
The Morphing Online Fraud Threat

By Tom Schmidt

If there is one trait common to nearly all purveyors of online fraud, it is the ability to mutate. From simple attempts at social engineering to "phishing," "pharming" and "spear phishing," fraudsters have proven especially resourceful at modifying their behavior. The result has been a shift in the threat landscape. As the latest Internet Security Threat Report observed, attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets.

"Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud." ("Internet Security Threat Report Vol. VIII," September 2005)

This article looks at the most significant online threats and the steps organizations can take to stop them.

The evolution of phishing

One of the more worrisome findings of the latest Threat Report concerns the continued increase in phishing attacks. Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. Consider these statistics:

  • In the first six months of 2005, there were 1.04 billion phishing attacks blocked, compared to 546 million in the last six months of 2004, a 90% increase in messages blocked.
  • Between January 1 and June 30, 2005, the volume of phishing messages grew from an average of 2.99 million messages a day to 5.70 million.
  • One out of every 125 email messages scanned by anti-spam solutions was a phishing attempt, an increase of 100% from the last half of 2004.

These figures are borne out by the latest report from the Anti-Phishing Working Group. In August, the APWG detected 5,259 unique phishing Web sites, the highest number ever. The APWG surmised this may reflect an increasing tendency of phishers to target a diverse group of smaller brands, as well as "an increased use of multiple sites to host a single attack, in order to increase their resiliency to takedown efforts."

While the financial services sector continues to be the most targeted industry sector (accounting for nearly 85% of all attacks in August), the APWG said it is now seeing a number of new targets, including insurance companies, credit unions, payment services, and even an ATM network (such attacks are commonly referred to as "puddle phishing"). The APWG said it is also finding an increase in the number of reported attacks against European financial institutions and ISPs. More attacks against customers of Canadian institutions are being reported as well.

A dramatic rise in malicious code

As disturbing as the rise in phishing attacks has been, the Threat Report also notes with alarm the "massive increase" in malicious code. Over the first half of 2005, there were more than 10,866 new Win32 viruses and worms documented, an increase of 48% over the 7,360 documented in the second half of 2004. (It's also an increase of 142% over the 4,496 documented in the first half of 2004.) The increase is primarily due to the rise of Win32 variants that implement bot features -- such as remote access through IRC channels and denial of service capabilities -- that attackers now use for financial gain. For instance, use of the Spybot, Gaobot, and Randex bots has risen dramatically because their source code is available to the public. And as the Threat Report puts it:

"The number of new variants is all the more remarkable considering that the number of existing families has not changed appreciably over the past four reporting periods. The increase in variants is problematic for organizations because each one represents a new threat against which administrators must secure their systems and for which antivirus providers must develop and provide updates."

Methods of mitigating online fraud

Any solution aiming to mitigate online fraud must be multi-pronged and include the following components:

  • An email fraud detection, filtering, and alerting network
  • Online customer education
  • A desktop security assessment capability for customers of financial institutions
  • An infrastructure and means for financial services customers to acquire the products and services needed to improve their level of protection
  • Consulting and assessment services

The fraud detection network detects and blocks fraudulent email before it reaches customers. In parallel, an online destination -- co-branded with individual financial institutions -- enables customers to better understand security-related and fraud avoidance issues, test their exposure to online threats, and identify and address their security needs.

A key component of this approach involves intercepting fraudulent email before it reaches the mailbox of potential victims, which minimizes damage and costs. Specifically, a probe network of 2 million decoy email accounts can attract fraudulent email. The network then monitors the Internet for fraudulent email that targets the customers of businesses enrolled in this service. At an operations center, 25 million email messages per day are received and analyzed. Researchers at the center investigate and validate possible fraudulent email attacks. Unlike spam, fraud attacks can be difficult to detect without expert inspection and detection algorithms. The best solutions use both human experts and technological means to identify fraud attacks at their earliest stages.

Once a fraud attack is identified, anti-fraud rules are deployed in the form of continually updated filters that block the fraudulent messages. When attacks that target specific brands are detected, immediate alerts are sent to pre-designated personnel, enabling the institution to set in motion incident response procedures such as contacting law enforcement, working to block spoofed IP addresses, notifying customers, and initiating internal investigations.

The result is that potentially fraudulent emails are automatically filtered and blocked while institutions receive immediate notification.
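
The identify, filter and alert loop described above can be sketched in code. This is an added example, not code from the article or from any vendor's product: it triages mail arriving at decoy accounts, flags messages that name an enrolled brand but link to a host outside that brand's domains, and emits one filter-and-alert finding per host. The brand, domains, contact address and decoy addresses are hypothetical, and keying the filter on the link host is an assumption.

```python
import re
from urllib.parse import urlsplit

# Hypothetical enrolment data: brand -> (legitimate domains, alert contact).
ENROLLED = {"Example Bank": ({"examplebank.example"}, "fraud-desk@examplebank.example")}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Constructed decoy-mailbox traffic; the first two differ only in random filler.
SAMPLE = [
    {"to": "decoy1@probe.example", "subject": "Example Bank security notice",
     "body": "Verify now: http://examplebank.example.acct-verify.example/a xkq7"},
    {"to": "decoy2@probe.example", "subject": "Example Bank security notice",
     "body": "Verify now: http://examplebank.example.acct-verify.example/a p0zr"},
    {"to": "decoy3@probe.example", "subject": "Example Bank statement ready",
     "body": "View it at https://www.examplebank.example/statements"},
    {"to": "decoy1@probe.example", "subject": "Cheap watches",
     "body": "Buy at http://watches.example/"},
]

def link_hosts(body):
    """Return the lower-cased hostname of every http(s) link in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL; nothing usable to key a rule on
            continue
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def is_legitimate(host, domains):
    """True if host is one of the brand's own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(messages):
    """Collapse brand-spoofing messages into one finding per (brand, link host)."""
    findings = {}
    for msg in messages:
        text = (msg["subject"] + " " + msg["body"]).lower()
        for brand, (domains, contact) in ENROLLED.items():
            if brand.lower() not in text:
                continue
            for host in link_hosts(msg["body"]):
                if not is_legitimate(host, domains):
                    # Keyed on the host, so randomized body text does not split it.
                    findings.setdefault((brand, host), {
                        "brand": brand, "block_host": host, "alert_to": contact,
                        "decoys_hit": set()})["decoys_hit"].add(msg["to"])
    return sorted(findings.values(), key=lambda f: (f["brand"], f["block_host"]))
```

Running `triage(SAMPLE)` yields a single finding for the look-alike host, covering both decoy recipients, while the genuine statement notice and the unrelated spam produce none.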

Conclusion

Based on emerging data collected over the first six months of this year, experts predict that the threat of phishing will continue to grow as attackers take advantage of new targets. This is because smaller targets (such as regional banks) far outnumber large ones (like credit card companies), and because smaller targets generally present fewer challenges for attackers.

In addition, phishing messages are continually being altered in order to evade anti-spam and anti-phishing filters. This is driving innovation in methods of evasion, particularly in the use of randomized changes in phishing messages.

For these reasons, organizations are strongly urged to deploy an online fraud solution. Organizations should also ensure that their end users are educated about new forms of online fraud. They should closely monitor phishing activity and keep their users informed of the latest phishing scams and how to avoid falling victim to them.

End users should be educated about the types of threats they are likely to encounter and advised not to respond to any requests for confidential or financial information without confirming the source and validity of the request.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
