Create a No-Phishing Zone
As a soldier in Vietnam from 1967 to 1968, one of Jack Wiles’ main duties was defusing bombs. Now, as an IT security consultant, he “defuses” cyberthreats. He says that while phishing e-mails aren’t life threatening, they can be the catalyst for financial and system damages—and he’s developed an almost instinctual sense of when not to open a message.
Signs that an e-mail could be a phishing scheme might be that the message asks for sensitive information, contains a link or an attachment, calls for immediate action, or arrives unexpectedly, says Wiles, who is president and cofounder of The Training Co., a Charlotte, North Carolina-based IT consulting firm. The message also may appear to come from a known establishment, such as a financial institution, even though most people now know that banks won’t ask users for confidential information that way.
But just as the enemy in war learns to adapt, phishers have adjusted their tactics, making their e-mails harder to spot. As a result, companies must do more than run traditional antivirus scans and educate employees. Their countermeasures must evolve to keep pace with the enemy’s new attack formations.
Types of Attacks
In the past few years, there’s been a shift away from mass e-mails toward far more targeted messages. Sometimes called “whaling” e-mails or “spear-phishing,” such attacks frequently target high-level executives and contain personal information, such as executive and company names, addresses, and phone numbers. While phishing is manageable, “targeted phishing is a much harder problem,” says Stephen Northcutt, president of the Bethesda, Maryland-based research and training-oriented SANS Institute.
Targeted e-mails reached a new high in April and May 2008, according to Sterling, Virginia-based iDefense Labs, a VeriSign research unit. Between February 2007 and June 2008, there were at least 66 unique attacks, with about one-quarter occurring in April and May. The attacks successfully stole information or compromised computers in more than 15,000 cases in the 15-month period.
One attack was aimed at high-level executives and appeared to contain a subpoena from the United States District Court in San Diego. Each message included the executive’s name, company, and phone number and commanded targets to appear before a grand jury in a civil case. An embedded link claimed to lead to the subpoena but instead led to a page that automatically downloaded a keylogger.
Only 40 percent of commercial AV programs were able to recognize the malicious programs, according to iDefense. About 2,000 computers were compromised in the aforementioned attack, according to the Internet Storm Center, a network security organization run by the SANS Institute.
While spear-phishing is becoming more common, mainstream attacks shouldn’t be discounted. If attackers can install malware on just one company computer, they could glean important information or gain the foothold necessary to launch further attacks. “It’s the fringe attacks you need to watch out for,” says Ken Steinberg, CTO and founder of Savant Protection, a Hudson, New Hampshire-based application control software vendor.
In some cases, the e-mail doesn’t contain the malware, but it directs or lures recipients to a fraudulent Web site where they will be tricked into providing personal information or downloading malware. Alternatively, malware will be surreptitiously placed on their computer.
Social engineering. Along with technological traps, phishers typically rely on social engineering. They tend to focus on a few kinds of human vulnerabilities, according to William Pelgrin, director of the New York State Office of Cybersecurity and Critical Infrastructure Coordination.
One is trust, which can be achieved when a phishing e-mail appears to come from a familiar organization. Phishers are learning to make their e-mails look more legitimate. Some messages now include genuine HTML logos. Others take advantage of the ease with which senders’ addresses can be spoofed. And of course, phishers engender trust when they target the attack by using personal information.
Another social engineering tactic is shock value, which makes people react before thinking, as when the executives were told they were being subpoenaed. “Such e-mails can take advantage of how busy we are,” he says.
The simplest trick of social engineering is just to be chatty. In one example of social engineering that occurred several years ago, an attacker spoke at length with a technical support specialist at Dulles, Virginia-based America Online. During the conversation, the hacker casually mentioned that he wanted to sell his car.
When the technical assistant expressed interest, the hacker sent an e-mail with a picture of the car. The picture also contained a backdoor exploit that opened a connection through the company’s firewall. Approximately 200 customer accounts were compromised.
More malicious. In addition to attacks becoming more targeted and using social engineering, the malware contained in phishing e-mails is also growing more sophisticated. Many malware writers test their products against multiple commercial AV programs before releasing them, says Steinberg.
When phishing scams involve attachments, bad code can be hidden in files such as Excel spreadsheets or Microsoft Word documents or in pictures. Many of the attacks in the iDefense study sought to install a full version of the Apache Web server, a popular Web site management solution, on victims’ computers.
Many of the e-mail attachments described in that study included a keylogging program capable of capturing passwords. Other attacks described in the iDefense report sought to download a Browser Helper Object. It would detect Secure Sockets Layer (SSL) encrypted sessions and capture keystrokes typed into a dialog box before the information was securely transmitted.
Cost. Money lost from phishing scams totaled $3.2 billion in 2007, a record high, according to a Gartner report (2008 numbers aren’t available).
But what is the price of this phishing to specific sectors? It’s difficult to nail down. Researchers from Gartner and the University of California, Berkeley, studied Federal Deposit Insurance Corporation bank-reported data on phishing attacks from early 2005 to mid-2007. The regulatory reporting was unreliable, according to Gartner analyst Avivah Litan, and “impossible to draw any conclusions from.”
Part of the problem is that many incidents go unreported. In some cases, fraud affects many disparate parties, even long after an initial incident. Last year, for example, Salesforce.com, a San Francisco-based IT vendor, wrote a letter to its approximately one million customers warning that they might have been targeted by phishing attacks. The warning was sent after the company learned that a large group of its customers had received bogus invoices via e-mail that looked like they came from Salesforce.
The company’s customers had been targeted, the letter explained, because a Salesforce employee had fallen for a phishing message, which resulted in his providing an attacker with a corporate password leading to a database full of customers’ personal information. Salesforce said it was taking steps to boost “awareness, education, and technologies” at its company.
In the fight against phishing, everyone has a role to play. For companies, three primary goals should be education, new strategies to combat e-mail scams, and new ways to contain the spread of malware. Following is a look at some emerging practices and software solutions that are proving to be effective.
Awareness training. Most corporate e-mail gets filtered through antivirus scanners, but as already noted, such scanning only catches some phishing e-mails. That’s why experts stress the importance of staff education. “It’s not about the IT department but the person at the keyboard,” says Pelgrin.
Experts advise organizations to remind employees about risks and protective measures at least a few times a year. But these abstract reminders can only achieve so much.
To make the awareness training more effective, some organizations now send employees fake e-mails designed to see who can be fooled. Various programs exist that can help companies with this type of training.
One program is an online application called Phishme, launched by New York-based IT consulting firm Intrepidus Group. A Web-based portal, requiring no software installation, the system is based on a program Intrepidus has used with clients for several years. Companies can use Phishme to automate the sending of mock messages to employees.
When customers first sign into the portal, they estimate the number of mock e-mails they want to send to staff, along with the number of testing rounds they’d like. They can then choose from a number of phishing templates, or they can work with Intrepidus staff to design their own version, says Aaron Higbee, Intrepidus CTO. Templates are based on themes such as 401(k) plans, amusement park tickets, and the previously mentioned subpoena deliveries.
Customers choose the domain name of the Web site they want the e-mail to appear to have come from. Intrepidus has registered numerous domain names, says Higbee. Many take an existing company and add an appendage. For example, Phishme might take a bank or insurance firm name and add a dash followed by an add-on, he says.
With Phishme, employees who are fooled by the fake phish and click on an embedded link end up at a Web site that contains an explanation of the test, noting that it was authorized by the company. The Web site also gives employees educational material.
Client companies design what employees will see on the Web site. One template shows employees a straightforward list of what to watch out for. Companies can also ask for an Intrepidus-written phishing
Once an awareness campaign with fake phishing e-mails to employees has been launched, client companies can log into the portal to view real-time metrics measuring statistics, including how many employees opened the messages and how many clicked on links. Phishme does not collect data about the employees themselves, however.
About 60 companies were piloting Phishme when it was introduced, says Higbee. The price of the service depends on the number of messages sent as well as the level of detail involved in the employee exercises.
One of the largest mock phishing exercises occurred several years ago in the New York state government. Pelgrin, like other IT security professionals, had educated his staff on phishing through human resources materials, e-mail bulletins, and other means, but he thought the exercise would make more of an impression. To design the exercise, he put together a team consisting of several of his staff as well as others from the SANS Institute and the nonprofit Anti-Phishing Working Group.
The first test, launched in mid-2005, targeted about 10,000 employees. The messages appeared to come from Pelgrin’s office, but they had a slightly different sender address. The e-mail asked users for their passwords, saying that the organization wanted to test their strength.
The request for this confidential password information and the use of the wrong sender address were two clues that the e-mails were phony, says Pelgrin. Nevertheless, about 15 percent of the recipients fell for this first test, trying to respond to the message and give their password.
Employees who attempted to reply by clicking on the link embedded in the e-mail were sent to a Web page set up by Pelgrin, where they learned that the e-mail was part of a training exercise. Also on the Web site were educational materials including a video and slides depicting 10 e-mails. Employees were asked to indicate whether or not they would open each of the e-mails. Test takers later received their score and an explanation about why an answer was right or wrong.
About a month after the first test, Pelgrin launched another round of fake e-mails. This time, only about 8 percent of recipients were snared, which Pelgrin says reflects the training’s effectiveness.
From the start, Pelgrin says, he wanted the tests to be about learning, not blame. Commissioners at all participating agencies reviewed e-mails and documents before the exercises. As with the new Phishme solution, no information was gathered about the employees involved; only aggregate data was gathered. After the second test, however, employees who ignored or deleted the e-mail received a personal congratulatory e-mail from Pelgrin. He says that his office did not receive many complaints about the nature of the tests.
The tests not only helped educate employees, says Pelgrin, but they also helped New York state hone its educational message. He says his office was planning another round of e-mails. The office is also building a computer-based program to be used throughout New York and to be available to any other state and local governments.
Spam filters. In addition to education, companies can take advantage of nontraditional spam-filtering methods, such as challenge-response applications.
Wiles, for example, says that several years ago he was receiving about 1,000 e-mails a day, about 950 of which were spam. On the advice of a Web developer friend, he implemented a solution from Seattle-based Spam Arrest. While the solution has dramatically reduced spam, it’s also helped shield his organization from possible phishing, he says.
Once a company signs up for Spam Arrest, anyone sending e-mail to a person within the company’s network receives an automated e-mail reply. Senders are asked to click on a link to verify that a real person sent the message. So far, it does not appear that automated spam software is capable of clicking the links.
Senders only need to verify themselves once. While the solution won’t protect against phishing messages sent by individuals, it can guard against the more common, automatically generated variety.
Rejected e-mails are kept on a Spam Arrest server, which Wiles checks daily to ensure that he retrieves any legitimate messages that are caught in the filter by mistake. Spam Arrest offers a free 30-day trial. Several licensing plans are available, including $5.95 a month or $74.95 for two years.
If message recipients prefer the kind of “hands-on” filtering offered by Spam Arrest, they also might consider tracing the origin of suspect e-mails. Examining the Internet Protocol (IP) address in a message’s header, or source information, is the only real way to know its origin, says Wiles.
Tracing a message’s path involves reading the header data from the bottom up, says Richi Jennings, lead e-mail security analyst at Ferris Research. At the bottom, you should see a line that reads “Received: from,” followed shortly after by an IP address, the numeric identifier given to every computer accessing the Internet, written as four numbers separated by periods. The originating IP should connect to the name of the e-mail exchange used by the recipient. If the recipient is using Gmail, for example, that exchange could be listed as mx.gmail.com.
One can then go online and enter the IP address into a “reverse lookup” service. These are offered by numerous sites, some of which continue to add functionality such as mapping and other e-mail security features. Such services can often identify the sender’s city or town as well as his or her Internet Service Provider.
Reverse lookups won’t point to the exact individual who sent the message, says Jennings, but they could help to determine an e-mail’s legitimacy. If a recipient is so inclined, he or she can report the message to the network that owns the originating server.
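The bottom-up walk through a message’s “Received: from” lines that Jennings describes, as an added example that is not part of the original article. The message headers are constructed, the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation-reserved ranges standing in for real ones, and the “name [address]” text the receiving servers recorded takes the place of the online reverse lookup.

```python
"""Trace a suspect e-mail's path through its Received: headers, bottom up.
Added example, not from the article; the message below is constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Received: from mx.example-recipient.net (mx.example-recipient.net [198.51.100.5])
\tby inbox.example-recipient.net with ESMTP; Mon, 12 May 2008 09:02:11 -0400
Received: from relay.bulk-sender.example (relay.bulk-sender.example [203.0.113.77])
\tby mx.example-recipient.net with SMTP; Mon, 12 May 2008 09:02:09 -0400
Received: from [192.168.1.23] (unknown [192.168.1.23])
\tby relay.bulk-sender.example; Mon, 12 May 2008 09:01:58 -0400
From: "Account Security" <alerts@bank.example>
To: user@example-recipient.net
Subject: Urgent: verify your account

Click the link below within 24 hours.
"""

# "from <claimed-name> (<name-the-server-looked-up> [a.b.c.d])": the name in
# parentheses is the receiving server's own reverse lookup of the real peer.
HOP = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Addresses that never identify an Internet origin: LAN, loopback, link-local.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def hops_bottom_up(raw):
    """Return (ip, recorded_name) for each Received: line, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(3), m.group(2) or m.group(1)))
    return hops


def originating_hop(raw):
    """Earliest hop with a routable address: the one to feed a reverse lookup."""
    for ip, name in hops_bottom_up(raw):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL):
            return ip, name
    return None


def claimed_sender_domain(raw):
    """Domain the From: header claims, to compare against the real origin."""
    return parseaddr(message_from_string(raw)["From"])[1].rsplit("@", 1)[-1]


if __name__ == "__main__":
    ip, name = originating_hop(SAMPLE)
    print("origin:", ip, name, "| claimed sender:", claimed_sender_domain(SAMPLE))
```

The earliest routable hop is an unrelated bulk relay while the From: line claims a bank, which is the mismatch a reverse lookup or abuse report would be built on; the private 192.168.1.23 hop is skipped because it says nothing about where on the Internet the message came from.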
Distributed whitelist. Traditional blacklisting AV products are struggling to catch up with the kinds of sophisticated malware seen in many targeted phishing attacks. This is a key reason that whitelisting, a method in which an IT administrator creates a list of acceptable programs for a group of computers, is currently surging in popularity.
With most whitelisting applications, an IT administrator manages the list centrally across numerous computers. A new twist on the practice—distributed whitelisting—is emerging. Such software can stop malware from running on individual computers and keep it from jumping to another machine.
The technology could be a solid last line of defense against malware delivered via fake e-mail or other means, says the SANS Institute’s Northcutt. A few major vendors of distributed whitelisting software include New Hampshire-based Savant Protection as well as CoreTrace Corporation of Austin, Texas.
Savant’s application scans individual computers and then creates a set of cryptographic keys, or signatures, based on an algorithm that runs against each computer’s applications. The result is a set of approved signatures for that computer. Only programs that generate one of the signatures can run on that computer.
If malware were installed after this process had been completed, it could not run, because each time a program starts up, Savant first runs its algorithm against it, looks at the signature generated, searches in the list of approved signatures for that computer, and unless it finds a match, prevents the program from being executed.
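The baseline-then-check cycle described in the two paragraphs above, as an added illustration that is not Savant’s code: every program on a clean machine is fingerprinted once, and each later launch is allowed only if the program’s fingerprint is still on the approved list. SHA-256 is assumed here in place of whatever algorithm the product uses, and the “programs” are small files in a temporary directory.

```python
"""Per-machine application allowlisting: fingerprint at baseline, check at
launch.  Added illustration, not the vendor's code; SHA-256 is assumed."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Signature of one program: SHA-256 over its bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(app_dir):
    """Scan a clean machine once and record every approved signature."""
    approved = set()
    for root, _, files in os.walk(app_dir):
        for name in files:
            approved.add(fingerprint(os.path.join(root, name)))
    return approved


def may_execute(path, approved):
    """Per-launch check: recompute the signature and look for a match."""
    return fingerprint(path) in approved


def demo():
    """Baseline a directory, then drop in a new file and tamper with an
    approved one; both must be refused while the baseline program still runs."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "calc.exe")
        with open(good, "wb") as f:
            f.write(b"MZ legitimate program")          # constructed content
        approved = build_baseline(d)
        results = {"approved_program": may_execute(good, approved)}
        # a file that arrived after the baseline, e.g. from an attachment
        dropped = os.path.join(d, "subpoena.pdf.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ keylogger")                    # constructed content
        results["dropped_after_baseline"] = may_execute(dropped, approved)
        # an approved program modified in place: its signature no longer matches
        with open(good, "ab") as f:
            f.write(b"\x90\x90")
        results["tampered_program"] = may_execute(good, approved)
        return results


if __name__ == "__main__":
    print(demo())
```

Because a legitimate update also changes a program’s signature, it is refused just like tampering until the approved list is updated, which is what the update step discussed next is for.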
Traditional whitelisting involves pushing updates out to computer groups. With Savant, individual users download updates for the approved list themselves. This reduces the risk that an IT administrator could inadvertently send out an infected patch throughout an organization, according to Steinberg. IT administrators can be tricked into installing malware across numerous computers, he says.
Even though Savant lets employees download their own updates, the application includes related safeguards such as the Advisor feature. When an employee is asked if he or she wants to download an update, a box appears. It asks users if they would like more information on the downloadable file. If employees mark yes, the feature will automatically scan a handful of continuously updated Savant databases and tell the user whether any risk was detected.
The above feature is one example of how Savant combines whitelisting with a more traditional blacklisting approach. Savant also comes with several traditional AV products, including ClamWin, a free open-source product. Savant customers can run it a few times a year. New customers can use it first to check that computers are clear before installing the Savant System.
Savant doesn’t store keys in a central area, but the software’s version 2.0 assists in central management. It lets companies configure, monitor, and control computers through a Web-based interface. Policies can be configured by individual machines or across departments. Other features include centralized alerting about system changes, corporate-wide data reporting, and more malware monitoring and alerts.
Connecticut River Bank is among the companies using Savant. Louise Dube, assistant vice president of technology at the company, says that it was easy to install and that she has been pleased with its ability to “self-learn” once on desktops.
Savant takes less time to run than the AV program the company used before, and that has boosted network efficiency. Compared to an AV product, Savant does not require continuous scanning and updating, Dube says. She says that without Savant, malware delivered by e-mail and other methods would be a major concern.
Gartner’s Litan says that she expects phishing threats to increase in sophistication, and for phishing losses to continue climbing through 2009. But, she says, companies aren’t sitting still either. The battle is far from lost.
John Wagley is an associate editor at Security Management.