Phishing: When is a login not a login?
If you are in the business of hosting a platform that requires users to log in and supply personal information, your biggest challenge is reacting to attacks that use your branding as bait. Helping your users identify your legitimate platform using certificates and enhanced authentication protocols is essential.
Phishing is not new. The first phishing attack we recognise as the groundbreaker was in 1996, although the concept for this type of attack had been documented for around eight years beforehand. Today, phishing attacks are a ubiquitous part of the Internet and obviously a healthy source of user credentials, and income, for the criminals that leverage them.
Getting a user's credentials is always a good day at the office in the criminal underworld of phishing. I really do mean "at the office" too: many of the gangs that use phishing attacks are set up like small businesses, with offices, water coolers and summer outings. That shouldn't be a surprise when you think how successful this type of attack can be, and how much 'revenue' can be generated in one hit. A particularly large haul netted $1.5 million in 2009.
The primary target for phishing attacks has always been credentials for financial sites. Take PayPal as an example: over 100 million active accounts, high liquidity, bank and credit card details instantly available, and money that can be sent to another email address with little authentication. But PayPal is no longer enough; almost every site that contains personal or financial information has been a target, and even the IRS has been used as bait.
It used to be easy to spot phishing attacks directed at PayPal users: the URL would point to Paypol or similar, and the writing style of the email made it obvious the sender wasn't a native English speaker. However, today's attacks are much slicker, very well crafted and often convincing enough. Often the URL is manipulated to make the reader think they are visiting one site (http://www.google.com, say) when in fact they are directed to another. Look-alike website forgery is used too, creating an identical copy of a website at a near-accurate URL such as www.yourbank.attacker.com, where the brand name is only a subdomain of a domain the attacker controls. As I said: "convincing enough."
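As an added illustration (not code from the original article), the following Python check parses the hostname out of a URL and flags the two patterns just described: the brand name sitting as a subdomain of somebody else's registrable domain (www.yourbank.attacker.com) and a typosquatted domain a few characters away from the real one (Paypol). The list of legitimate domains and the simple "last two labels" rule for the registrable domain are assumptions made for the example; a production check would use the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed allow-list for the brands being protected (example values).
LEGITIMATE_DOMAINS = {"yourbank.com", "paypal.com"}
BRAND_TOKENS = {d.split(".")[0] for d in LEGITIMATE_DOMAINS}
LOOKALIKE_THRESHOLD = 2  # max edit distance still treated as a look-alike


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname (assumption: no multi-label
    public suffixes such as co.uk; use the Public Suffix List for those)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Classify a URL as legitimate, brand-in-other-domain, look-alike,
    unrelated or invalid, judging only by the parsed hostname."""
    if "//" not in url:  # bare host like www.example.com
        url = "http://" + url
    host = urlparse(url).hostname
    if host is None:
        return "invalid"
    host = host.lower()
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    second_level = reg.split(".")[0]
    for brand in BRAND_TOKENS:
        # Brand name present anywhere in a host we do not own.
        if brand in host:
            return "brand-in-other-domain"
        # Domain that differs from the brand by a couple of characters.
        if edit_distance(brand, second_level) <= LOOKALIKE_THRESHOLD:
            return "look-alike"
    return "unrelated"
```

The verdict is based on the hostname the browser will actually connect to, which is what users should be taught to read, rather than on any text that merely appears in the link.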
More worryingly, businesses have had to respond to the challenge of directed attacks, known as Spear Phishing and Puddle Phishing, whereby the attacker chooses a specific organization to target. Any site with a login prompt of value is now a target, especially if the same login credentials can be used at other sites.
The risk to an organization from a Spear Phishing attack is significantly greater because corporate intellectual property could be at risk, as well as long-term access to internal systems if the attack goes undetected. It is this that administrators fear the most, and it is the idea that underpins the Advanced Persistent Threat (APT): persistent because we haven't detected the intruder yet.
Protecting your business against phishing means using a variety of tactics. Good perimeter security combined with up-to-date browser and desktop security apps is a given. Educating your users to double-check URLs before they click on them adds a smart social protection too. Remember too that no one is beyond the reach of these attacks: there is a form of phishing called Whaling that specifically targets high-level or C-suite executives. Educating those users might be a challenge now, but it is much less of a problem than cleaning up after an exploitation. End user training and awareness is now big business, both commercially and DIY.
We can all help too: if you stumble across an odd-looking website, verify it or submit it to a service like PhishTank. Stay safe out there.