Taming the ever-evolving phish risk

By Cara Garretson, Network World
January 31, 2005 12:07 AM ET

At an industry conference last year, the head of security for a state port authority told of how a phisher - possibly a current or former employee, or someone in cahoots with one - bluffed his way onto the corporate network by first spoofing an internal e-mail address. The ploy, apparently designed to elicit application passwords, got responses from about 50 workers before one called the IT department to raise a red flag, according to a conference attendee.

Once a phisher has successfully spoofed a corporate e-mail address, the damage that can ensue is substantial, experts say. In the port authority case, the phisher could have found a number of ways into the corporate network once he convinced employees that his e-mail actually came from a co-worker. For example, the phisher could have attached a key-logging program to the e-mail that recorded an unsuspecting employee's password while he was accessing an application, thus granting the phisher access as well. Officials with the port authority won't comment further on the incident.
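The defender's side of the ploy described above, as an added example that is not code from the article or from the port authority: a small Python triage script that parses raw messages with the standard `email` module and flags any message whose From: address claims the organisation's own domain while the hop that handed it to the organisation's own relay came from outside. The domain `company.example`, the internal address ranges, and the three sample messages are all constructed for the example; the function and constant names are likewise assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organisation's own
# mail domain and the address ranges its relays and workstations use.
INTERNAL_DOMAIN = "company.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Matches "from <host> ([ip]) ... by <host>" inside one Received: header.
_RECEIVED_RE = re.compile(
    r"from\s.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)",
    re.DOTALL,
)


def ingress_ip(msg):
    """Return the IP that handed the message to one of *our* relays.

    Relays prepend Received: headers hop by hop, so the topmost header written
    'by' a host in INTERNAL_DOMAIN is the first hop our own infrastructure saw.
    Every header below it was supplied by the sender and may be forged, so it
    is ignored.
    """
    for hdr in msg.get_all("Received", []):
        m = _RECEIVED_RE.search(hdr)
        if m and m.group("by").lower().endswith(INTERNAL_DOMAIN):
            return ipaddress.ip_address(m.group("ip"))
    return None  # no hop recorded by us: origin unknown


def is_internal_ip(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def classify(raw_message):
    """Describe one message; 'spoofed_internal' is the signal worth alerting on."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    ip = ingress_ip(msg)
    claims_internal = from_domain == INTERNAL_DOMAIN
    return {
        "subject": msg.get("Subject", ""),
        "from": addr,
        "ingress_ip": str(ip) if ip else None,
        "claims_internal": claims_internal,
        # An address in our own domain, but the message entered from outside
        # (or from nowhere we recorded): treat as a spoofed co-worker.
        "spoofed_internal": claims_internal and not is_internal_ip(ip),
    }


def flagged_subjects(raw_messages):
    """Subjects of the messages that classify() marks as spoofed insiders."""
    return [c["subject"] for c in map(classify, raw_messages) if c["spoofed_internal"]]


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    # 1. A co-worker's address, handed to our MX by an outside host. The second
    #    Received: line is attacker-supplied and names an internal IP; it is
    #    ignored because it was not written 'by' one of our hosts.
    "\n".join([
        "Received: from mail.example.net ([203.0.113.7]) by mx.company.example",
        "\twith ESMTP id abc123; Mon, 31 Jan 2005 08:00:00 -0500",
        "Received: from unknown ([10.1.1.1]) by mail.example.net;",
        "\tMon, 31 Jan 2005 07:59:00 -0500",
        'From: "IT Helpdesk" <helpdesk@company.example>',
        "To: staff@company.example",
        "Subject: Please confirm your application password",
        "",
        "Reply with your login and password so we can verify your account.",
    ]),
    # 2. Genuine internal mail: internal address, internal ingress hop.
    "\n".join([
        "Received: from ws-042.company.example ([10.20.30.40]) by mail.company.example",
        "\twith ESMTP id def456; Mon, 31 Jan 2005 09:15:00 -0500",
        "From: Alice Example <alice@company.example>",
        "To: bob@company.example",
        "Subject: Lunch?",
        "",
        "Noon?",
    ]),
    # 3. An outside supplier using its own domain: not an insider spoof.
    "\n".join([
        "Received: from smtp.supplier.example ([198.51.100.9]) by mx.company.example",
        "\twith ESMTP id ghi789; Mon, 31 Jan 2005 10:30:00 -0500",
        "From: billing@supplier.example",
        "To: marketing@company.example",
        "Subject: Invoice 1042",
        "",
        "Invoice attached.",
    ]),
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(classify(raw))
    print("flagged:", flagged_subjects(SAMPLE_MESSAGES))
```

The design point is that only the Received: header written by your own relay is trusted for the origin address; everything beneath it arrived with the message and is under the sender's control. The check will also trip on legitimate mail that carries an internal From: address but is routed through an outside service (a hosted mailing list, a cloud mail provider), so in practice the internal ranges must include such providers or the result should be combined with SPF and DKIM verdicts rather than used alone.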

Security vendors and anti-phishing organizations report that such targeted phishing attacks on enterprise networks - sometimes called spear phishing - are on the rise. What's at stake is not only the theft of personal financial information, but also loss of intellectual property, trade secrets and other highly sensitive information.

"Thieves have discovered a gold mine, and they're not going to let up until the technology gets better," says Avivah Litan, a vice president and research director with Gartner.

These targeted phishing attacks on companies take much more work on the part of the phisher than simply sending out thousands of e-mails that spoof eBay in hopes of catching a handful of consumer victims. But experts say that doesn't mean companies should assume it won't happen to them: phishers can do a great deal of damage with very little purloined information.

"If you're sending out Citibank e-mails to loads of people trying to get their [banking] password . . . then there's a very high likelihood that password is the same one used for network access," warns Dave Jevans, chairman of the Anti-Phishing Working Group, one of the industry organizations attempting to fight the problem (see graphic). That means even phishers who haven't figured out how to spoof internal e-mails still can gain network access by phishing consumers who aren't diligent about varying their passwords.

There's also been an increase in phishing attacks that target a certain company but don't originate within the organization, says Andy Klein, anti-fraud product manager with e-mail security vendor MailFrontier. The company's customers are reporting a rise in e-mails that purport to come from a service provider or supplier to their company - American Express' corporate credit card division, for example.

In these scenarios, phishers often send messages to a company's e-mail group names, such as marketing@company.com, and ask employees to update their account information. These e-mails hold more credibility than the massive consumer-oriented attacks because they appear to come from a trusted business partner, Klein says.
