staff by providing enough personal information to gain
credibility – and then seek specific additional personal information.
A recent example involves attackers calling cardholders and talking them
into providing the card verification value (CVV) from the signature panel
on the back of their cards as "verification". The attacker can
then use the CVV information to complete purchases at online sites that
are increasingly requesting that this information be provided.
Anecdotal industry information appears to indicate that currently about
five per cent of recipients of a phishing attack actually provide their
personal information. Many of the early phishing attacks had less than
perfect content – basic spelling and grammatical errors – which led recipients
to ignore them. As attackers get more sophisticated, their ability to
construct letter-perfect, email content is improving. With industry educational
efforts now underway, the percentage of users that fall for a phishing
attack hopefully will begin to drop.
With the high exposure to release of personal information that currently
exists, institutions whose online customers are clearly at risk have been
taking steps to ensure that their customers are as informed as possible
about the potential for phishing attacks and how best to deal with them.
Technical Background
Phishing is made possible by the relative ease with which email addresses
can be spoofed. As it turns out, the basic architecture of the Internet
email infrastructure doesn’t provide for any authentication of the sender’s
actual email account. As a result, it is trivially simple for a fraudster
to impersonate that a particular email is coming from a legitimate source
and tricking the receiving party into believing that the email should,
as a result, be trusted.
There are several ways to conduct phishing. Most phishing is done using
HTML-based email – which includes graphical images in addition to text
that makes it also appear as if the email has been sent from a legitimate
source. Once the recipient opens the email, company logos, subsets of
home page designs, and familiar language are all used by the fraudster
to construct within the body of the email a message which looks "perfect"
– in the sense that the recipient is led to believe that it must have
come from the legitimate source.
Embedded in the email will be a message intended to motivate the recipient
to click on a link to take action. Here’s a recent example of just such
an email:
From: "XYZ Bank"
Subject: Your account at XYZ Bank has been suspended.
Date: Tue, 20 Jan 2004 05:13:27 -0400 (EST)Dear XYZ Bank account holder,
We regret to inform you, that
we had to block your XYZ Bank account because we have been notified
that your account may have been compromised by outside parties.Our terms and conditions you
agreed to state that your account must always be under your control
or those you designate at all times. We have noticed some activity related
to your account that indicates that other parties may have access and
or control of your information in your account.These parties have in the past
been involved with money laundering, illegal drugs, terrorism and various
Federal Title 18 violations. In order that you may access your account
we must verify your identity by clicking on the link below.Please be aware that until
we can verify your identity no further access to your account will be
allowed and we will have no other liability for your account or any
transactions that may have occurred as a result of your failure to reactivate
your account as instructed below.Thank you for your time and
consideration in this matter.<Click here to verify
your identity>Before you reactivate your
account, all payments have been frozen, and you will not be able to
use your account in any way until we have verified your identity.
This particular email was sent out using many different bank names on
the subject line and within the text. Typically, the fraudster does not
have enough information to target actual bank customers – but, rather,
simply picks banks or other institutions with large enough user groups
such that the odds of finding an actual customer among a vast list of
email addresses is reasonably good.
The link included in this particular phishing email included a URL of
the following form:
http://www.xyzbank.com@xxx.yy.kr/index.htm
To an unsuspecting recipient, that link address probably looks just fine
– if they even bother to look at it carefully! However, links of this
kind (and there are several similar examples) actually result in the user
being taken to the site xxx.yy.kr (in Korea in this case). The fraudster
has essentially taken a copy of the bank’s actual home page "look
and feel", modified it ever so slightly and hosted it elsewhere.
The unsuspecting user will simply enter his username and password and
attempt to logon to the site to revalidate his identity as the email requested.
At that point, the fraudster’s Web site has captured everything he needs
– to now go to the bank’s actual Web site and impersonate the legitimate
bank customer. Sophisticated fraudsters provide a link that appears to
go to the bank’s real Web site from which a fraudulent pop-up window appears
prompting the user to enter personal information.
While embedded links of the kind outlined above are a serious threat,
more sophisticated fraudsters often resort to using embedded HTML forms
for their attacks. These are particularly of concern and the user is not
able to actually see the URL associated with the submit button included
in an HTML form email. As a result, it is more likely that the casual
user will be enticed by a form-based attack.
Once a bank is notified that legitimate customers are receiving these
kinds of emails, it can attempt to take action to get the fraudster’s
Web site shut down. However, these sites are often in out of the way places
where the authorities may be slow to respond. This provides the window
of opportunity that the fraudster needs to be able to capture enough personal
userid and password information to make the whole episode worth his while.
The process repeats over again with the fraudster trying a different
set of email addresses, slightly different and, if possible, even more
compelling email content.
To summarize, the core technical issues associated with phishing include:
- Internet email source (from) addresses are easily spoofed to make
it appear that email is coming from legitimate sources. - With carefully crafted email content that appears legitimate based
upon graphical images, familiar text, etc., users can be lured into
clicking on links embedded in emails which result in them being taken
to fraudster-operated Web sites where the legitimate user reveals personal
credit card or userid and password information to the fraudster. - For credit card attacks, the fraudster simply uses the credit card
information to make a purchase at an online Web site. For certain other
attacks, the institution accepts the subsequent logon by the fraudster
using their customer’s userid and password as validly having been entered
by the legitimate user, not the fraudster.
Fundamentally, this is all an issue of authentication – of the source
and content of emails. Unfortunately, today’s Internet doesn’t yet provide
widespread low cost availability of techniques that ensure such authentication.
Phishing Countermeasures
Successful phishing countermeasures to date have been based primarily
upon educating users to be careful in how they handle emails that appear
to be coming from legitimate sources. This education generally involves
providing assurance to the user that certain types of information will
not be requested of them via email and asking the user to pay especially
close attention to the content of any email that appears to ask for any
personal information.
Here’s an example of this kind of educational message as posted on one
bank’s Web site:
"xyzbank will never initiate a request for sensitive information
from you via email (i.e., Social Security Number, Personal ID, Password,
PIN or account number). If you receive an email that requests this type
of sensitive information, you should be suspicious of it. We strongly
suggest that you do not share your Personal ID, Password, PIN or account
number with anyone, under any circumstances."
To be effective, banks must ensure that they are sending a clear, concise
and consistent message to customers. For example, banks must not post
announcements claiming to "never prompt users to fill in forms in
an email" one day and then send out a solicitation for online bill
payment the following day, which includes a login form in the email.
Some banks also attempt to educate users how to examine URL’s included
in emails to ensure they are legitimate – although this is a more complicated
technical message to communicate to the general online user. Best practices
dictate that this communication occurs and is reinforced both online in
email and Web site information as well as in printed communication sent
to customers in monthly statements or other materials.
Many banks also include links on their home pages where users can report
suspicious emails having been received. Once institutions receive this
information, they can begin to take action to have any offending Web site
shut down.
Many banks today are working in the dark and must find new ways to become
aware of attacks as quickly as possible, examine the attack scope and
potential damages, and respond accordingly. Clearly a small attack would
not trigger the same response as a widespread attack. Banks need to make
educated decisions following awareness of an attack leading to an appropriate
response based upon the risk assessment. Institutions should not overreact
to isolated attacks and must avoid taking steps such as shutting down
the entire online banking site except when circumstances clearly warrant
such strong measures.
A cross-industry initiative, the Anti-Phishing Working Group(1)
(APWG) has recently been formed to share information about phishing attacks
and to collaborate on possible solutions. The U.S. Federal Trade Commission
has also begun a consumer education campaign on phishing(2).
More systematic approaches to monitoring for potential phishing attacks
are now being introduced. For example, several anti-spam vendors have
recently introduced new capabilities to better protect their clients from
receiving messages containing content (including URL’s) likely to be involved
in phishing attacks. These capabilities both protect an institution’s
internal users from phishing attacks and provide a potential early warning
when a new phishing attack is underway.
Netcraft(3), a Web server monitoring company based
in the U.K., has recently introduced a new "bank fraud detection"
service. Netcraft’s core competency is scanning Web servers to collect
data on the types of server software being used – with some 46 million
Web sites currently being scanned. Using the information gleaned from
those scans, Netcraft has introduced an additional service that examines
the content of those sites and looks for similarities to the content of
legitimate bank sites. In addition, Netcraft monitors domain name registrations
on a daily basis for names similar to legitimate site names to gain an
earlier awareness of names that may be used to build fraudulent sites.
While not eliminating potential fraudulent activities, services like Netcraft’s
should provide institutions with earlier awareness of potential fraudulent
activities. However, it’s important to note that some fraudsters only
"post" the spoofed Web site immediately prior to sending out
the phishing e-mails. In those cases, there would be a low likelihood
that such a scan would detect a spoofed Web site prior to the attack.
The use of digitally signed email is another approach some institutions
are considering. Vendors are developing solutions that would allow the
addition of digital signatures to all outgoing emails sent to customers.
Most (but not all) of the current desktop email clients are capable of
displaying an indication that a valid digital signature is included with
the message. With education, users would learn to look for this indication
and ignore emails without the signature indication. Another current shortcoming
of digitally signed email is that the existing Web-based email providers
(e.g., Hotmail, Yahoo, etc.) generally don’t provide support for digital
signature verification.
The Anti-Phishing Working Group is examining several potential preventative
solutions to minimize phishing attacks. These include strong Web site
authentication, mail server authentication, digitally signed email with
desktop verification, and digitally signed email with gateway verification.
Each of these potential preventative solutions has various pros and cons
associated with them that will require further analysis prior to adoption.
In addition to Netcraft, other vendors are beginning to provide products
that address various aspects of the phishing problem. For example, Cyota,
a New York-based provider of anti-fraud and security solutions for financial
institutions, has announced FraudAction, a managed service that provides
institutions with real-time alerts, risk assessment (such as notifying
the bank of the size, duration, geographic focus, quality and severity
of the attack) and various technical counter-measures designed to reduce
the damage of an attack while increasing the chances of catching the fraudster.
A new Silicon Valley-based company, PassMark Security(4),
has recently introduced a new capability that allows institutions to embed
a personalized image in outgoing emails and on their web site logon pages
to provide a higher level of assurance to the customer that the email
or web site is authentic and not a rogue. Customers are educated by PassMark-issuing
institutions and learn to never enter their password unless they first
see their PassMark. The PassMark approach has several advantages over
other phishing countermeasures including its straightforward ease of use,
no requirement for any client-side software to be installed, and the familiar
and reassuring nature of a personalized image in the form of the PassMark.
Action Plan
Given the rapid growth in phishing attacks that is now underway, Glenbrook
recommends that affected institutions consider the following action plan
to minimize phishing attack exposures to both their customers and to the
institution:
- Responsibility. Clearly define institution-wide responsibility
for dealing with phishing attacks. Consider establishing a cross-organization
"anti-phishing" task force – or "breach brigade"(5)
– that includes representatives from security, privacy, I/T, customer
service, human resources and product/service management. - Assessment. Many institutions need to initially complete an
internal assessment of their own use of outbound emails – before they
can properly assess the correct control procedures and customer information
awareness policies. It is not uncommon to learn that emails to customers
are being generated from multiple places within the institution. - Establish Email Policies. Institution-wide policies and practices
must be established regarding the specific form and content of all outbound
customer emails. This is critical to properly educating customers about
what to expect in emails received from the institution. - Awareness. Join the Anti-Phishing Working Group and utilize
the group’s member resources to become educated and aware of current
phishing attacks, potential countermeasures, sharing of threat information,
etc. - Education – Internal. Ensure all customer-facing personnel
are aware of the potential risks associated with phishing attacks, how
they work, and specific guidance to be provided to customers should
they inquire about an attack. - Education – Customers. Provide customers with printed and Web-based
information about phishing attacks including informing them of your
institution’s specific practices with respect to use of email, what
they can do to minimize their risk, and how they should report suspicious
email they receive. Consider removing all links from your customer email
– and educating customers that you’ve done so. Require them to come
back to your Web site directly – without clicking on a link embedded
in an email – to eliminate the rogue link opportunity for the fraudster.
Most importantly, be clear and consistent in all customer messaging
about the issue. - Security. Ensure that databases containing customer email address
information is suitably protected against potential abuse by fraudulent
employees or service providers. - Threat Monitoring. If not already underway, ensure that all
new domain name registrations are reviewed on a daily basis for names
similar to any of your institution’s trademarks or service names and
take appropriate action with registrars to have them invalidated. Consider
subscribing to a Web monitoring service that continuously scans Web
sites looking for content and images similar to that used on your institution’s
Web sites – with a particular focus on all pages where consumers may
login. Another early alert technique to new attacks is to ensure that
your corporate email is monitored for emails that bounce as fraudsters
may use one of your corporate domains as the from address in their phishing
attacks. - Incident Response. Prepare "what-if" scenarios in
advance. As they already do with many other potential risk scenarios,
banks should work out and test action plans in advance of an actual
attack rather than invent "on the fly." The reaction must
fit the potential risk of the attack – with a spectrum of potential
responses being defined and ready to go once an attack is underway and
the potential risk level has been assessed. - Increased Risk Management Focus. To attempt to catch fraudsters
who have successfully captured personal information, consider whether
there are certain behavioral patterns than can be monitored for on your
sites that would trigger a potential fraud alert and review. For example,
a first time wire transfer request or change of address followed by
certain other suspicious transactions. Review your use of outbound confirmation
emails to customers as a potential alert or confirmation mechanism for
their use. - Use of New Technologies. Consider the use of new technologies
– in particular, making use of PassMarks to secure all web logon pages
and all outbound emails to customers. Evaluate whether there is any
additional benefit over and above the use of PassMarks from also using
digital signatures on all outgoing customer emails. - Examine Industry-Wide Initiatives. There are opportunities
for institutions to share best practices and consolidated response strategies
for dealing with phishing attacks. For example, a best practice around
aggressively contacting ISP’s anywhere in the world to get a rogue site
shut down might best be coordinated on an industry-wide basis. Similarly,
incident reporting could be handled on a consolidated basis. Otherwise,
each institution must build its own incident reporting and response
capability – meaning each institution individually has to experience
its own learning curve in the process.
This action plan overview provides the initial basis for the development
of a comprehensive action plan that institutions need to implement to
secure themselves and their customers against phishing attacks.
Online merchants, who bear the liability for almost all online credit
card fraud, can expect to see an upsurge in attempts to use valid credit
card numbers obtained through phishing attacks. The usual countermeasures
(address verification, CVV, etc.) provide incomplete protection given
that the attack may have resulted in the legitimate cardholder also providing
that information to the fraudster. Visa and MasterCard have both introduced
payer authentication services that protect merchants from liability for
fraudulent transactions(6). Online merchants may want
to consider their plans to deploy these services if an uptick in fraud
is recognized. Unfortunately, months typically elapse before fraud is
identified by the legitimate cardholder so the ability to respond quickly
is difficult.
Conclusion
Phishing is just the latest in a long list of fraudster techniques that
attempt to gain access to personal information and financial resources.
By exploiting the combination of current technological weaknesses coupled
with a general lack of awareness by consumers, fraudsters are succeeding
at an alarming rate.
Institutions must begin now to implement their action plans to deal with
these attacks beginning first with education followed by increased risk
management attention and the deployment of new technologies to better
deal with these threats.
The new PassMark Security solution, in particular, seems worthy of a
close examination by financial institutions. PassMark allows them to begin
immediately taking proactive steps with both customers and employees to
raise the level of awareness and trust leading to significantly lower
risks from the current generation of phishing attacks.
Looking ahead, institutions must remain vigilant and attentive to how
the current phishing threats evolve. Criminal activity always goes through
this evolution as it seeks those points and institutions of greatest vulnerability.
References
[1] Anti-Phishing Working Group, see: http://www.antiphishing.org/
[2] FTC, see: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
[3] Netcraft, see: http://www.netcraft.com/
[4] PassMark Security, see: http://www.passmarksecurity.com/
[5] "Breach Brigade", see http://www.csoonline.com/read/020104/response.html
[6] See: http://www.visa.com/verified/
and http://www.mastercard.com/securecode/
for more information about these payer authentication services.
Acknowledgements
My partners at Glenbrook (Carol Coye Benson, Dennis Moser, Russ Jones,
and Allen Weinberg) made significant contributions to this paper. Bryan
Derman, Mark Goines and Bill Harris (both of PassMark Security), David
Jevans (Tumbleweed) and Naftali Bennett (Cyota) were also very helpful
in its preparation.
Publication History
Initial Publication Date: February 23, 2004
