New Strategies to Fight PhishingAs the Fraud Threat Grows, Battle Plans Change
When it comes to financial fraud, banking institutions are losing the battle. The primary culprit: phishing.
Phishing schemes, which are most often carried out by e-mail or instant-messaging, aim to dupe users into sharing sensitive information such as usernames, passwords and credit card details by masquerading as trustworthy entities, such as a bank or government agency.
Worldwide, phishing attacks increased 37 percent from 2010 to 2011, according to the security firm RSA. Last year, RSA estimates, one out of every 300 e-mails included some kind of malicious link or phishing attempt.
Losses associated with phishing are striking, too. In mid-March, the Russian Federal Security Service arrested eight suspects for the roles they played in a $4.5 million phishing scam that crossed several international borders. Working, in part, from information provided by security analyst firm Group-IB, Russian authorities linked the hackers to an online banking trojan called Caberb, which was allegedly used to establish remote access to computer systems and databases. [See 8 Arrested in $4.5 Million Scheme.]
The average phishing attack yields $4,500 in stolen funds for the fraudster, RSA estimates. And large U.S. banks are increasingly the primary targets.
RSA's online fraud report, The Year in Phishing, notes that while phishing attacks are targeting credit unions and community banks less often, attacks last year on nationwide banks increased 10 percent.
RSA expects phishing schemes to increase this year, as attacks spread to more nations, target more brands and communicate malicious messages in more languages. "Although phishing is one of the oldest online scams, and user awareness is higher than ever, it seems that Web users still fall for phishing, unknowingly parting with their credentials over convincing-enough replicas of websites they have come to trust," the RSA report states.
Targeted attacks known as spear-phishing, which often identify e-mail users by name and title, pose an increasing threat. But even phishing attacks that are transmitted broadly with generic messages continue to get around e-mail spam filters and trapping methods.
The Core Problem
Why has the financial industry struggled to counter or at least contain phishing attacks? Because it has failed to address the core problem: human manipulation.
"It's easy for technical people to understand technical issues," says online security expert Markus Jakobsson, who has studied phishing. "But this is psychology, and technical people are not good at that."
Social engineering is the challenge. Addressing human behavior is the struggle.
Dave Jevans of the Anti-Phishing Working Group says phishing comes in many forms and flavors. "We're going to see phishing forever," he says. "I still get hit by it in paper [mail]. And if we haven't solved it on physical paper, we aren't going to solve it on the Internet."
DMARC: Just A Step?
The complexity of the Internet poses its own challenges, Jevans says, making the effectiveness of initiatives like DMARC, the Domain-based Message Authentication, Reporting & Conformance, questionable. DMARC is an industry effort that requires cooperation among e-mail service providers, such as AOL, Gmail, Hotmail, Yahoo!
"There is so much existing infrastructure out there," Jevans says. "You're talking about re-jiggering every e-mail infrastructure on the Internet, and that's a core problem."
During RSA Conference 2012, held earlier this month in San Francisco, the benefits and challenges of DMARC were weighed by online security experts from Hotmail, American Greetings and PayPal. [See Can DMARC Hook Online Phishers?]
DMARC standardizes how e-mail receivers perform e-mail authentication by providing a uniform reporting mechanism, said Andy Steingruebl of PayPal. "DMARC offers a way for senders to be verified, and it creates a system that's built on reputation."
Ultimately, DMARC can block suspicious e-mails, based on certain levels of authentication, before they ever hit the inboxes of intended recipients. Thus, e-mail senders are expected to experience consistent authentication results for messages that go through DMARC-affiliated providers AOL, Gmail, Hotmail, Yahoo!, as well as other e-mail receivers that implement DMARC.
Critics say DMARC, like most technical solutions, will fail because it does not address the core issue: human behavior. The other problem: DMARC requires a great deal of industry collaboration and cooperation among e-mail service providers and other entities that touch the Internet. "They certainly haven't come together in the past," Jevans says. "I don't know what makes us think they will come together now."
Executives at e-mail security provider Agari, a founding member of DMARC, acknowledges that DMARC is not a cure-all. "It focuses specifically on the problem of domain phishing and provides a model for ensuring that a company's domains are not being spoofed for malicious purposes," says Daniel Raskin, Agari's vice president of marketing. "It shifts the security model from a focus of heuristics and guesswork to a binary decision-making model."
Previous technical solutions focused primarily on protecting a company's perimeter, rather than guarding against attacks across the cloud. Now, by securing domains, companies can stop the phishing threats before they reach the perimeter. "The messages never hit the inbox," Raskin says.
But phishing is about deceit. And experts say consumer education still ranks No. 1 when it comes to mitigating risks associated with phishing.
Coming up with new and creative ways to educate consumers is the key, Jakobsson says. And with a beta site called SecurityCartoon.com, Jakobsson is testing the efficacy of using common analogies to explain Internet security.
"Rather than being technical, we need to communicate more in analogies," Jakobsson says. By drawing fraud comparisons between phishing and tasks the average consumer conducts every day, SecurityCartoon.com aims to simplify the message.
So, beyond technology, what can institutions do to deter phishing attacks against their brands? Security experts offer advice about steps to take to help address phishing threats.
- Invest in technology and secure the perimeter. Technology is not the silver bullet, but it is part of the solution. Banks and credit unions should assume that every endpoint has been or can be compromised, and then build their fraud prevention systems based on that perspective.
- Work with ISPs. Collaborate with your Internet Service Provider to carefully monitor whether visitors to your sites are being directed to spoofed sites. If traffic is being redirected, you'll want to detect that sooner rather than later.
- Be consistent. Don't tell users to avoid links in e-mails and then send them e-mails with links to information about online security. "The security provider says, 'don't click on links,' and then you get an e-mail from the same service provider that says 'check this link for an update.' Is this valid?" Jakobsson asks. "They are sending mixed messages. They don't think about the behavior of the person or the psychology."
- Make it easy. Explain security in a way the average person can understand by communicating with analogies. "Think about what people relate to," Jakobsson says. "They cannot relate to Internet infrastructure, but they can relate to how a blue mailbox for letters works."
- Provide education for executives and customers. "It's not just about password education and safe e-mail practices," Jevans stresses. "Most organizations don't even appreciate that they have to replace or update their servers and systems."