Identity theft from phishing and pharming attacks is one of the biggest problems computer users face. It can take ID theft victims four or five years to repair the damage, according to financial consultants.
“The most prevalent ID theft threat is the phishing attack, and it is getting worse. Attacks are larger and are more frequent,” Peter Schlampp, senior director of product management for Internet security firm IronPort Systems, told TechNewsWorld. “From our view, the major security hole is the anonymous nature of the e-mail protocol.”
Business analysts estimate that U.S. consumers lost US$2.4 billion from online fraud scams in 2003, with most fraud carried out by people obtaining access to account numbers and passwords. One major corporation reported receiving more than 1,400 phishing attacks in June 2004. Other surveys report that more than 57 million consumers think they received phishing e-mails last year.
Phishing Versus Pharming
Recently, high-profile identity theft attacks hit DSW Shoe Warehouse, ChoicePoint and LexisNexis.
“Clearly, online security is at a nexus point,” said Mitchell Ashley, CTO of StillSecure, a provider of computer network security software.
Phishing is a scam designed to get e-mail recipients to disclose sensitive personal information such as log-on details and account numbers. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing is based on long-established forms of social engineering. Most phishing schemes use messages delivered in e-mail documents that look like they come from real companies or from valid electronic addresses. Some phishing attacks use malicious Web sites to solicit personal, often financial, information.
Pharming attacks silently redirect users to a look-alike Web site. Pharming is very much akin to domain spoofing.
Unlike phishing attacks, pharming victims do not have to click on a link in an e-mail message to activate the attack. Pharming victims do not even realize that their Web browser has been tricked into seeing a false URL as the intended Web site.
This happens because the attackers succeeded in infiltrating the Domain Name System (DNS) server the victim relies on. DNS stores the numerical equivalent of a Web site address. For example, when a Web surfer enters www.technewsworld.com into a browser, DNS resolves that common name to the actual Internet Protocol (IP) address, which consists of numbers separated by periods. If the answer the browser receives has been tampered with, the user is sent to the attacker’s site instead.
“Phishing is still happening at alarming rates. Phishing especially occurs as spyware attacks with keystroke loggers as the primary method. This is much bigger in the corporate environment now,” StillSecure CTO Ashley said.
Combating ID Theft
Jordan Cohen, director of ISP and government relations for Internet communications company Bigfoot Interactive, could not agree more about the dangerous proportions of ID theft on the Internet.
“The main concern is no longer about spam. It is about being protected from ID theft,” Cohen told TechNewsWorld.
Some Internet security experts said the best way to defend against these threats is to adopt a layered security approach. Layering protects five key access levels within an IT environment: the perimeter, the network hub, the host, the network application and the stored data.
Within an enterprise environment, protection should include intrusion detection and prevention (IDS/IPS) software, as well as vulnerability management software. Another essential security component, according to experts, is an endpoint compliance policy used in conjunction with a hardware firewall, antivirus software and a Virtual Private Network (VPN).
IT managers must conduct an overall assessment of network risks, monitor networks for attacks and block identity and data theft before they can be completed.
According to Ashley, layered security approaches are more reliable than methods that just address network end points.
“Our own study earlier this year showed that most companies are now aware of the need to bolster their perimeter network defenses and have various protections in place,” he said.
Being aware of that need and actually fulfilling it might be the crux of the security solution. Cohen said some companies are still waiting until they are attacked before seeking better network security.
StillSecure’s Ashley sees the newest ID theft threats coming from two sources. One is the open vulnerabilities in the computer and vendor communities from unpatched systems. As long as people continue to use the Internet without applying the security software patches from Microsoft and other software vendors, computer users will remain potential attack victims.
The other source of ID theft is the constant stream of variants of existing attack worms such as Sasser and Mydoom. Computer systems that are already compromised continue to be used to carry out new attacks and take over other unprotected computers.
“Hackers are taking cold code and updating it to find new security holes,” Ashley said.
J.T. Keating, vice president of marketing for Whole Security, describes the process as a digital cat and mouse game that will continue forever. Obviously, there are enough new computer users who are uneducated enough about computer security issues to keep these processes working.
“Existing worms are now being used to launch new attacks,” Keating said. His company provides software products to protect computer users against various forms of online fraud.
In some cases, the hacking community seems to be playing one strain of virus against another. Each new generation of rogue code tweaks the accomplishments of earlier generations, especially with worm infections.
Keating noted that phishing attackers are getting impressive with their successful use of social engineering. Using familiar approaches like, “You’ve got pictures” in the e-mail message’s header or body lets attackers easily dupe e-mail recipients to click on links that infect their computers.
Trust No One
StillSecure’s Ashley does not want IT managers to trust anyone’s hardware until it is proven friendly. That, he said, is what protection against ID theft requires.
“Treat all devices in the network as unfriendly until they are tested otherwise. All devices are potential security risks,” Ashley said. “Gone are the days that network managers could say, ‘I own it so it is safe’,” he said.
The trust factor is critical in protecting against identity theft on the Internet. Even digital security certificates have to be examined to make sure they have not been compromised by an intrusion.
There are both personal and geopolitical levels motivating attacks in the new technology cold war, Ashley said. Thus, corporate providers have an obligation to protect customers, employees and data.
“That is where intrusion detection security is headed, and government regulations are pressuring the industry to concentrate on better protection,” he said.
Fighting the Fight
Whole Security’s Keating equates the products his company markets with tools usually associated with law enforcement.
“We use the term crimeware to describe the motivation and the transition for computer attacks from vandalware,” he said.
Vandalware consists of virus attacks whose purpose is simply to inconvenience the victim. The purpose of crimeware is to steal from the victim.
Ashley described one of the fastest growing sectors in the Internet security market as focusing on security assessment on end client devices. Products are available from his company and others that install software agents to monitor for intrusion activity. This type of product is useful where the endpoint is controlled by the corporation.
The latest push, he said, is to build in protection for endpoint connections that are not controlled by the corporation. These can take the form of an agentless direct-connection device or a browser plug-in that talks to the network to ensure security.
“The cool thing is that anyone connecting can be tested and assessed. If not approved, then the connection is quarantined,” Ashley said.
According to IronPort Systems’ Schlampp, what the computer industry needs is something like a Caller ID system for e-mail. Without one, e-mail senders can offer whatever bogus identities they want.
Two new developments might eventually help make e-mail more secure. Sender ID helps to authenticate the source of the message.
Developed by Microsoft and its industry partners, the Sender ID Framework is an e-mail authentication technology protocol. It addresses the problem of spoofing and phishing by verifying the domain name of the e-mail’s sender. It does this by verifying the IP address of the sender against the purported owner of the sending domain.
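The check described above, as an added illustration that is not from the article or from Microsoft: a receiving mail server looks up the sender-policy record the purported sending domain has published in DNS and tests whether the connecting IP address is one the domain owner authorized. The domains, addresses and records below are constructed, and the DNS lookup is replaced by an in-memory table so the example runs offline.

```python
import ipaddress
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed stand-in for DNS TXT lookups: purported domain -> published policy.
# The record syntax mirrors the SPF-style records Sender ID evaluates; values are made up.
PUBLISHED_RECORDS: Dict[str, str] = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example-shop.test": "v=spf1 ip4:203.0.113.10 ~all",
}

def parse_record(record: str) -> Tuple[List[ipaddress._BaseNetwork], str]:
    """Return the authorized networks and the verdict for everything else."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("unsupported record")
    nets: List[ipaddress._BaseNetwork] = []
    default = "neutral"  # a record with no 'all' term makes no claim about other hosts
    for term in terms[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term in ("-all", "~all", "?all"):
            default = {"-": "fail", "~": "softfail", "?": "neutral"}[term[0]]
    return nets, default

def check_sender(domain: str, client_ip: str,
                 records: Dict[str, str] = PUBLISHED_RECORDS) -> str:
    """Verdict for a connection from client_ip claiming to send for domain."""
    record = records.get(domain.lower())
    if record is None:
        return "none"  # domain publishes nothing, so no claim can be verified
    nets, default = parse_record(record)
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in nets) else default

def verify_message(from_header: str, client_ip: str) -> str:
    """Pull the purported domain out of a From: header and check the connecting IP."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "permerror"  # malformed header; treat as unverifiable
    return check_sender(address.rsplit("@", 1)[1], client_ip)

if __name__ == "__main__":
    # A message claiming to be from the bank but arriving from an unlisted host fails.
    print(verify_message("Alerts <alerts@example-bank.test>", "10.0.0.5"))  # fail
```

A "fail" verdict is what lets the receiving server reject or quarantine a spoofed message before the recipient ever sees the phishing lure.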
The newest proposal for more secure e-mail is being driven by Yahoo. Known as DomainKeys, the authentication process gives e-mail recipients full disclosure on the source of the messages they receive.
Bigfoot Interactive’s Cohen said the computing industry is starting to come together over authentication protocols.
“Vendors and ISPs have to get together to help users separate good e-mail from bad,” he said.