Last updated July 15, 2008

Phishers Sink to New Lows

April 10, 2006

They are the scourge of the Internet--anonymous armies of programmers who send out masses of spam, set up fake Web sites and take money from unwitting holders of online banking and brokerage accounts. In the bargain, they can turn personal computers into spam-manufacturing zombies.

The perpetrators--phishers--represent virtually all that can be bad about the Internet. In the face of increasingly sophisticated and effective countermeasures, phishing attacks get more brazen.

An analyst at Netcraft, a U.K. Internet security firm, in mid-March reported that phishing sites designed to look like JP Morgan Chase & Co.'s Chase Bank and asking for customer log-in information were actually hosted on servers belonging to China Construction Bank (CCB). The latter, a state-owned giant with 14,000 branches, denied the inference that it was engaged in wrongdoing--and it was surely not guilty--yet the phishing e-mails directed recipients to Internet addresses assigned to CCB's Shanghai branch. It was "the first instance we have seen of one bank's infrastructure being used to attack another institution," says Netcraft analyst Rich Miller.

It was an outrage, to be sure, but typical of the breed. The illicit e-mails offered $20 for filling out a survey about the usability of Chase online banking. To claim the reward, users had to provide their ID or password--and were asked for their card number, personal identification number (PIN), card verification number, Social Security number and mother's maiden name.

The CCB scam could have been the work of clever hackers, disgruntled employees or just bad luck--phishers scan the Internet looking for unprotected computers, and they may just have found an opening where an update patch was out of date.

Their deep pockets make financial institutions favorite phishing targets. According to the Anti-Phishing Working Group, a global industry association with more than 2,000 members, financial services companies were the targets of 92 percent of all attacks in January, the last month for which figures are available. Although it's a high-tech offense, phishing preys on low-tech vulnerability--people's assumption that the messages are trustworthy and willingness to give up personal information, which phishers use to get into their accounts.

Plans and Strategies

Other recent advances in phishing technology include using multiple Web sites, so if one is shut down, another fills the breach. Phishers have also learned how to change the settings on victims' computers so that they will be directed to phishing sites whenever they type in their bank's or brokerage's address in their browsers--an attack known as DNS [domain name server] poisoning.

Phishers are also becoming more, well, businesslike, says Mark Lobel, a partner in PricewaterhouseCoopers' security practice in New York. "Phishers and hackers are really trying to organize themselves like businesses, to improve cash flow, to improve redundancy and to have business continuity plans," he says. For them, too, "downtime is money," notes Lobel. "And like in any other legal or illegal business, there is a risk associated with it. They try to put risk mitigation strategies in place."

If a financial institution manages to track a phishing attack to a "botnet"--a network of infected computers that have been surreptitiously programmed to spew spam--and effectively close it down, the hackers may just wait patiently for a couple of weeks, reregister their computers and reclaim the botnet. Meanwhile, new phishers keep springing up. "You cut off one net and another one--or more--appears," says Lobel. "Unfortunately, it's still profitable."

The growth in phishing is one of the reasons that the financial industry, encouraged by regulators, has become receptive to multifactor authentication techniques that employ a hardware token, fingerprint reader or other tools beyond simple user IDs, passwords and PINs. But some phishers are even figuring out ways to get around stronger authentication. Alex Shipp, a senior antivirus researcher at New York-based e-mail security company MessageLabs, has seen "Trojan horse" programs that hide in computers and, when owners log on, automatically grab their money. "We expect this kind of activity to become more prevalent as banks move to stronger forms of authentication," Shipp warns.

Firms implementing two-factor authentication must take such risks into account and not depend entirely on codes residing in the PC, says Scott Laliberte, head of operations for the global security practice at Protiviti, a Menlo Park, Calif.-based international risk-consulting firm. "Rely on server-side authentication," he recommends. "And pick a solution that's not easy to hijack."

"Mutual authentication"--the idea that financial institutions are also victims of phishing and need to shore up their defenses and authenticate their own virtual identities as well as those of clients--is part of the anti-phishing agenda of groups such as the Financial Services Technology Consortium (FSTC) and Bits, the technology arm of the Washington, D.C.-based Financial Services Roundtable.

FSTC executive director Dan Schutzer says that two-factor authentication for customers is part of the solution--assuming that the security industry adopts interoperability standards so as not to weigh people down with too many devices. But personal computer vendors, Internet service providers and browser companies have to build in security on their ends as well. "Phishing remedies include better and cleaner PCs and networks and better authentication techniques," says Schutzer. "We're studying the remedies and talking to the vendors, but we still have a way to go."

Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com