From phishing scams to pharming
(28/11/2008)
Recent press abounds with new, ‘innovative’ spam and phishing attacks. For years it was just email that organisations had to fear, but this has changed rapidly with attacks now appearing from all directions. Instant messaging, message boards, blogs and, of course, social networks are now all prime spam and phishing waters.
In November, for example, the press recognised the true scale of Facebook as a phishing medium and the increasing number of users being targeted through hijacked accounts. With more of these communication media being used within the workplace on a daily basis, it’s important that companies wise up to the messaging threat and do it fast.
But where are these attacks coming from and why are they growing so rapidly? It takes a lot of effort to produce these types of messages, yet there are still so many out there that it is obviously worth the effort. The site reputationauthority.org tracked over 15 billion individual message threats last month alone. Spamming and phishing have now become multi-billion dollar industries.
Indeed, the scale of illegitimate business opportunities presented by spam has now ensured that over 75 percent of all emails created are now unwanted by recipients. According to US analyst firm Gartner, 3.6 million US citizens were victims of phishing scams in 2007 resulting in 3.2 billion dollars being lost. This is an increase of over 50 percent from 2006 and the UK will not be far behind.
The evolution of messaging threats has been a long, drawn-out, white knuckle ride of the worst kind. From the first spam message, way back in 1978, to the latest underhanded phishing attacks, the ride has been painful and costly for many organisations and individuals. Over the years the tricks and exploits of spammers have continually morphed and evolved to sidestep security systems. Likewise, security gurus have moved to counteract them in an interminable game of internet cat and mouse. But what are the current biggest risks presented by malicious messaging, and what can be done to protect an organisation from the deluge of emails it receives on a daily basis?
The first spam message ever was reported to be sent from DEC to promote its new computer to the ARPANET community. Since then spam, and consequently phishing, has evolved at a rapid rate, moving on to HTML and image-based emails to create more ‘attractive’ and more believable malicious emails.
In tandem, security methods have developed and improved to meet the ever increasing spam challenge. Textual analysis, weighted word lists, frequency analyses, and more recently innovative IP reputation systems continue to fight a stealth war for the nation’s inboxes.
So just when it seemed all possible avenues had been exploited by spammers, a deluge of new malicious messaging possibilities has appeared. The ongoing change in the way people communicate, the use of instant messaging, social networks, Web 2.0 tools (Flickr, Twitter, blogs) and various types of mobile devices present almost infinite new possibilities for both spamming and phishing. With the increasing use of new communication channels by staff, it is essential that the modern organisation be apprised of the current threats and what it must do to protect itself. Some of the current big dangers include:
• Web 2.0 attacks are very similar to normal phishing scams: either an email or a post on an account tries to entice the user to click on a link, which leads to a fake site with a log-in. Once the attacker has the log-in information, they can use the name of the user and the account details to virally propagate the attack. Friends will receive a ‘legitimate’ message from the user, which is usually much more believable than an unsolicited spam message. Users of these sites can easily be duped because messages are perceived in a trusting way. Also, the information to be found within a social network can lead on to further and more costly identity theft for the user and their friends.
• ‘Pharming’ is a method by which someone types a valid address into a browser and is directed to the wrong site. This is done through ‘malware’ delivered to a computer through email, IM, bad applications and the like. This malicious programme misdirects users to fraudulent websites without their knowledge. In pharming, larger numbers of computer users can be compromised easily through group attacks. Also, no actual persuasion in the form of a spam email is needed, which makes conning people much easier.
• Another pharming tactic is known as domain name system poisoning (DNS poisoning), in which it is an ISP’s server that is modified, meaning that users can be redirected to malicious sites without ever rousing suspicion. The danger in this case is that the problem cannot be fixed locally using spyware removal tools. The method is a great money spinner for phishers if they have the technical skill to set it up. Millions of website requests may be routed through the same server each day, making revenues potentially massive.
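The two pharming paths described above can each be checked from the defender's side. The following is an added example, not part of the original article: it audits a local hosts file (assumed here as the place a local redirect would show up, which the article does not name) and compares resolver answers against a pinned set of expected addresses. All names, addresses and resolver labels are constructed sample data.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, hypothetical names.
PINNED = {"bank.example": {"192.0.2.10", "192.0.2.11"}}
SAMPLE_HOSTS = """\
127.0.0.1   localhost
203.0.113.66  bank.example www.bank.example   # unexpected override
::1         localhost ip6-localhost
not-an-ip   bank.example
"""
SAMPLE_ANSWERS = {"isp_resolver": {"bank.example": {"198.51.100.7"}},
                  "reference_resolver": {"bank.example": {"192.0.2.10"}}}

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and malformed lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")

def watched(name, pinned):
    """Return the pinned domain that `name` equals or is a subdomain of."""
    for domain in pinned:
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def audit_hosts(text, pinned=PINNED):
    """Local check: hosts entries that point a watched domain somewhere unexpected."""
    hits = ((name, addr, watched(name, pinned)) for addr, name in parse_hosts(text))
    return [(n, a) for n, a, d in hits if d and a not in pinned[d]]

def audit_resolvers(answers, pinned=PINNED):
    """Upstream check: answers sharing nothing with the pinned set (a lead, not proof)."""
    findings = []
    for resolver, names in sorted(answers.items()):
        for name, addrs in sorted(names.items()):
            domain = watched(name, pinned)
            if domain and not (addrs & pinned[domain]):
                findings.append((resolver, name, sorted(addrs)))
    return findings
```

A resolver mismatch is a prompt to investigate rather than a verdict, since sites served from several locations can legitimately return different addresses to different resolvers.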
With the huge volume of attacks happening every day and the multitude of different tactics used by spammers, the onus is clearly on individuals and organisations to protect themselves. Organisations must make sure that good firewalls, anti-spyware and anti-virus software are installed. They must also make sure that staff become more savvy about what is out there, wise up to the new and evolving techniques being used by malicious messengers, and keep up to date on the latest big threats.
Unfortunately the number of attacks is growing, and attacks are increasingly being targeted at specific organisations or groups of individuals (Abbey, Alliance & Leicester, Bank of Scotland etc). Spam used to be a blanket approach of spreading marketing messages; today spam is that and much, much more.
The possibility of staff being targeted increases day by day and organisations must react appropriately. Companies shouldn’t start banning employees from Web 2.0 or implementing draconian messaging security policies; they must simply be as prepared as possible when it comes to security.


