Phishing is as lucrative as it is prolific. According to the latest official figures from UK payments body, APACS, phishing scams and Trojan keystroke loggers were behind UK online bank fraud totalling £12m in 2004.
It comes as no surprise, then, that the Anti-Phishing Working Group reports the number of phishing emails has increased by 4,000 percent since December 2003; while email security firm, BlackSpider Technologies, estimates that nearly 7 million phishing emails have been sent across the UK in the last month alone.
So, how are phishers relieving us of our savings? And, moreover, what is being done to counter the burgeoning threat?
As with virus writers, phishers are adopting increasingly sophisticated methods. There are essentially three ways that phishers perpetrate their scams. The first and most common is social engineering: duping recipients into divulging their login names and passwords. Typically, this is done by encouraging users to click on a link in a bogus email which takes them to a fraudulent website that mimics that of their own bank.
When creating a false environment, phishers will typically forge an email purporting to be from your bank, asking you to re-register or re-confirm personal details. For example: ‘We apologise for service being down over the weekend. Normal service is now resumed. Please re-confirm your details’. They can redirect you to a URL that looks as though it's that of your bank, and the phisher’s attention to detail can mean these fake websites are incredibly realistic.
The second method is to use Trojans, which are planted on the recipient’s computer, and operate by either capturing keystrokes or taking screen shots of targeted areas of the bank’s security page. With the user’s passwords and personal information unwittingly revealed, the phisher is free to empty the account.
Gaining passwords from banks that use variable password entry (asking for only some characters of the password at each login) is harder, but not impossible. If the Trojan sits on a PC for a period of time and you use your online bank regularly, the phisher can piece together the captured characters and therefore your password.
The final method is a ‘Man in the Middle’ attack, whereby phishers do not even need to capture logon details, but instead act as a tunnel between the user and the real bank website, communicating data between the two. When a user is logged on, so is the phisher, who can stay logged on after the real user has left the site. They can then transfer money at whim.
The pervasive nature of email, coupled with developments in technology, means that phishing is a serious issue for businesses, too. The proliferation of the mobile worker represents to the phisher an expansive route to confidential, and potentially lucrative, business information. If an employee, working from home, clicks on a link in a phishing email, the phisher’s malware could propagate when the infected laptop is later connected to the corporate network.
With banks currently picking up the tab for most phishing scams, it is curious that they continue to compound the problem, using online systems that conflict with the advice they are giving to their customers. For example, despite warnings not to break the golden rule of clicking on links in emails, some banks are asking their customers to do just that: Egg still sends out a monthly statement to customers that includes a link to their secure login.
However, there are measures that banks can implement to thwart the phishers. The effect of Trojans can be curbed by using a mixture of randomised letters and numbers for customers’ password login; and by using drop-down boxes for field entry, making it much more difficult for phishers to ‘read’ passwords.
‘Man in the Middle’ attacks can be countered by limiting log-on time, and by 'Intrusion Detection': a system that monitors the IP addresses connecting to the bank's website to identify those that connect most frequently. ‘Man in the Middle’ attacks cannot currently be prevented entirely by any security measure, but they can, to an extent, be mitigated by the Intrusion Detection approach.
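One concrete form of the Intrusion Detection idea above, written as an added example (it is not BlackSpider's product nor any bank's system): a relay host sits between many victims and the bank, so on the bank's own login log it appears as a single source address reaching an unusual number of different accounts in a short time. The log format, addresses and account numbers below are constructed for the example; the script parses the lines, counts distinct accounts per source address in a sliding window and flags the addresses over a threshold for review.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a bank's login log (timestamp, source IP, account, result).
# The addresses are documentation ranges and the account numbers are made up.
SAMPLE_LOG = """\
2005-03-01T09:00:01 203.0.113.7 acct=10445 login=ok
2005-03-01T09:00:05 198.51.100.22 acct=20991 login=ok
2005-03-01T09:02:10 203.0.113.7 acct=30177 login=ok
2005-03-01T09:03:44 203.0.113.7 acct=41820 login=ok
2005-03-01T09:04:20 203.0.113.7 acct=41820 login=fail
2005-03-01T09:05:00 192.0.2.9 acct=10445 login=ok
2005-03-01T09:07:31 203.0.113.7 acct=55512 login=ok
2005-03-01T10:30:00 198.51.100.22 acct=20991 login=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) acct=(\d+) login=(\w+)$")


def parse_log(text):
    """Yield (timestamp, ip, account, success) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, acct, result = m.groups()
        yield datetime.fromisoformat(ts), ip, acct, result == "ok"


def suspicious_sources(records, window=timedelta(minutes=15), threshold=3):
    """Return (flagged, peak): peak maps each IP to the largest number of distinct
    accounts it logged into within any `window`; flagged is the subset at or
    above `threshold`.  A relay host serves many victims at once, so it shows
    up as one address reaching many accounts in a short time."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in records:
        if ok:                       # only successful logins matter here
            by_ip[ip].append((ts, acct))
    peak = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # distinct accounts seen from this IP in [start, start + window]
            seen = {acct for ts, acct in events[i:] if ts - start <= window}
            best = max(best, len(seen))
        peak[ip] = best
    flagged = {ip: n for ip, n in peak.items() if n >= threshold}
    return flagged, peak


if __name__ == "__main__":
    flagged, peak = suspicious_sources(parse_log(SAMPLE_LOG))
    for ip, n in sorted(peak.items()):
        mark = "REVIEW" if ip in flagged else "ok"
        print(f"{ip:15} distinct accounts in window: {n}  {mark}")
```

The threshold and window are tuning knobs: a large corporate proxy or an ISP's shared NAT address also fronts many genuine customers, so the output is a queue for a fraud analyst rather than an automatic block.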
The most cost-effective and reasonably secure way for banks to allow their customers to access their accounts online is to use multiple passwords, or a PIN followed by a password. At least one of these should not be requested in full (e.g. 'please enter letters 2 and 5 of your password’), and they should be entered via a drop-down box. Barclays and Lloyds are both good examples of banks which do this. Banks should also require a combination of letters and numbers in a password; this makes it much harder for keystroke Trojans to work out the password.
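The server side of the 'letters 2 and 5' step, as an added example that is not code from the original article or from any bank: each login gets a fresh random pair of positions, the customer's drop-down choices are checked against those positions only, and a pair of answers captured at one login does not satisfy the next challenge. The password and the class and function names are constructed for the example. The `simulate_exposure` function illustrates the caveat made earlier in the article: an observer who watches enough logins eventually sees every position, so this scheme raises the cost of a keystroke logger rather than defeating it. Note that checking individual characters means the bank must store the secret in a form that allows per-character comparison, which is the trade-off this scheme makes against a one-way hash of the whole password.

```python
import hmac
import random
import secrets
from typing import Sequence

# Constructed sample secret; a real system holds one per customer.
SAMPLE_SECRET = "tr0ub4dor9x"


class PartialPasswordChallenge:
    """Server side of a 'please enter characters 2 and 5 of your password' step."""

    def __init__(self, secret: str, chars_per_challenge: int = 2, rng=None):
        if not 0 < chars_per_challenge < len(secret):
            raise ValueError("challenge must ask for some, but not all, characters")
        self._secret = secret
        self._k = chars_per_challenge
        # secrets.SystemRandom in production; an injectable rng keeps simulations repeatable
        self._rng = rng if rng is not None else secrets.SystemRandom()

    def new_challenge(self) -> list:
        """Pick k distinct 1-based positions; a new set for every login attempt."""
        return sorted(self._rng.sample(range(1, len(self._secret) + 1), self._k))

    def verify(self, positions: Sequence[int], answers: Sequence[str]) -> bool:
        """Check the characters chosen from drop-down boxes against the stored secret."""
        if len(positions) != self._k or len(answers) != self._k:
            return False
        if len(set(positions)) != self._k:            # reject repeated positions
            return False
        if any(not 1 <= p <= len(self._secret) for p in positions):
            return False
        if any(len(a) != 1 for a in answers):         # one character per box
            return False
        expected = "".join(self._secret[p - 1] for p in positions)
        # constant-time comparison so response timing does not leak partial matches
        return hmac.compare_digest(expected.encode(), "".join(answers).encode())


def simulate_exposure(secret: str, logins: int, seed: int = 0) -> int:
    """How many distinct positions an observer of `logins` successful logins
    would have seen.  Shows why a keystroke logger left in place for long
    enough still pieces the whole password together."""
    challenger = PartialPasswordChallenge(secret, rng=random.Random(seed))
    seen = set()
    for _ in range(logins):
        seen.update(challenger.new_challenge())
    return len(seen)


if __name__ == "__main__":
    c = PartialPasswordChallenge(SAMPLE_SECRET)
    positions = c.new_challenge()
    answers = [SAMPLE_SECRET[p - 1] for p in positions]     # what the customer would pick
    print("challenge", positions, "-> accepted:", c.verify(positions, answers))
    for n in (1, 5, 20, 100):
        print(f"positions exposed after {n:3} observed logins: "
              f"{simulate_exposure(SAMPLE_SECRET, n)} of {len(SAMPLE_SECRET)}")
```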
The ideal solution to the problem is 'two-factor' authentication. For example, the user has a password or PIN, together with a random number generated by a token, such as a small key fob or credit-card-sized device, which changes approximately every 30 seconds. The random number is synchronised with the server you are logging into. Both factors are required for authentication, so if you lose the key fob it can't be used without your PIN, and vice versa. Such tokens foil key-loggers because, although the phisher can steal your password, he or she will only have the random number generated the last time you logged on, not the most recently updated number.
For banks, however, the expense of issuing their customers with key fobs, and replacing lost or broken ones, is likely to prove too costly. A cheaper alternative would be to issue the random number via another medium, such as SMS, each time the user logs on.
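The time-synchronised token scheme described above, as an added example rather than the article's own material or any vendor's product: the fob and the server share a secret, the displayed number is an HMAC of the current 30-second step (the construction later standardised in RFC 6238), and the server demands the PIN and the current number together. The secret, PIN, salt and class names are constructed for the example. Two details a practitioner would want beyond the article's description are included: a one-step clock-drift allowance, and a record of the last accepted step so that a number a key-logger captured cannot be replayed even inside its own 30-second window. The same server logic applies to a number delivered by SMS; only the transport of the code differs.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # the fob shows a new number roughly every 30 seconds
DIGITS = 6
DRIFT_STEPS = 1          # tolerate the fob's clock being one step ahead or behind

# Constructed sample values: the shared secret is burned into the fob and held by the server.
SAMPLE_SECRET = b"constructed-shared-secret-for-fob-0001"
SAMPLE_PIN = "4321"


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Number the fob displays at `unix_time`: HMAC-SHA1 of the current time step,
    dynamically truncated to `digits` decimal digits (RFC 6238 style)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenServer:
    """Server side: requires PIN *and* the current token number, and refuses a
    time step that has already been accepted, so a captured number is single-use."""

    def __init__(self, secret: bytes, pin: str, drift_steps: int = DRIFT_STEPS):
        self._secret = secret
        self._salt = b"constructed-salt"     # a per-customer random salt in practice
        self._pin_hash = _pin_hash(pin, self._salt)
        self._drift = drift_steps
        self._last_counter = -1               # highest time step already consumed

    def authenticate(self, pin: str, code: str, unix_time: int) -> bool:
        pin_ok = hmac.compare_digest(self._pin_hash, _pin_hash(pin, self._salt))
        now = unix_time // STEP_SECONDS
        code_ok, matched = False, None
        for counter in range(now - self._drift, now + self._drift + 1):
            if counter <= self._last_counter:
                continue                      # this step was already used: replay
            expected = token_code(self._secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                code_ok, matched = True, counter
        # both factors are evaluated before deciding, so a wrong PIN fails like a wrong code
        if pin_ok and code_ok:
            self._last_counter = matched
            return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    server = TokenServer(SAMPLE_SECRET, SAMPLE_PIN)
    code = token_code(SAMPLE_SECRET, now)
    print("fob shows", code)
    print("PIN + current code:", server.authenticate(SAMPLE_PIN, code, now))
    print("same code again:  ", server.authenticate(SAMPLE_PIN, code, now + 5))
    print("stale code later: ", server.authenticate(SAMPLE_PIN, code, now + 120))
```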
There is no single solution to the growing problem of phishing. Filtering techniques and legislation go some way to limiting the damage, but the most effective weapon against phishers is educating PC users and online customers, for which banks have a responsibility to take an active role.
2004 was the year that phishing announced its arrival to the IT world. And with spammers and virus writers combining their efforts for pecuniary gain, the propagation of phishing emails shows no sign of abating.
John Cheney, CEO of email security company, BlackSpider Technologies, looks at the problem and what can be done to limit its effects.