Phishing used to be mainly a threat to the technically unsophisticated consumer. Phishers broadcast messages purporting to be from major banks and online businesses such as eBay and Paypal, giving the recipients some story about suspicious transactions or security checks to lure them to fraudulent Web sites where they might unwittingly give away personal information.
Phishing attacks are obvious nine times out of 10 because they claim to be from someone the recipient doesn’t even do business with. Even when they come from businesses you have accounts with, many phishing attacks are pretty easy to spot.
But phishing is getting more sophisticated. The latest variant, called spear phishing, targets small groups such as employees of a particular organization. Phishers could be trying to dupe your users into giving away information that will let them break into your company’s systems. And the volume of phishing is still increasing. Symantec Corp. says it saw a 90 per cent increase in phishing e-mails in the first half of 2005.
Clemens Martin, director of IT programs and the Hacker Research Lab at the University of Ontario Institute of Technology, recently gave a demonstration of spear phishing. Users receive an e-mail claiming to be from the company’s IT department and formatted exactly like a real e-mail from IT. It says everyone has to change their passwords. In the e-mail is a link to what appears to be an internal Web site. Users click on the link and see a screen asking them to enter their old passwords, then to enter new passwords. Everything looks above board.
But the real destination of the link is not what users see in the e-mail — though it is real-sounding enough that those who spot the difference may still be fooled — and the Web site is a spoof hosted somewhere outside the company.
When a user falls for it, the phisher captures his or her user name and password, which can then be used to gain access to the company’s systems.
With scams this sophisticated, fighting phishing is no longer just a matter of warning your mother to be careful about e-mail messages claiming to be from her bank.
America Online Inc. is active in the anti-phishing war, and Alex Leslie, vice-president of technology at AOL Canada, offers some insight into anti-phishing tactics.
One trick is to monitor new domain registrations, looking for names that sound suspiciously like those of established companies and might be used for phishing. Anti-phishing organizations also run software that crawls the Web much as search companies crawl it looking for sites to index — only these crawlers look for pages that resemble phishing fronts. AOL blocks members’ access to sites identified as phishing fronts.
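Two of the checks described on this page lend themselves to simple automation on the mail gateway or in a user-reporting tool: the spear-phishing demonstration above relies on a link whose visible text is not its real destination, and the domain-monitoring tactic looks for names that are near-misses of established ones. The following is an added example, not code from the article or from AOL or the UOIT lab; `TRUSTED_HOSTS`, the similarity threshold and the sample e-mail body are assumptions constructed for illustration.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hypothetical allow-list of the company's real hosts (an assumption, not from the article).
TRUSTED_HOSTS = {"intranet.example.com", "mail.example.com"}

class _AnchorCollector(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased host of a URL or bare host string; '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def looks_like_trusted(host, trusted, threshold=0.9):
    """True if host is not trusted but is a near-miss of a trusted host (e.g. one changed character)."""
    return host not in trusted and any(difflib.SequenceMatcher(None, host, t).ratio() >= threshold for t in trusted)

def suspicious_links(html, trusted=TRUSTED_HOSTS):
    """Return [(href, reason)] for links whose visible text names another host, or whose target is a look-alike."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        shown_url = re.match(r"(https?://)?[\w-]+(\.[\w-]+)+", text)  # does the visible text look like a URL?
        shown = _host(shown_url.group(0)) if shown_url else ""
        if shown and shown != real:
            findings.append((href, f"visible host {shown} differs from real host {real}"))
        elif looks_like_trusted(real, trusted):
            findings.append((href, f"target {real} is a look-alike of a trusted host"))
    return findings

# Constructed sample body in the style of the fake "change your password" e-mail described above.
SAMPLE_MAIL = ('<p>Reset at <a href="http://intranet-example.com/reset">https://intranet.example.com/reset</a> or '
               '<a href="http://mai1.example.com/reset">click here</a>; ask the <a href="https://intranet.example.com/help">help desk</a>.</p>')
```

Running `suspicious_links(SAMPLE_MAIL)` flags the first link for the mismatch between displayed and real host and the second for its look-alike target, while the genuine help-desk link passes.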
Now that corporate users are phishing targets, IT departments will need to start implementing their own defences — probably working with anti-phishing companies — as well as user education, which ought to start now if it hasn’t already.
Grant Buckler is a Kingston, Ont.-based freelance writer.