Phishers Are Getting Smarter, But So Are the E-Cops
Dec 8th 2011 8:00AM
Updated Dec 8th 2011 8:50AM
Traditional phishing -- where hackers attempt to acquire private information from individuals in hopes of defrauding them or getting them to click on links that will download malware onto their computers -- is bad enough. But even more alarming is the rise -- and effectiveness -- of a new kind of attack called "spear phishing."
Fake or Fraud?
While traditional phishing attacks involve sending emails that appear to be from a legitimate business, such as a bank or a retail store, spear phishers get an even higher response rate to their requests for personal information such as credit card, social security, or bank account numbers.
Spear phishers are able to target their attacks more effectively because hackers begin the process by gathering some information about individuals, such as their names, email addresses, or shopping preferences. Armed with this information, the hackers are able to make their solicitations for information appear more legitimate because of the recipient's assumption that only representatives of the company in question have access to the data.
This is particularly dangerous in the cases of banks or other organizations that carry accounts with the recipients' financial information. Phishing attacks have risen 12% since last year, with an 11% increase in attacks on customers of national banks. The losses amount to billions of dollars.
Earlier this year, marketing firm Epsilon, which is part of Alliance Data Systems (ADS), reported a breach in its security systems that gave hackers access to email lists gathered from clients such as US Bancorp (USB), JPMorgan Chase (JPM), Capital One (COF), and Best Buy (BBY). While the phishers may have only acquired names and email addresses, that is enough information to increase the efficacy of their solicitations to customers expecting correspondence from these companies.
Sign Here for Protection
Recent attempts to battle phishing involve using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate the sender, recognize forged messages, and prevent them from reaching your inbox. This strategy allows senders to set policy controls on the messages they send and receive, and to stamp outgoing messages with cryptographic proof of their identity. Receivers can then reject messages that lack this stamp.
While this approach has had some success, it still allows many phishing attempts to get through.
One obstacle to this method's success is that it only works well if a huge volume of senders use DKIM to sign their mail. Without such signatures, it is difficult to detect whether or not an email is forged. That means that businesses and email providers like Gmail need to build a cooperative scheme that allows private email addresses to reject forged emails from businesses that lack their cryptographic signatures.
Broader success of this initiative will require a situation in which all major businesses possessing private customer information form agreements with the email providers for their customers.
Early Warning Systems
In 2008, Gmail took a step in the right direction by working with PayPal and eBay (EBAY) to set up authentication procedures that automatically reject emails from "@paypal.com" or "@ebay.com" that lack the proper cryptographic signature.
The shortcoming here is that it only protects Gmail users from phishing attempts using PayPal's or eBay's domain names. Protecting every private email address from phishing attempts using any company name is a tremendously long and complex process. But there are companies working on ways to increase the number of businesses forming cooperative agreements with email providers.
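The receiver-side policy described above (stamp outgoing mail with a signature, publish the verification key, and reject unstamped mail only from senders that have agreed to sign) as an added example, not code from the article or from Gmail, PayPal or eBay. It is a simplified stand-in for DKIM: the signature covers only the From header and body, the key "publication" is an in-memory map instead of a DNS record, and Ed25519 is used because Go's standard library provides it. The domains, addresses and message bodies are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"strings"
)

type Verdict string

const (
	Accept  Verdict = "accept"  // valid stamp from a domain whose key is published
	Reject  Verdict = "reject"  // participating domain, but the stamp is missing or bad
	Unknown Verdict = "unknown" // sender never agreed to sign, so forgery cannot be told apart
)

// dkimKeys stands in for the DNS records where a domain publishes its DKIM
// public key (constructed; real keys live at <selector>._domainkey.<domain>).
var dkimKeys = map[string]ed25519.PublicKey{}

// signingDomains: senders that agreed with the provider to sign all their mail (article: paypal.com, ebay.com).
var signingDomains = map[string]bool{"paypal.com": true, "ebay.com": true}

// registerDomain creates a key pair for a domain and "publishes" the public half.
func registerDomain(domain string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dkimKeys[domain] = pub
	return priv
}

// signMessage is the sender-side stamp: a signature over the From header and body.
func signMessage(priv ed25519.PrivateKey, from, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(from+"\n"+body)))
}

// checkMessage is the receiver-side policy from the article: verify the stamp
// against the published key, and reject unstamped mail from participating domains.
func checkMessage(from, body, sigB64 string) Verdict {
	domain := from[strings.LastIndex(from, "@")+1:]
	if pub, ok := dkimKeys[domain]; ok && sigB64 != "" {
		sig, err := base64.StdEncoding.DecodeString(sigB64)
		if err == nil && ed25519.Verify(pub, []byte(from+"\n"+body), sig) {
			return Accept
		}
	}
	if signingDomains[domain] {
		return Reject
	}
	return Unknown
}
```

The Unknown verdict is the gap the article points to: a forged message from a domain that never agreed to sign looks the same as a legitimate one.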
For example, new start-up Agari is attempting to simplify the authentication process for large businesses and help them send clear policies to email providers that help those providers detect spam. It is using email filtering data from Cisco (CSCO) and several cooperating Internet service providers to develop message analysis algorithms that will allow it to go beyond DKIM and SPF to catch any attempts to use its customers' brands to defraud customers.
Right now, the best defense against spear phishers is for consumers to take up arms alongside their Internet service providers until larger systems are in place to stop the bad guys from imitating legitimate entities.
Jim Royal, Ph.D., does not own shares of any company mentioned here. The Motley Fool owns shares of JPMorgan Chase, Best Buy, and Cisco, and has created a bull call spread position on Cisco. Motley Fool newsletter services have recommended buying shares of Cisco and writing covered calls in Best Buy.