Near my home is a medium-sized river that's a popular fishing spot. Small boats are fairly common on the river, but most of the hopeful anglers stand in the river in hip waders, trying to catch pike or walleye. Unfortunately, fishermen aren't the only people dangling bait these days. A growing number of criminals are sending out fake email messages in a process known as phishing.
The Anti-Phishing Working Group (APWG--http://www.antiphishing.org ) has a succinct definition of phishing that's worth citing: "Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' emails to lead consumers to counterfeit Web sites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords, and social security numbers. Hijacking brand names of banks, e-retailers, and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning." I'm amazed that any user would actually fall for an email message that says, "Your account's been compromised, so please log in." But people do fall for these schemes--and in record numbers. "Information Week" estimates that between 3 percent and 5 percent of users who receive a phishing email message actually go to the bogus Web site and provide at least some personal information. Estimates of the financial losses these attacks cause are hard to come by, but late last month the US Federal Trade Commission (FTC) settled with Zachary Hill, a Texas phisher who bilked about 400 people out of a total of more than $125,000. The APWG estimates that in February 2005 more than 2600 active phishing sites (with an average lifetime of 5 days per site) were in use. You can apply a variety of phishing countermeasures, and more are on the way. The biggest hope probably lies in the Sender Policy Framework (SPF) standard and Microsoft's Sender ID (see "Sender ID: Back From the Grave" at http://www.windowsitpro.com/article/articleid/44353/44353.html ), which provides verification that the actual sender of a message matches the domain that the message claims to be from. Microsoft is committed to introducing support for Sender ID in Exchange 2003 Service Pack 2 (SP2), a move that will undoubtedly speed its adoption. In the meantime, several antispam vendors have introduced antiphishing features in their products. Barracuda Networks, Tumbleweed Communications, and other vendors use systems that rely on user reports of phishing messages to mark similar messages as phish-y; filters that use techniques such as Spam URL Realtime Block Lists (SURBL) to mark messages that contain "bad" URLs might also help catch such messages. Ultimately, the most significant countermeasure is educating your users--and friends, relatives, neighbors, and other people to whom you provide ad hoc advice or technical support--about these messages. The majority of phishing messages claim to be from only five or six companies, such as eBay, Citibank, PayPal, and Wells Fargo, that never send out security notifications via email. Apart from the financial losses, the recent tendency of phishing sites to install crimeware on users' computers poses a worrisome long-term threat because infected home machines might not be detected for some time, and those machines can introduce problems into your corporate network. On an unrelated note, the ballot for Windows IT Pro's annual Readers' Choice awards is now live. Here's your chance to reward companies that provide excellent products and the best overall services. The September 2005 issue of Windows IT Pro will feature the winners. Click here to vote: http://www.windowsitpro.com/readerschoice
