Near my home is a medium-sized river that's a popular fishing spot. Small boats are fairly common on the river, but most of the hopeful anglers stand in the river in hip waders, trying to catch pike or walleye. Unfortunately, fishermen aren't the only people dangling bait these days. A growing number of criminals are sending out fake email messages in a process known as phishing.
The Anti-Phishing Working Group (APWG--http://www.antiphishing.org ) has a succinct definition of phishing that's worth citing: "Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' emails to lead consumers to counterfeit Web sites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords, and social security numbers. Hijacking brand names of banks, e-retailers, and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning."
I'm amazed that any user would actually fall for an email message that says, "Your account's been compromised, so please log in." But people do fall for these schemes--and in record numbers. "Information Week" estimates that between 3 percent and 5 percent of users who receive a phishing email message actually go to the bogus Web site and provide at least some personal information. Estimates of the financial losses these attacks cause are hard to come by, but late last month the US Federal Trade Commission (FTC) settled with Zachary Hill, a Texas phisher who bilked about 400 people out of a total of more than $125,000. The APWG estimates that in February 2005 more than 2600 active phishing sites (with an average lifetime of 5 days per site) were in use.
You can apply a variety of phishing countermeasures, and more are on the way. The biggest hope probably lies in the Sender Policy Framework (SPF) standard and Microsoft's Sender ID (see "Sender ID: Back From the Grave" at http://www.windowsitpro.com/article/articleid/44353/44353.html ), which provides verification that the actual sender of a message matches the domain that the message claims to be from. Microsoft is committed to introducing support for Sender ID in Exchange 2003 Service Pack 2 (SP2), a move that will undoubtedly speed its adoption.
In the meantime, several antispam vendors have introduced antiphishing features in their products. Barracuda Networks, Tumbleweed Communications, and other vendors use systems that rely on user reports of phishing messages to mark similar messages as phish-y; filters that use techniques such as Spam URL Realtime Block Lists (SURBL) to mark messages that contain "bad" URLs might also help catch such messages.
Ultimately, the most significant countermeasure is educating your users--and friends, relatives, neighbors, and other people to whom you provide ad hoc advice or technical support--about these messages. The majority of phishing messages claim to be from only five or six companies, such as eBay, Citibank, PayPal, and Wells Fargo, that never send out security notifications via email. Apart from the financial losses, the recent tendency of phishing sites to install crimeware on users' computers poses a worrisome long-term threat because infected home machines might not be detected for some time, and those machines can introduce problems into your corporate network.
On an unrelated note, the ballot for Windows IT Pro's annual Readers' Choice awards is now live. Here's your chance to reward companies that provide excellent products and the best overall services. The September 2005 issue of Windows IT Pro will feature the winners. Click here to vote:
During his first-ever Consumer Electronics Show (CES) 2009 keynote address last night in Las Vegas, Microsoft CEO Steve Ballmer announced the pending public availability of a feature-complete Windows 7, the final version of Windows Live Essentials, and ...
Microsoft Learning Snack - Green IT Through Virtualization Many organizations face rising operating costs caused by excessive energy consumption. Virtualization and "Green IT" can help cut these costs. Get the information you need to bring Green IT savings to your business.
Order Your Fundamentals CD Today! Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.
Microsoft Learning Snack - Virtualization Basics With virtualization, computing components essentially become on-demand services, freeing each element of a system from the others. This short video explains the needs, benefits, and technologies behind virtualization.
Microsoft Learning Snack - Virtualization Basics With virtualization, computing components essentially become on-demand services, freeing each element of a system from the others. This short video explains the needs, benefits, and technologies behind virtualization.
Empower Your Processes with PowerShell 201 Paul Robichaux delves deep into PowerShell how-tos in 3 informative lessons, each followed by live Q&A—all on your own computer! Register today!
Microsoft Learning Snack - Green IT Through Virtualization Many organizations face rising operating costs caused by excessive energy consumption. Virtualization and "Green IT" can help cut these costs. Get the information you need to bring Green IT savings to your business.
New Release: Windows IT Pro Master CD 13 years of content archives, fast answers with advanced search tools, and full access to WindowsITPro.com—order today!
Register
