Phishers will exploit trusted brands on an unprecedented scale in 2007. FairWinds explores best practices to help prevent phishing and the erosion of consumer trust in brands and introduces Martin Sutton, e-Risk Manager for HSBC Holdings plc as well as Laura Mather, Senior Scientist of enterprise brand protection firm MarkMonitor.
Phishing is a problem on the Internet most commonly associated with the financial services industry, but its reach continues to expand to affect a variety of brand owners with an online presence. Phishers have created an extremely successful business by preying on consumer trust in well-known brands, and they have done so at a time when marketers are trying to use the Internet to establish trust and hold more innovative and engaging conversations online. Phishing works because consumers trust a specific brand and are willing to click on links and open e-mails purportedly originating from those brands. Once a consumer has been victimized by a phishing scheme their trust may be permanently tarnished, particularly if the brand-owner involved does not take the necessary steps to protect its customers.
According to Martin Sutton, Manager, e-Risk at HSBC Holdings plc, one of the largest banking and financial services organizations in the world, “If the industry fails to respond to phishing effectively, it will continue to grow and affect consumer confidence substantially not only in online banking, but in eCommerce and other industries.”
The Anti-Phishing Working Group (APWG) defines phishing as attacks using “both social engineering and technical subterfuge to steal consumers’ personal identity, data, and financial account credentials. Social-engineering schemes use ‘spoofed’ e-mails to lead consumers to counterfeit Web sites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and personal identification such as social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.”[1]
The magnitude and scope of this problem have grown rapidly. According to the APWG, the number of unique phishing sites reported increased 757 percent from October 2005 to October 2006, from 4,367 in 2005 to 37,444 in 2006.[2] Phishers broke their previous record of the number of brands infringed upon in one month, with 176 brands being spoofed or hijacked in October 2006.[3] Phishers are expanding their activities beyond the financial services industry and are clearly finding success as the rate of attacks and financial impact of these schemes continue to rise.
The practice of phishing is very lucrative, and will rob American consumers of approximately $2.8 billion this year as estimated by the research firm Gartner. A recent survey performed by Gartner found that the average phishing victim now loses $1,244 per attack, as compared to an average of $257 in 2005.[4] Losses from online fraud against banks in the United Kingdom rose 55% in the first half of 2006 to £23M.[5] Though the financial impact to consumers is staggering, the greatest impact of phishing is felt by brand owners. They are saddled not only with the direct costs of the attack, but also with the costs of enforcement, detection and lost consumer confidence.
Phishers have found their attacks on the financial services industry so rewarding that according to a recent article in Advertising Age, “the hoaxes are now spreading to non-financial consumer brands as phishers latch on to well-known and trusted logos as bait, using promotions, giveaways and sweepstakes as lures. And that, coming at a time when marketers are relying more and more on interactive marketing to build one-on-one relationships with consumers, not only threatens to erode trust but also raises serious questions for marketers about the liability and what action they should take – or not take – to thwart criminals who hijack their brands.”[6] Some recent high-profile scams targeting companies outside of the financial services industry included false marketing promotions using the Coca-Cola and McDonald’s brands. Both scams offered giveaways if the e-mail recipients clicked on a link in the e-mails and “signed up” for these “marketing promotions.”[7] According to Phishtank.org, PayPal and eBay, Inc. were among the top ten phished brands in December 2006, ranked number one and number three respectively.[8]
As the practice of phishing has become more lucrative and the community has begun to respond, these attackers have become increasingly creative in the methods they use to profit from the misuse of established brands. Some common variants of phishing include spear phishing, the use of sub-domains, phishing-based Trojans and Rockphish attacks.
“Spear phishers send spurious e-mails that appear genuine to specifically identified groups of Internet users, such as certain users of a particular product or service, online account holders, employees or members of a particular company, government agency, organization, group, or social networking Web site. Much like a standard phishing e-mail, the message appears to come from a trusted source, such as an employer or a colleague who would be likely to send an e-mail message to everyone or a select group in the company (e.g., the head of human resources or a computer systems administrator). Because it comes from a known and trusted source, the request for valuable data such as user names or passwords may appear more plausible,” according to the Binational Working Group on Cross-Border Mass Marketing Fraud.[9] Spear phishing is concerning for both financial services companies and companies participating in e-commerce because it targets a wide array of Internet users.
“Sub-domain phishing involves employing a very large number of Web sites with URLs using multiple sub-domains attached to spoofed domains (e.g. 123.phishsite.com, 234.phishsite.com, 345.phishsite.com). The APWG believes that the multiple sub-domains ploy is used to defeat spam filters and URL-filtering systems by rapidly deploying variants that have not yet been added to blocking lists or “black lists” of phishing URLs.”[10]
Laura Mather, Senior Scientist at MarkMonitor, an enterprise brand protection firm, points out that the use of sub-domains is currently one of the most pressing issues in brand enforcement. “The use of sub-domains affects multiple brand owners and the problem is that as monitoring services blacklist them, they are blacklisting just one name when other URLs are also being used.”
“The way that blacklists are being provided to Internet Explorer and Firefox allows those browsers to block certain URLs such as www.phishcompanyx.com/creditcard. Unfortunately, if the URL is www.creditcard.phishcompanyx.com (a sub-domain) it is not going to get blocked. This is a serious problem. Phishers have created thousands of these sub-domains, and thus are avoiding one of the most common ways to combat phishing,” Mather said. Luckily, steps are being taken to address this. Microsoft’s IE7 (Internet Explorer 7.0) allows brand owners to send what is essentially a “wildcard” such that phishcompanyx.com can be blocked, no matter what occurs earlier in the URL. Brand owners are starting to take advantage of this, which should help mitigate the problem with multiple sub-domains.
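The difference between the two blacklist schemes Mather describes is a matching rule. An exact-URL entry matches only that string, so any new sub-domain or path slips past it; a domain-wide (“wildcard”) entry matches the registrable domain and every host beneath it. The following Python is an added illustration written for this article, not code from the article, from MarkMonitor, or from any browser vendor. The blocklist entries and URLs are constructed sample data that reuse the article’s own example name phishcompanyx.com; the `registrable_domain` helper is a deliberate simplification that takes the last two labels, where production code would consult the Public Suffix List.

```python
"""Blacklist matching: exact-URL entries versus domain-wide ("wildcard") entries.

Added illustration for the article's sub-domain discussion; not code from the
article or from any browser vendor. All entries and URLs below are constructed
sample data built on the article's example name phishcompanyx.com.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: real code should consult the Public Suffix List so that
    names under multi-label suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def blocked_by_exact_url(url: str, exact_entries: set) -> bool:
    """The older scheme: a URL is blocked only if it matches an entry verbatim.

    A phisher defeats this by registering a fresh sub-domain or changing the path.
    """
    return url.lower() in exact_entries


def blocked_by_domain(url: str, domain_entries: set) -> bool:
    """The "wildcard" scheme the article attributes to IE7: block any URL whose
    host *is* a listed domain or sits *beneath* it as a sub-domain.

    The check is label-aware (host == d, or host ends with "." + d), so a
    look-alike such as www.phishcompanyx.com.example is *not* matched: its
    registrable domain is different, and a plain substring test would be wrong.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domain_entries)


# Constructed sample blocklists: one exact-URL entry, one domain-wide entry.
EXACT_BLOCKLIST = {"http://www.phishcompanyx.com/creditcard"}
DOMAIN_BLOCKLIST = {"phishcompanyx.com"}

# Constructed sample URLs in the pattern the article describes.
SAMPLE_URLS = [
    "http://www.phishcompanyx.com/creditcard",      # the listed URL itself
    "http://www.creditcard.phishcompanyx.com/",     # sub-domain variant from the article
    "http://123.phishcompanyx.com/login",           # numeric sub-domain variant
    "http://www.phishcompanyx.com.example/",        # look-alike on a different domain
]


def evaluate(urls=SAMPLE_URLS):
    """Return {url: (blocked_by_exact_url, blocked_by_domain)} for each URL."""
    return {
        u: (blocked_by_exact_url(u, EXACT_BLOCKLIST), blocked_by_domain(u, DOMAIN_BLOCKLIST))
        for u in urls
    }


if __name__ == "__main__":
    for url, (exact, wildcard) in evaluate().items():
        print(f"{url:48} exact={exact!s:5} domain-wide={wildcard}")
```

Running the block shows the gap the article describes: only the first URL is caught by the exact-URL list, while the first three are caught by the domain-wide entry, and the look-alike on a different registrable domain is correctly left alone by both.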
Another common tactic is the use of Trojans. The APWG defines phishing-based Trojans as crimeware code designed with the intent of collecting information on the end-user in order to steal those users’ credentials. Phishing-based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions and online retailers and eCommerce merchants) in order to get specific information, the most common being access to financial Web sites, eCommerce sites, and web-based mail sites.[11] Rather than a phishing attack that spoofs an e-mail and asks users to reply with details, a Trojan embeds itself on the machine and takes the information it wants as the user types it into their machine. Trojan programs are becoming more and more prevalent as criminals concentrate their efforts on the Internet and send e-mails linked to malicious Web sites rather than infected mail.
Rockphish attacks are a relative newcomer to the phisher’s repertoire, and like sub-domain attacks, they are effectively finding ways around blacklisting and many anti-phishing tools. Rockphish attacks utilize “multiple phishing scams targeting different banks placed on the same Web server. Each individual scam page is assigned to an Internet sub-domain that for a short time is tied to an Internet address of a compromised computer that the phishers control. When a would-be victim clicks on a link in a Rockphish scam, they are routed through the drone PC to the correct scam page, depending on a special code specified in the e-mailed link.”[12] Sutton noted, “In the latter part of 2006, HSBC saw a dramatic rise in the number of phishing attacks within the industry, partly attributable to the use of ‘Rockphish’ techniques which deploy networks of phishing sites on compromised servers. Over 2,500 phishing attacks targeted HSBC entities last year, a huge increase over the 150 we saw in 2005.”
Fortunately, consumers are becoming savvier about phishing and many are changing their online behavior in order to protect their personal and financial information. On the downside, some consumers are opting not to complete online transactions for fear that their personal information may be hijacked. While this helps prevent successful phishing attacks, it harms the overall Internet experience and prevents legitimate businesses from offering efficient solutions to customers online. Over a quarter of online consumers cite concerns about phishing as the reason they have not applied online for a financial product.[13] In addition, a 2005 Consumer Reports survey found that 9 out of 10 American adult Internet users have made changes to their Internet habits because of the threat of identity theft, and of those, 30 percent say that they reduced their overall usage. Furthermore, 25 percent say they have stopped shopping online, while 29 percent of those that still shop online say they have decreased the frequency of their purchases.[14] The loss of consumer trust is a serious issue for companies. Closing the current “trust gap” that has been created by phishing is an important step for brand owners to take in order to avoid losing online business as a result of these schemes.
Much of the burden of fighting this issue is placed on the shoulders of brand owners. According to Sutton, “The Internet is our online shopping mall - but the nature of the Internet means it is more difficult to police and protect consumers. Adversely, it is a playground for criminals. As fraudsters’ techniques continue to change, we need to continually improve our detection capabilities, incident response coordination and sharing of analysis between industries and law enforcement groups.” To combat phishing, it is important to employ a robust monitoring and take-down solution, as well as to proactively speak with consumers and provide secure and trusted avenues for interaction.
Quickly identifying spoof sites or phishing e-mails is very important in combating phishing attacks. Sutton notes, “Early detection is vital and various tools or third-party services are available to assist companies in detecting attacks (monitoring SPAM, suspicious domain name registrations, web content, IRC channels, etc.).” Many firms are currently working to improve early detection in order to take down phishing sites as soon as possible. According to Mather, “MarkMonitor is using new early detection strategies including getting lists of newly registered domain names daily to find new domains containing ‘bank’ or ‘account update’, for example.” This proactive step can provide brand owners with the ability to identify these infringements earlier and take action sooner than was previously possible. The Sophos Security Threat Report 2007 noted that a growing number of organizations in the United States are falling victim to Web site attacks and urged businesses and web users to boost security to protect against scams.[15]
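The early-detection step Mather describes, screening each day’s newly registered domain names for suspicious words, comes down to normalizing each name and testing it against a keyword list and the brand’s own name. The Python below is an added example written for this article; it is not MarkMonitor’s code or anything the article supplies. The daily registration feed is constructed sample data under the reserved `.example` TLD, the brand `examplebank` is a placeholder rather than a real company, and the keyword list is an assumption that extends the article’s two examples (“bank” and “account update”) with a few others of the same kind. It also shows the two things a practitioner has to handle that the paragraph does not: the brand’s own legitimate registrations must be allowlisted, and a bare keyword such as “bank” produces false positives that still need analyst review.

```python
"""Screen a daily feed of newly registered domain names for phishing keywords.

Added example for the article's early-detection discussion; not MarkMonitor's
code or the article's. The feed, the placeholder brand "examplebank" and the
extended keyword list are all constructed assumptions.
"""
import re

# Assumed keyword list: the article names "bank" and "account update";
# the rest are added here as examples of the same kind.
KEYWORDS = ("bank", "account update", "verify", "secure login")

# Placeholder brand name whose look-alikes we want to catch (not a real company).
BRANDS = ("examplebank",)

# Domains the brand owner knows are its own; these must never be flagged.
OWN_DOMAINS = {"examplebank.example"}


def normalize(domain: str) -> str:
    """Lowercase the name, drop the TLD, and strip separators so that
    'Account-Update.example', 'account_update.example' and
    'accountupdate.example' all compare equal."""
    labels = domain.lower().rstrip(".").split(".")
    name = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z0-9]", "", name)


def screen(domains, keywords=KEYWORDS, brands=BRANDS, own=OWN_DOMAINS):
    """Return {domain: [reasons]} for every registration that trips a rule.

    Rules: any keyword (with spaces removed) appearing in the normalized name,
    or a brand name appearing inside a longer name (brand + extra text is the
    classic 'brand-account-update' pattern). Allowlisted own domains are skipped.
    """
    hits = {}
    for domain in domains:
        if domain.lower() in own:
            continue
        name = normalize(domain)
        reasons = [f"keyword:{k}" for k in keywords if k.replace(" ", "") in name]
        reasons += [f"brand:{b}" for b in brands if b in name and name != b]
        if reasons:
            hits[domain] = reasons
    return hits


# Constructed sample of one day's new registrations (reserved .example TLD).
NEW_REGISTRATIONS = [
    "examplebank-account-update.example",  # brand + keyword: classic lure
    "secure-login-examplebank.example",    # keyword + brand, other order
    "AccountUpdate123.example",            # keyword only, mixed case and digits
    "flowershop.example",                  # benign
    "examplebank.example",                 # the brand's own domain (allowlisted)
    "riverbankcafe.example",               # false positive on "bank": needs review
]


if __name__ == "__main__":
    for domain, reasons in screen(NEW_REGISTRATIONS).items():
        print(f"{domain:40} {', '.join(reasons)}")
```

Each flagged name carries the reasons it matched, which is what an analyst needs to prioritize: a name that combines the brand with a keyword deserves immediate attention, while a lone keyword hit such as riverbankcafe.example is a reminder that a keyword screen is a triage step, not a verdict.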
Enforcement can be challenging and getting sites taken down requires a great deal of both financial and human resources. “HSBC’s global footprint has its own benefits when it comes to taking down spoof sites, relying on established relationships with network providers and law enforcement agencies to suspend fraudulent sites quickly to minimize the exposure to consumers and risks to the company,” said Sutton. There are third parties such as MarkMonitor, Cyveillance, and RSA that can be used to outsource this activity.
In order to ensure more effective investigation and prosecution of phishing, it is important that law enforcement authorities receive appropriate training on phishing and investigative techniques so that phishers are more readily caught and prosecuted for their illegal activities.[16]
Future trends in fighting phishing and current best practices demonstrate that more proactive approaches are needed in order to effectively combat these schemes and bridge the consumer trust gap that currently exists. Companies should continue to work towards the development of new technology and ensure that the most up-to-date software and programming are in place. Microsoft’s newly debuted IE7 is one example of recently released technology that attempts to tackle phishing head on. Previously, phishing sites were blacklisted only once a site was detected. The re-tooled IE7 will analyze Web pages looking for common tricks used by phishers. It will offer an opt-in anti-phishing feature that uses color codes to alert users to questionable sites before they visit them.
It is vital that companies educate their consumers directly in order to prevent them from falling victim to phishing schemes and avoid brand dilution before it has had a chance to occur. Educating consumers is a two-fold process. Companies must inform consumers of the standard approved format used in official communications. This includes notifying consumers that e-mails requesting updated personal information and links that direct consumers to sites asking for personal information are not standard practice and should be immediately reported and then deleted. It is also beneficial for companies to remind consumers that by taking personal responsibility for their computers and updating the OS (operating system) patches, anti-virus software and anti-spyware software installed on their machines, they can protect themselves from being attacked.
In addition to utilizing improved technology and undertaking consumer education campaigns, brand owners should acknowledge the risk to their consumers and ensure that they are provided with adequate support in the aftermath of an attack. Once a consumer has been phished under the auspices of a particular brand, they may be reluctant to do business online in the future. This impacts e-commerce services as well as online public services such as e-government. The ways in which a company reacts to phishing attacks on their consumers can go a long way in restoring trust in a company’s online offerings and can help re-strengthen the brand in the mind of the consumer.
Other measures that companies should consider include supporting stronger legislative frameworks to combat Internet crimes and binational and national coordination.[17] Several government bodies, including the U.S. Department of Justice and the Canadian Government, are reviewing existing legislation to ensure that loopholes are eliminated and language specifically addressing the illegality of phishing is included. While there are current laws in place such as the CAN-SPAM Act that can be applied to phishers, legislation that addresses the issue more directly is needed. By taking an active interest in current legislation and how it should be amended, brand owners can affect the prosecution of phishers and help determine who is ultimately held responsible for damages to the consumer. A number of coordinating bodies exist to address identity theft, including the Binational Working Group on Cross-Border Mass Marketing Fraud and United Nations Crime Commission Intergovernmental Expert Group on Fraud and the Criminal Misuse of Identity. They can be extremely useful in coordinating efforts to address phishing on a larger scale. Keeping abreast of the work being spearheaded by these groups can give brand owners a better understanding of the current landscape and allow them to weigh in on this very important issue.
Phishing is a global issue brought on by the global nature of the Internet. Waging a more effective war on phishing and adequately protecting brands requires coordinated efforts on the part of companies across industries, law enforcement agencies and ISPs. It is up to those with an interest in e-commerce to ensure that e-crime remains high on the agenda for governments and law enforcement. Proactive preventative measures, smarter tools and software and widespread consumer awareness are vital as well. As progress is made in these areas, there is hope that consumers will be less likely to take the phisher’s bait, online marketing can safely continue to thrive and further dilution of brands can be prevented.
Endnotes:
[1] Anti-Phishing Working Group. Phishing Activity Trends Report, Combined Report for September and October, 2006. (2006).
[2] Anti-Phishing Working Group. Phishing Activity Trends Report, Combined Report for September and October, 2006. (2006).
[3] Anti-Phishing Working Group. Phishing Activity Trends Report, Combined Report for September and October, 2006. (2006).
[4] Weisbaum, Herb (2006, December). Don’t Get Hooked This Phishing Season. MSNBC.com, NEWS; ConsumerMan.
[5] “Online Banking Fraud Rises Fast.” BBC News. 7 November 2006. <http://news.bbc.co.uk/2/hi/business/6122116.stm>.
[6] Macarthur, Kate (2006, December). Phishers Switch Their Brand Bait: Bogus web sweepstakes have started using logos for Coke and other nonfinancial companies to lure customers into giving out personal info. Advertising Age, News; 3.
[7] Macarthur, Kate (2006, December). Phishers Switch Their Brand Bait: Bogus web sweepstakes have started using logos for Coke and other nonfinancial companies to lure customers into giving out personal info. Advertising Age, News; 3.
[8] “Stats > December 2006.” PhishTank.com. 3 January 2007. <http://www.phishtank.com/stats/2006/12/>.
[9] Binational Working Group on Cross-Border Mass Marketing Fraud. Report on Phishing: A Report to the Minister of Public Safety and Emergency Preparedness Canada and the Attorney General of the United States. (2006), 3.
[10] Anti-Phishing Working Group. Phishing Activity Trends Report, Combined Report for September and October, 2006. (2006).
[11] Anti-Phishing Working Group. Phishing Activity Trends Report, Combined Report for September and October, 2006. (2006).
[12] Krebs, Brian. “Brian Krebs on Computer Security.” Washington Post Online: Security Fix. 12 Dec. 2006. <http://blog.washingtonpost.com/securityfix/2006/12/phishing_scams_soared_in_octob.html>.
[13] Graeber, Catherine. Phishing Concerns Impact Consumer Online Financial Behavior. Forrester Research, (2004), 1.
[14] Binational Working Group on Cross-Border Mass Marketing Fraud. Report on Phishing: A Report to the Minister of Public Safety and Emergency Preparedness Canada and the Attorney General of the United States. (2006), 11.
[15] Sophos, Inc. Sophos Security Report 2007. (2007). 13 February 2007 <http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threats-2007_wsrus.pdf>.
[16] Binational Working Group on Cross-Border Mass Marketing Fraud. Report on Phishing: A Report to the Minister of Public Safety and Emergency Preparedness Canada and the Attorney General of the United States. (2006), 17.
[17] Binational Working Group on Cross-Border Mass Marketing Fraud. Report on Phishing: A Report to the Minister of Public Safety and Emergency Preparedness Canada and the Attorney General of the United States. (2006), 16, 18.