Phishing gets its hooks in

Symantec’s latest internet security threat report has highlighted phishing as one of the most pressing dangers to network security in the region.

  • E-Mail
By  Simon Duddy Published  November 25, 2004

|~|Isaac,-Ke_m.jpg|~|“The Middle East needs an attitude shift and the answer is to have a chief security and information officer on the board or with the ear of the board. When IT departments are tasked with jobs they often don’t have clout at boardroom level and this leads to money-focused, decree-based problem-solving that often lacks effective follow through.” - Kevin Isaac, regional director, Middle East & Africa, Symantec|~|Symantec’s latest bi-annual threat report has singled out phishing as a growing and dangerous internet trend. Phishing is a hacking technique, which uses e-mails contrived to look like official correspondence from a bank or other organisation. The e-mail attempts to entice users to visit a fraudulent website and key-in personal or financial details, which can then be used to rob the unfortunate dupe. “Organised crime has moved into hacking and is using phishing to steal from people,” says Kevin Isaac, regional director, Middle East & Africa, Symantec. “The most often targeted industry segment is now e-commerce when previously it was government utilities, which shows us that commercial gain has become the main motive for attacks,” he adds. Painting a still darker picture on the phishing front, e-mail security firm MessageLabs has identified a new phishing technique that does not require users to click on a website link. When the recipient of the phishing e-mail opens the message, a script is run that attempts to rewrite host files on the user’s computer. When the user then attempts to access a bank account online he or she will be redirected to a fraudulent web site, which then captures the log-in information. To date MessageLabs has intercepted a small number of these e-mails that targeted Brazilian banks, but it is fearful that the technique will prove successful and will be used more widely. “As ever, a combination of user education and the necessary levels of technology-based protection are essential to defend against computer fraud,” says Alex Shipp, a senior technologist at MessageLabs. Users who have disabled Windows Scripting on their PCs are not at risk from this new type of phishing attack. There are a number of ways to counter phishing, from technology-based solutions to sound network practices and education. One such solution is using e-mail encryption and digital signatures. “If e-mails are not encrypted hackers can take control,” says Nabeel Murshed of Swiss security specialist, Secude IT. “But if e-mails are encrypted phishing won’t work, as it allows the receiver of an e-mail message to verify that the message is authentic, and if it is not it will show who the e-mail is really from,” he explains. As well as intercepting e-mails, it is also important to make sure that no key-logging applications have infiltrated the network. These can arrive via downloads and spyware as well as from e-mails. “Key-logging applications record keystrokes and screen shots and can be replayed later to reconstruct a user session,” says Peter Firstbrook, programme director at Meta Group. “Several organisations have lost valuable corporate information including passwords and usernames to these devices. One software company lost significant revenue when source code for new gaming software was stolen via a remote keystroke logger and posted on the internet,” he adds. There are a number of technology solutions available to counter-act key-logging applications including the key-logging filtering capability in Websense’s Master Database product. Despite technology-based counters that are available Symantec sees phishing and security in general as needing a more fundamental answer in the Middle East, where the vendor says spending money blindly has often been the recourse. Instead, enterprises should look more carefully at the way spending is decided. “The Middle East needs an attitude shift and the answer is to have a chief security and information officer on the board or with the ear of the board. When IT departments are tasked with jobs they often don’t have clout at boardroom level and this leads to money-focused, decree-based problem-solving that often lacks effective follow through,” explains Isaac.||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code