Last updated July 15, 2008


Filling Inboxes: Viruses, Spam, Phishing Scams

February 2, 2004 - There are two kinds of e-mail problems brokerages will face in 2004. There are the ones with known, though not perfect, solutions: spam, viruses, and those annoying misspelled e-mails to customers that ask for their account information.

They can be dealt with through education, with antivirus software, and with spam blockers.

Even when spammers set up fake login sites that look just like yours, you can warn your customers to check the addresses carefully before giving away login information, and you can act quickly to shut down the sites when they appear.

But recently, a new kind of spoofing attack has shown up, and there's no clear way to protect against it--yet.

Here's a typical scenario for what is known as "phishing". You're a customer of a major brokerage. You get an e-mail, with the same return address you're used to seeing from your brokerage. The e-mail tells you that your broker has a special offer for you, or that there's a new message waiting for you, or that your statement has arrived. It gives you a link to click on, which takes you to a real-looking URL.

But the e-mail is a fake, and the URL is a fake as well, showing one thing in your browser window but taking you some place else entirely.

Once you enter your login information, you may even be shuttled back to your broker's real site, never knowing that your account has been compromised.

"There's been a huge rash of that recently," said Michael Overly, a partner in the e-business and information technology group at Foley & Lardner, a Milwaukee-based law firm. "And it looks official. We had an instance where we saw an e-mail that had been spoofed from a bank and sent to thousands and thousands of people, so that it hits some people who use that bank. It looks really realistic, professionally done. I would challenge the employees of that bank to tell that it didn't come from them."

When you combine spoofed e-mails and disguised Web sites, you hit the cutting edge of what you can protect against, Overly added.

"Someone recently took a well-known broker with lots of very sophisticated clients and set up a fake login site and was harvesting passwords and user IDs," he said. "The perpetrators were in a foreign country, which is relatively common. And no amount of end-user training would help. I get official offers all the time that take me directly to a Web site for a login."

Everybody Hurts
It's unrealistic to ask customers to ignore all communication that purports to come from your company, or to type in every URL themselves and manually navigate through to their special offers, new research reports or other destinations. Companies that have publicly acknowledged being hit by phishing attacks include U.S. Bank, Citibank, Lloyds and Barclays.

"I don't know of a large retail bank or brokerage that hasn't been attacked," said Scott Olechowski, VP of product strategy at PostX Corp., an e-mail security company that counts ABN Amro, Charles Schwab & Co., and J.P. Morgan Chase among its customers.

The phishing problem escalated recently because of a newly discovered bug in Microsoft Internet Explorer that allows URL truncation. That means that the URL displayed in the address bar looks exactly like that of the real Web site, but the actual address is something else entirely. The bug was discovered in December but still has not been fixed.

If Microsoft decides not to release the patch until its next security bulletin, users will have to wait until at least Feb. 10 for a solution.

"That's actually the biggest and scariest problem for companies that are sending out legitimate mail," said Matthew Prince, CEO at Unspam, an anti-spam consultancy. "It's a really difficult problem to solve. Hopefully, Microsoft will release a security patch to solve this problem."

Prince added that Microsoft is shielded from liability by the terms of its licenses. "But this is one of those issues where a court could say: 'You really should have fixed this a lot faster.'"

Meanwhile, one step that some financial firms are considering taking is supporting digitally signed e-mails. Since most consumer e-mail programs don't currently support digital signatures, this would require that customers download a special plug-in that does the job.

The way the plug-in will work is by monitoring all incoming e-mails. If an e-mail looks as though it comes from, say, Merrill Lynch, it will check to see if it's digitally signed by that brokerage. If the digital signature doesn't check out, users will be warned that the e-mail is a fake.

The plug-in will look at return addresses and the body of the e-mail itself for clues, said Olechowski. His company is developing the plug-in for a group of financial firms and expects it to be ready in the second quarter.

Like an antivirus program, the plug-in will update itself on a regular basis to stay current with the latest threats.
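As an added example, not code from the article or from PostX, here is a small Python check in the spirit of the plug-in described above. It implements only the return-address and body clues, not the digital-signature verification itself: the brand list, the sample message and the hypothetical check_message function are constructed for illustration, and the check flags links whose visible text names one host while the href actually resolves to another (including the user-info-before-@ form, which hides the real host).

```python
import email
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"examplebroker.com"}  # constructed placeholder: brands we vouch for

class LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def real_host(url):
    """Host the browser really connects to: urlparse treats text before '@' as user-info."""
    return (urlparse(url).hostname or "").lower()

def check_message(raw):
    """Warnings for one raw message: a protected sender whose links point somewhere else."""
    msg = email.message_from_string(raw, policy=default)
    if msg["From"].addresses[0].domain.lower() not in PROTECTED_DOMAINS:
        return []  # not a brand we vouch for; nothing to compare against
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    warnings = []
    for href, text in parser.links:
        target = real_host(href)
        if urlparse(href).username is not None:
            warnings.append(f"user-info hides the real host in {href}")
        if "." in text and " " not in text:  # visible text looks like a domain or URL
            shown = real_host(text if "://" in text else "http://" + text)
            if shown != target:
                warnings.append(f"link shows {shown} but goes to {target}")
    return warnings

# Constructed sample: a spoofed statement notice, not a real message.
SAMPLE = """From: Example Broker <alerts@examplebroker.com>
Content-Type: text/html; charset="utf-8"

<a href="http://www.examplebroker.com@203.0.113.5/login">www.examplebroker.com</a>"""
```

A real deployment would also verify the brokerage's signature on the message, which this snippet deliberately leaves out.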

"We've heard off the record from some of our customers that they just feel completely helpless," he said. "We're totally focused on this and our biggest initiative this year will be to address this problem."

Lee Blackmore, director of IT at Stifel, Nicolaus & Co., said he will investigate both the regulatory and the digital signature approaches to solving the problem.

According to Blackmore, Stifel Nicolaus customers are routinely sent notices asking them, for example, to go online to check their statements. The Web site has a single sign-on, so that users who log in to see their virtual mailboxes can also do transactions.

"We also have a bill pay that sits up there that we pass along through an encrypted code," he said. That means that someone who steals login information could even write checks out of the account.

"I think a plug-in would probably be a good way to control it," he added. "I will check out all the options, everything I can do to ensure our clients' security."

Coming Up Spam
Spam isn't just a problem for customers, of course. Brokerage employees are also getting hit with both innocuous and dangerous e-mails.

According to a recent survey by NetIQ Corp., spam costs the average business more than $2.5 million a year in productivity, bandwidth, storage and support issues. And half of the respondents haven't installed anti-spam solutions for fear of false positives, NetIQ reports.

The issue of false positives is particularly important for brokerages because customer e-mails need to get through to their brokers in a timely fashion.

Foley & Lardner's Overly says that Wall Street firms should take a three-pronged approach to combating spam: educate employees, install anti-spam software and set local security settings.

"You can use security settings on individual computers that will prevent ActiveX [computer programs] from starting, or that will not allow a random program to access the Outlook contacts list," he said.

Meanwhile, spam rates continue to skyrocket. Despite new state and federal anti-spam laws, spam volume is expected to jump 10 percent, to 8.5 billion daily messages, this year from 2003, according to IDC research. In 2003, spam grew 68 percent vs. 2002.

Today, spam comprises 75 percent to 85 percent of all e-mails, said Andrew Lochart, director of product marketing at Postini. Postini diverts e-mail traffic destined for Wall Street firms, strips out the spam and forwards on only the good e-mails. It counts Merrill Lynch and AmSouth Bank among its 150 financial services customers.

"At Merrill Lynch, we're protecting between 50,000 and 70,000 users," said Lochart. "We're forwarding only 10 to 20 percent of the traffic that their servers would otherwise have to handle."

Spam e-mails aren't the only traffic that gets blocked, he added. Some messages, for example, aren't addressed to real employees. E-mail is cheap enough that spammers can send a message to every conceivable e-mail address at a company. Although these messages won't clog up employees' mailboxes, they will cause trouble for a company's servers.

Proactive Stance
But filters aren't enough, say securities industry executives.

"We spend too much time addressing our spam issues," said Archipelago CTO Steve Rubinow. "We're tuning our filters, responding to people saying we got the algorithm wrong and blocking important e-mails on the one hand, and on the other hand getting Viagra ads. The fact that we have to spend time doing it, is certainly not a productive use of our time."

Rubinow said that he supports legislation that would identify mass-produced commercial e-mail so that it could be easily filtered out.

Stifel Nicolaus' Blackmore has announced a policy that employees aren't allowed to give out corporate e-mail addresses for non-work-related purposes.

"But they do it anyway," he said. "If they're a big enough trader, they don't care where they go. They're e-mailing all kinds of people and it just creates headaches for us."

On a typical Monday morning, he said, his MailSweeper program catches between 30,000 and 35,000 pieces of spam.

"Then we have to go through all of them and make sure that it didn't have to go to somebody," he said.

It's a big headache, he says, almost as big a problem as on the compliance side, where two full-time employees do nothing but read e-mails all day.

"We review 10 percent of incoming and 10 percent of outgoing e-mails and most of the time, everything they look at is something on a joke list, or a letter to friends," he said. "I pity the people in compliance."


Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com