Phishing

06/04/2009

There appears to be some proof in the statements that current socio-economic factors are influencing cybercriminal activity during the downturn. We at Softcat have seen a marked increase in the number of phishing scams filtering through, and many of our vendor partners are announcing increased levels of activity across the board.

During Q1 09 there were news announcements highlighting a scam directly targeting individuals and their personal data.

Leading security vendor Websense has warned people filling out their online tax returns to be wary of an internet scam which is attempting to steal personal financial details. With the impending end-of-month deadline, British workers are being targeted by cyber criminals. Apparently people are being tricked into entering their personal details into a fake website, which originates in Denmark. Victims receive an email which purports to be from HM Revenue & Customs (HMRC).

It reads "Over the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of £99.23. Please submit the tax refund request and allow us 3-6 days in order to process it."

It then contains a link which claims to go to the HMRC website. However, it actually takes users to a fake website - designed to look exactly the same as the authentic one - where unsuspecting victims enter their important financial data. This is then forwarded to the cyber criminals, while the user is sent to the proper HMRC site - meaning many are unaware they have been defrauded until their bank contacts them.

McAfee’s latest research shows the global recession is increasing risks to intellectual property.

Researchers examined responses from more than 800 CIOs in the USA, UK, Germany, Japan, China, India, Brazil and Dubai. The research examined where vital information such as intellectual property originates, where it is stored globally, how it is transferred and lost.  The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches. 

“Companies are grossly underestimating the loss, and value, of their intellectual property,” said Eugene Spafford, professor of computer science at Purdue University and executive director of CERIAS. “Just like gold, diamonds or crude oil, intellectual property is a form of currency that is traded internationally, and can have serious economic impact if it is stolen.”

“Based on the survey findings McAfee conservatively estimates that the global damage from data loss to top one trillion dollars,” said Dave DeWalt, president and chief executive officer of McAfee. “This report is a wake-up call because the current economic crisis is poised to create a global meltdown in vital information.  Increased pressures on firms to reduce spending and cut staffing have led to more porous defenses and increased opportunity for crime. Companies need to stop looking at security as a cost center but as a business enabler.”

Key findings:

Recession puts intellectual property at risk
Organisations are clearly worried about the global financial crisis and its impact on the security of vital information. 39% of respondents surveyed believe vital information is more vulnerable in the current economic climate than before.

Commitment to protecting vital information varies
Developing countries are more motivated and spend more on protecting intellectual property than their Western counterparts. Brazil, China and India spent more money on security than Germany, UK, US and Japan. 74% of Chinese and 68% of Indian respondents invested in securing their intellectual property for competitive advantage.

Intellectual property is now an international currency
Experts say there has been an increase in the number of corporate data intrusions by organised cyber mafia gangs, increasingly targeting executives using sophisticated phishing techniques.

Employees steal intellectual property for financial gain and competitive advantage
An increasing number of financially challenged employees are using their corporate data access to steal vital information. As the global recession continues and legitimate work disappears, desperate job seekers or “cyber moles” are stealing valuable corporate data, which may be seen as desirable by potential future employees, to make themselves more valuable in the job market. 42% of respondents said displaced employees were the biggest threat to vital information.

Geographic threats to intellectual property
Geopolitical perceptions are influencing data policy reality.  China, Pakistan and Russia were identified by companies surveyed as trouble zones for various legal, cultural and economic reasons. 26% of respondents purposely avoided storing intellectual property in China. Yet 47% of Chinese respondents believed the United States posed the biggest threat to their intellectual property.

Rik Ferguson, Senior Security Advisor at Trend Micro, gives his thoughts on how socio-economic factors will influence cybercriminal activity during the downturn.

As the financial crisis begins to hit home in a more tangible way through 2009, we will see a continued increase in job losses and a decline in the overall financial health of individuals and families. We can fully expect organised cybercrime to take advantage of this, as to them it will be almost a recruitment bonanza as more highly skilled, disaffected and financially motivated programmers find themselves out of work. If cybercriminals have no difficulty in recruiting willing volunteers to crack CAPTCHAs at a rate of $2 or $3 per thousand it is a sure thing that they will want to take advantage of a growing available workforce with far more advanced skills.

Continued disruption in the commercial world (banking, retail, commercial finance, insurance etc.) will of course see more companies going through difficulty, going out of business or being the subjects of acquisitions and mergers. This is exactly the kind of confusion that social engineering thrives on and we saw this begin in 2008 during the banking crisis.

Do not expect to see marked technological shifts in methodologies behind cybercrime although we will begin to see the delivery vectors and targets shift somewhat.

1) Mobile devices are certainly becoming more prolific, and have been helped into acceptance in no small measure by the popularity of the iPhone and the rise of haptic technology in Windows Mobile and Symbian devices as well. Expect to see malware specifically targeting mobile devices and perhaps for the first time recruiting them into "3G botnets".

2) Implicit trust in your "friends" on social networking sites has seen the evolution of socially engineered scams toward the tail end of 2008 and we can expect this to continue through 2009 with incidences of compromised accounts being used to message associated friends in a direct and credible way with the intention of infecting, compromising or socially engineering money and/or information out of the victim.

3) VoIP technology is rapidly gaining in acceptance and will also become a lucrative target for cybercrime both in rogue VoIP apps, vishing and as a potentially lucrative target of DDoS blackmail attacks.

Malware writers, anti-detection vendors, spammers, phishers, and carders will continue to operate around the concept of monetary gain. Cybercriminals will continue to take advantage of events, celebrities, and political figures, among others, as social engineering bait.

2008 was absolutely the year of the mass compromise with hundreds of thousands of websites being infiltrated to host invisible code redirecting unsuspecting browsers to sites hosting malicious code and exploit kits.

Web threats are still exhibiting exponential growth, and I expect that trend to continue through 2009. At the end of 2008, the growth in web threats since 2005 had well exceeded the 2000% mark. Malware hosted in remote URLs increased by 256% in 2008. Also, malicious links in spam saw a 500% spike. One in every 500 web requests made is to a website hosted on an infected PC.

Around 115 billion spammed messages are being sent every day, up from the average 75 billion in 2005 to 2006. Ninety-nine percent of spam comes from compromised computers, including those with malicious communication to and from remote users.

In response to the ever increasing risk of identity theft, some insurance companies have begun to offer “Identity Theft Insurance” policies and this is a trend that we expect to see continuing across Europe in 2009 and beyond as more targeted and effective malware and social engineering drives a rise in ID theft related attacks.

Today the Waledac botnet is most active, with very good social engineering on timely events such as Valentine's Day and the Obama election and inauguration, just like the Storm botnet did in 2007-8.

Cisco IronPort protects organisations and their employees from phishing attacks using a comprehensive set of industry-leading email and web security technologies. At the heart of this technology is SenderBase, Cisco’s threat prevention management system, which has real-time visibility into the threat landscape with data on more than 25 percent of the world's Internet traffic.

With the Cisco IronPort C-Series email security appliance, all emails are checked for sender authentication and analysed for content including URLs. If the email fails these checks then it will be quarantined to prevent the user receiving the phishing email.

The Cisco IronPort S-Series web security appliance protects users from accessing phishing websites. If the users click on a link in a phishing email, the appliance will check the website’s reputation score with SenderBase, and if suspicious will not allow the webpage to open, stopping the user from visiting the page.

The combined email and web technologies that Cisco IronPort offer, supported by the threat management system of SenderBase, will ensure that users are safe from all internet-based phishing attacks now and in the future.

Phishing is a threat that combines both the e-mail and web threat vectors, so it helps to have a holistic approach to dealing with the threat it poses.

Clearswift’s E-mail Appliance anti-spam technology identifies phishing attacks and, when layered with their further content and anti-malware defences, prevents them from being delivered to a user. If those defences are circumvented and a user does click on the link, the Clearswift Web Appliance has policies around the information being exchanged and the legitimacy of the website, blocking the user again from making any errors.

This is just one example where the common policy console and tight integration of e-mail and web security offered by Clearswift’s appliances allows organisations to communicate and collaborate safely by being able to ‘intelligently’ secure your network. 

Microsoft is focusing its anti-phishing technologies in two areas: helping to prevent phishing e-mail messages from reaching customers in the first place, and helping to prevent users from accidentally providing key personal data to a fraudulent Web site.

MSN and Windows Live Hotmail users already have protection from phishing e-mail messages through Microsoft's patented SmartScreen spam filtering.

SmartScreen is also enhancing spam and junk-mail filtering in the latest versions of Microsoft Office Outlook, Exchange Hosted Filtering, and Microsoft Exchange Server.

Microsoft is helping to protect the browsing experience with the new Microsoft Phishing Filter, built into the browser for users of the new Windows Internet Explorer 7 for Windows XP and all versions of the Windows Vista operating system. This advanced phish-fighting capability is designed to give consumers greater clarity about known and suspected phishing attacks, and provides Web-site owners with a mechanism to offer more consistent and transparent content for legitimate e-commerce.

How Mimecast protects against emails containing Phishing attacks, Spam and Viruses
Mimecast’s anti-spam service utilises a custom-built MTA, which is designed to take advantage of Mimecast’s distributed process capabilities to be security and policy aware.  The first step passes through denial of service protection and then it uses local & global reputation at a connection level to decide to accept or reject the message. The message then moves onto RFC conformity checking which queries the sending mail server to ensure it is not a spam bot. If it passes this check, Mimecast can perform further optional checking based on the content of the message.  If email is coming from a known good party Mimecast will prioritise them (add to a white list).

Next the message is run through multiple commercial & Mimecast proprietary AV engines and passes through layer 7 intrusion prevention, which looks for OS & application exploits. It is then scanned for URL links to known bad web servers; if a link is unknown, Mimecast will proactively check the website to see if it contains known malware. Mimecast will check email for known phishing content and graphics (this also captures any image spam).

Mimecast does not accept the message until it passes all these checks, and will then pass the message on to the Mimecast policy engine (disclaimers, attachments, content filtration). This offers very efficient connection-based spam management, augmented with effective content-based analysis and policy enforcement. The result is 99% of spam blocked at connection.
