First, the good news: Since we first reported on the rising threat of phishing attacks last spring, e-businesses have moved quickly to combat phishers, consumers are learning to be more discerning, and vendors are stepping up with anti-phish tools and services.
Now the bad news: Phishing exploits continue to increase at an alarming rate. There were only 198 phish sites in January 2004; there were 2,625 in February 2005, according to the Anti-Phishing Working Group. The number of unique phish e-mails hit a whopping 13,141 in February, and Symantec reports that its Brightmail spam filters blocked an average of 33 million phishing attempts per week in December, up from an average of 9 million in July.
But the sheer volume of phish attacks is only part of the problem. Phishers have become more sophisticated, using "phishing without a lure" techniques, such as pharming, spear phishing, Google phishing and Wi-phishing, to reel in customer account information without the customer ever entering it on a fake Web site (see graphic).
In fact, Symantec says hackers seem to be shifting their focus from taking down Web sites to gaining access to confidential information. Between July and December, malicious code created to expose confidential data represented 54% of the top 50 malicious code samples Symantec received, up from 44% in the first half of 2004 and 36% in the second half of 2003.
And phishers are expanding their list of targets beyond major banks to a seemingly unlimited number of smaller financial institutions and other e-commerce sites. "There is a cyclical pattern," says Mark Schull, president and CEO of online fraud-fighting company MarkMonitor. Phishers hit Bank A. Bank A fights back. Phishers move on to Bank B, but then, armed with ever more sophisticated tools, circle around and hit Bank A again a few months later.
Even though experts say a smaller percentage of consumers is falling for phishes these days, the dollar damage from online bank fraud is significant. A recent survey by the Ponemon Institute said that 2% of people surveyed had lost money, and the study estimated that consumers lost $500 million to phishers in 2004. Even more troubling, the survey of 1,335 people reported that 70% of respondents had visited a fake site, and 15% said they had parted with private data.
Even more troubling for online merchants is the psychological impact. In a study of 655 consumers by fraud prevention service Cyota, more than half said they were afraid to do online commerce because of phishing concerns. And a Symantec study showed that nearly one-third of respondents said they would not do online banking because of phish fears.
"If you're a financial institution who sees that e-banking is critical to revenue growth, and you hear that 31.5% of your prospective online customers won't use e-banking, you've got to take some steps to change that," says Kim Legelis, director of banking and financial services solutions at Symantec.
"Phishing has been pretty top of mind for me over the past eight months," says Brad Nightengale, vice president of emerging products at Visa. He says Visa has been hit with its "fair share of phishing attacks" and has responded in a number of ways, including the creation of a phishing e-mail box where customers can send phishes to be analyzed. Visa has joined an anti-phish reporting network. And it has aggressively moved against phish sites by contacting the ISP used by the phisher and getting the site shut down - often within three hours of detection.
Nightengale says that while Visa believes it has phishing "well under control" in terms of actual consumer fraud, there is the larger worry. "One of the reasons we're so concerned is that we believe consumers may perceive the online environment as exceedingly risky," he says. And that perception could curb online spending, even though studies have shown that the vast majority of identity theft occurs offline, he says.
"Phishing is more an attack on brand identity than on consumers," says Dave Cullinane, chief information security officer at Washington Mutual in Seattle, which started seeing attacks against its brand in October. "Phishers are trying to take advantage of confusion, and they're very good at the social engineering [deception] aspect of getting people to give up things they shouldn't."
Like Visa, Washington Mutual has responded by launching a consumer education campaign, sharing attack trends and technologies with industry associations, and hiring a brand protection service to close down phishers as quickly as possible.
But this level of effort is mostly reactive. The Financial Services Technology Consortium, a group formed last year specifically to fight phishing, strongly advocates preventive measures, including two-factor authentication - sooner rather than later - to validate everything a customer sees or touches online.