
Bugwatch: Phishers target the network

The latest scams can affect far more people than the original recipient

Mark Murtagh, technical director, Websense, vnunet.com 01 Dec 2004

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Mark Murtagh, technical director at Websense, warns of the dangers to company networks when employees fall victim to phishing scams.

The number of phishing emails continues to rise at a shocking rate, with copycat websites opening as soon as one closes, so much so that phishing now represents the biggest form of online identity theft.

Putting this into context, the Anti-Phishing Working Group, an industry body providing information on phishing and email fraud, reported over 1,900 unique phishing attacks in July alone, representing an increase of 19 per cent on the previous month.

In its most basic form, phishing works by using spoofed emails and fraudulent websites that appear to come from trusted institutions, such as e-commerce and financial sites. These are designed to dupe recipients into divulging confidential information such as credit card details or online banking passwords and PINs.

The rapid development and sophistication of such attacks mean that phishing is no longer limited to email as the attack tool. Many cases have been reported involving web browser hijacking, instant messaging and automatic pop-ups, through to media such as fax, phone calls and even regular post.

These 'next-generation' attacks are using blended methods that harness social engineering psychology (playing on people's fears and motivations) together with application and operating system vulnerabilities to run malicious code locally on users' PCs.

Key-loggers can now be programmed with behaviour mechanisms to wait until users access real websites before they start logging keystrokes and taking screen captures. To make matters worse, this is all conducted unnoticed: users do not realise that they have been victims of phishing until they check their financial statements and receive an unpleasant surprise.

These new attacks have the potential to affect far more people than the original recipient. For example, an employee working at home on a company laptop receives a phishing email and clicks on a link; the laptop could then infect other computers when it is reconnected to the network.

If a large number of employees are accessing their bank details online, this offers potentially huge spending power for hackers. It could also compromise the company's finances and confidential information.

Seen in this light, phishing is a real security threat for businesses today and one that needs addressing quickly and efficiently. But the question is how?

Unfortunately, guaranteeing that an organisation is up to date with the latest security patches and antivirus signatures is not enough to prevent an attack.

Anti-spam software fails to offer a guaranteed method of protection, since the words and phrases used in the fake web address often appear to be from a normal bank and might slip through filters.

Companies need to enforce an internet usage policy that prevents unauthorised applications from launching on the employee desktop.

By blocking any unknown security threats, and only allowing approved applications to run on corporate PCs and servers, IT departments can customise policies based on existing user and group network definitions, enabling a system that offers protection without restricting employee productivity.
