Despite the dangers of phishing becoming increasingly predominant in the news, a new generation of phishing frauds are steadily wreaking havoc on businesses.
Heard about the scam where a fake email is sent to your account posing as your bank or credit card provider? So have most people; but the number of phishing emails (as this particular scam is known) continues to rise at a shocking rate. A copycat website opens as soon as one closes - so much so, that phishing now represents the biggest form of online identity theft.
Putting this into context, the Anti-Phishing Working Group (www.antiphishing.org), the industry resource for information on phishing and email fraud, reported over 1,900 unique phishing attacks in July alone, representing an increase of 19% on the previous month.
In its most basic form, phishing works by using spoofed e-mails and fraudulent web sites that appear to come from trusted institutions, such as e-commerce and financial sites, which are designed to dupe recipients into divulging confidential information – such as credit card details or online banking passwords.
The rapid development and sophistication of such attacks means the concept of phishing is now not limited to simply using email as the attack tool. There have been many cases citing web-browser hijacking, instant messaging and automatic pop-ups through to mediums such as fax, phone calls, and even regular post!
These "next-generation" attacks are using blended methods that use social engineering psychology (playing on people's fears and motivations) together with application and operating system vulnerabilities to run malicious code locally on users' PCs. Keyloggers can now be programmed with behaviour mechanisms to wait until users access real websites to start logging keystrokes, take screen captures and send them out. To make matters worse, this is all conducted invisibly, without users ever realising they have been victims of phishing, until they check their financial statements and receive an unpleasant surprise.
These new phishing attacks carry the potential of affecting far more people than the original recipient. For example, an employee working at home on their company laptop receiving a phishing email clicks on a link. When they bring their laptop back into the office, they could then infect other computers when the laptop is reconnected to the network. If a large number of employees are accessing their bank details online, this offers potentially massive spending power for hackers. It also could compromise a company's own finances and confidential information.
Seen in this light, phishing is a real security threat for businesses today and one that needs addressing quickly and efficiently. But the question is how?
Unfortunately, even guaranteeing that an organisation is up-to-date with the latest security patches is not enough to prevent an attack. Anti-spam software fails to offer a guaranteed method of protection, since the words and phrases used in the fake web address often appear to be from a normal bank and might escape through the filter. In addition, such software places an extra burden on the shoulders of the administrative team, since they need to undertake the cumbersome tasks of checking every URL entering the firewall and creating a database of those that contain harmful malware applications or viruses.
Additionally, traditional applications put the onus on employees to realise a security breach. With increasingly developed scams this process needs to be completely automated, notifying the network administrator to cut the threat off at the source.
As hackers continue to discover ways to bypass current email and spam filters, only a layered approach at the internet and desktop levels to block access to these deceptive phishing tactics will prove effective in this battle. This has the dual benefit of preventing employees from accessing counterfeit websites via phishing attacks and, failing this, protects the corporate network from becoming infected by another machine.
In a worst-case scenario, such applications will prevent malware from running, providing a vital window of opportunity for network administrators to send out security updates to other PCs and servers.
Companies need to enforce an internet usage policy that prevents the use of unauthorised applications from launching on the employee desktop. For example, if an email were to bypass spam filters and an employee tried to launch a fraudulent application, the enforced policy would recognise this request and terminate the application on the desktop before it can cause harm.
By blocking any unknown security threats and only allowing approved applications to run on corporate PCs and servers, this enables IT departments to customise policies based on existing user and group network definitions enabling a system that offers protection without restricting employee productivity.
All it takes is one employee to succumb to a phishing scam and all of a sudden confidential business passwords are in the hands of a hacker, putting at risk the intellectual capital of the business. Companies need to recognise that it is human nature to respond to a request from what appears to be a trusted recipient, even though it is actually a phishing scam, therefore companies need to take this onus away from employees and, as much as they can, block access to these dangerous sites.
As phishing scams develop in sophistication and style, companies should no longer rely on just their employees' vigilance to stop these attacks impacting business as well as compromising personal employee information. By automating the process as much as possible to keep up-to-date with new forms of phishing attacks, companies can simply 'mind their own business'.
Mark Murtagh is Technical Director EMEA at Websense.
