Most of your friends and family have heard about phishing. They may even know enough to ignore e-mails claiming there is a problem with their accounts, and to check the URL of sites they are not sure about.
Unfortunately, phishers have raised the bar: they are now using spyware to install keystroke loggers that capture users' banking credentials.
In January, the Anti-Phishing Working Group identified a Brazilian phish site, ostensibly selling Visa cards, that dropped a program called visa.exe into a directory on the visitor's machine. On reboot the program modified the system registry, logged keystrokes whenever predetermined sites were visited, and sent the captured data back to the attackers. Dave Jevans, the group's founder, says phishers can use the same techniques to install hijackware that redirects the browser: when a user types Citi.com, the browser lands on a password-harvesting site that looks just like Citibank's.
Until recently, the bad guys had to exploit browser vulnerabilities to make the address bar show what looks like a legitimate URL. Now a standard approved by the Internet Corporation for Assigned Names and Numbers (ICANN) lets browsers be spoofed without any exploit at all. ICANN approved the registration of domain names containing non-ASCII characters, and the Internationalized Domain Names (IDN) standard that implements this lets a name draw on thousands of characters beyond the Latin alphabet: the browser displays those characters, while on the wire the name is sent as an ASCII-compatible "xn--" (Punycode) label. Phishers register names that swap in look-alike characters from other scripts (a Cyrillic "а" for a Latin "a", for example), so the fake URL is displayed identically to the real one and the address bar gives the user nothing to tell them apart.
In February, Secunia, a Danish security company, published an advisory on the IDN spoofing vulnerability on its Web site. At the time, the Firefox, Opera, Safari, OmniWeb, Netscape and Konqueror browsers were all vulnerable to IDN spoofing. If Microsoft adopts IDN, Internet Explorer will be vulnerable too.
We tested Firefox and Safari against a test developed by security expert Eric Johansen. When both browsers displayed a perfect spoof of paypal.com, I fired off an e-mail to Secunia asking: "Why haven't browser vendors done anything to reverse this?"
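The homograph trick described above can be checked mechanically, which is what a browser or a phish-detecting toolbar should do before rendering a name. The following is an added example, not code from this article or from any browser vendor: it converts a displayed hostname to the Punycode form that is actually resolved, flags labels that mix Unicode scripts, and folds look-alike letters to a "skeleton" so the name can be compared against a list of protected brand domains. The confusables table and the protected-domain list are constructed for illustration, and the script check uses the first word of each letter's Unicode character name as a stand-in for the Unicode Script property.

```python
import unicodedata

# Constructed sample of a confusables table: non-Latin letters whose glyphs are
# indistinguishable from Latin letters in common fonts. A real deployment would
# load Unicode's confusables.txt; this subset only illustrates the idea.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed list of brands the check protects (assumption: a bank or toolbar
# vendor would keep its customers' real domains here).
PROTECTED = {"paypal.com", "citi.com", "cisco.com"}


def to_punycode(host):
    """The ASCII-compatible form the browser actually resolves (RFC 3490/3492)."""
    return host.encode("idna").decode("ascii")


def scripts_in(label):
    """Heuristic script set for a label, taken from each letter's Unicode name
    ('LATIN SMALL LETTER A' -> 'LATIN'); digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold confusable letters to their Latin look-alikes after NFKC normalization,
    so that names which render identically map to the same string."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def analyse(host, protected=PROTECTED):
    """Return a verdict dict for one hostname exactly as the user would see it."""
    host = host.strip().lower().rstrip(".")
    findings = []
    try:
        wire = to_punycode(host)
    except UnicodeError as exc:
        wire = None
        findings.append(f"not encodable under IDNA: {exc}")
    labels = host.split(".")
    for label in labels:
        if label.isascii():
            continue
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    # Whole-script confusables (every letter Cyrillic, say) pass the mixed-script
    # rule, so compare the folded name against the protected list as well.
    folded = ".".join(skeleton(label) for label in labels)
    if folded != host and folded in protected:
        findings.append(f"renders like protected domain {folded}")
    return {"display": host, "wire": wire, "findings": findings, "block": bool(findings)}


if __name__ == "__main__":
    samples = [                              # constructed inputs
        "paypal.com",                        # genuine
        "p\u0430ypal.com",                   # Latin plus Cyrillic 'а': the spoof
        "\u0441\u0456\u0455\u0441\u043e.com",  # all-Cyrillic look-alike of cisco.com
        "m\u00fcnchen.de",                   # legitimate non-ASCII name, one script
    ]
    for sample in samples:
        print(analyse(sample))
```

Running the block prints a verdict for each sample. The mixed-script rule on its own is not enough: the all-Cyrillic cisco.com look-alike passes it and is caught only by the skeleton comparison, while a legitimate single-script name such as münchen.de is left alone. The "wire" field is what a user would see if the browser displayed the Punycode form instead of the decoded characters, which is the simplest mitigation a vendor can ship.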
Secunia's CTO Thomas Kristensen replied with a question of his own: "Who should you blame - ICANN, the browser vendors or other parties who wanted to implement special national characters without listening to criticism that [goes back to] 2002?" Kristensen says the browser vendors should take responsibility and reverse their support for IDNs.
Experts predict phishing attacks will become more prolific, complex and organized over the next two years. Install pop-up blockers; switch to a browser such as Firefox and keep it patched (as noted above, Firefox was itself among the browsers fooled by the IDN spoof), or at least patch Internet Explorer regularly; and run more than one anti-spyware tool. Point users to Microsoft's phishing video.
Look to Phishing.net for no-cost toolbars that identify known phish sites. FraudEliminator, a free plug-in for Internet Explorer, adds a site-status button beneath the URL (green, yellow or red), pop-up control and reporting. The trouble is that such toolbars rely on a database of known phish sites, and phish sites come and go in hours or days, so a brand-new site is invisible to them. Beyond toolbars, look for multi-factor authentication services: AOL offers RSA Security tokens for $10 each plus $2 to $5 per month. Banks are adopting an authentication scheme from Strikeforce that calls the user's phone and prompts for a PIN, and LyfeCards is promoting it to 50,000 retail merchants.
Read more about security in Network World's Security section.