Monday, September 08 - 2008

Online fraud: an update

If there is one trait common to nearly all purveyors of online fraud it is the ability to mutate.

  • Monday, January 02 - 2006 at 08:46


From simple attempts at social engineering to 'phishing' to 'pharming' to 'spear phishing,' fraudsters have proven especially resourceful at modifying their behavior. The result has been a shift in the threat landscape. As the latest Symantec Internet Security Threat Report observed, attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets.

'Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud.' ('Symantec Internet Security Threat Report Vol. VIII,' September 2005)

This article looks at the most significant online threats and the steps organizations can take to stop them.

The evolution of phishing

One of the more worrisome findings of the latest Threat Report concerns the continued increase in phishing attacks. Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. Consider these statistics:


• In the first six months of 2005, Symantec blocked 1.04 billion phishing attacks, compared to 546 million in the last six months of 2004, a 90% increase in messages blocked.


• Between January 1 and June 30, 2005, the volume of phishing messages grew from an average of 2.99 million messages a day to 5.70 million.


• One out of every 125 email messages scanned by the Symantec Brightmail AntiSpam solution was a phishing attempt, an increase of 100% from the last half of 2004.

These figures are borne out by the latest report from the Anti-Phishing Working Group. In August, the APWG detected 5,259 unique phishing Web sites, the highest number ever. The APWG surmised this may reflect an increasing tendency of phishers to target a diverse group of smaller brands, as well as 'an increased use of multiple sites to host a single attack, in order to increase their resiliency to takedown efforts.'

While the financial services sector continues to be the most targeted industry sector (accounting for nearly 85% of all attacks in August), the APWG said it is now seeing a number of new targets, including insurance companies, credit unions, payment services, and even an ATM network (such attacks are commonly referred to as 'puddle phishing'). The APWG said it is also finding an increase in the number of reported attacks against European financial institutions and ISPs. More attacks against customers of Canadian institutions are being reported as well.

A dramatic rise in malicious code

As disturbing as the rise in phishing attacks has been what the Threat Report calls the 'massive increase' in malicious code. Over the first half of 2005, Symantec documented more than 10,866 new Win32 viruses and worms, an increase of 48% over the 7,360 documented in the second half of 2004. (It's also an increase of 142% over the 4,496 documented in the first half of 2004.) The increase is primarily due to the rise of Win32 variants that implement bot features -- such as remote access through IRC channels and denial of service capabilities -- that attackers now use for financial gain. For instance, use of the Spybot, Gaobot, and Randex bots has risen dramatically because their source code is available to the public. And as the Threat Report puts it: 'The number of new variants is all the more remarkable considering that the number of existing families has not changed appreciably over the past four reporting periods. The increase in variants is problematic for organizations because each one represents a new threat against which administrators must secure their systems and for which antivirus providers must develop and provide updates.'

Methods of mitigating online fraud

Symantec believes that any solution aiming to mitigate online fraud must be multi-pronged. Symantec's solution includes the following components:


• An email fraud detection, filtering, and alerting network


• Online customer education


• A desktop security assessment capability for customers of financial institutions


• An infrastructure and means for financial services customers to acquire the products and services needed to improve their level of protection


• Consulting and assessment services

The fraud detection network detects and blocks fraudulent email before it reaches customers. In parallel, an online destination - co-branded with individual financial institutions - enables customers to better understand security-related and fraud avoidance issues, test their exposure to online threats, and identify and address their security needs.

A key component of Symantec's approach involves intercepting fraudulent email before it reaches the mailbox of potential victims, which minimizes damage and costs. Specifically, Symantec's probe network of 2 million decoy email accounts attracts fraudulent email. The network then monitors the Internet for fraudulent email that targets the customers of businesses enrolled in this service. At a Symantec operations center, 25 million email messages per day are received and analyzed. Researchers at the center investigate and validate possible fraudulent email attacks. Unlike spam, fraud attacks can be difficult to detect without expert inspection and detection algorithms. Symantec uses both human experts and technological means to identify fraud attacks at their earliest stages.

Once a fraud attack is identified, anti-fraud rules are deployed in the form of continually updated filters that block fraudulent messages. When attacks that target specific brands are detected, immediate alerts are sent to pre-designated personnel, enabling the institution to set in motion incident response procedures such as contacting law enforcement, working to block spoofed IP addresses, notifying customers, and initiating internal investigations.

The result is that potentially fraudulent emails are automatically filtered and blocked while institutions receive immediate notification.

Conclusion

Based on emerging data collected over the first six months of this year, Symantec predicts that the threat of phishing will continue to grow as attackers take advantage of new targets. This is because smaller targets (such as regional banks) far outnumber large ones (like credit card companies), and because smaller targets generally present fewer challenges for attackers.

In addition, phishing messages are continually being altered in order to evade anti-spam and anti-phishing filters. This is driving innovation in methods of evasion, particularly in the use of randomized changes in phishing messages.

For these reasons, organizations are strongly urged to deploy an online fraud solution. Organizations should also ensure that their end users are educated about new forms of online fraud. They should closely monitor phishing activity and keep their users informed of the latest phishing scams and how to avoid falling victim to them.

End users should be educated about the types of threats they are likely to encounter and advised to not respond to any requests for confidential or financial information without confirming the source and validity of the request.




Symantec Symantec, Middle East
Monday, January 02 - 2006 at 08:46 UAE local time (GMT+4)
