Pull the strings

While social engineering attacks are not a new thing, the increased sophistication of threats such as phishing, has meant there are lucrative opportunities for cyber-criminals. Educating users is an important factor, but there are technological methods to counter such attacks.

By Alex Ritman. Published September 3, 2006

In the early days of online social engineering attacks, the attempts by fraudsters to phish for credit card details were not sophisticated. Emails were often badly written and website addresses were often simply IP addresses rather than domains; it did not need a particularly trained eye to spot that something looked dubious.

But in recent years the situation has changed. Individuals are increasingly being attacked by extremely complicated and well put together phishing scams, sending them to websites that look identical to those of banks or other organisations, and encouraging them to enter passwords and user names. Between May 2004 and May 2005, approximately 1.2 million computer users in the US suffered losses from phishing totalling around US$929 million. According to reports from the Anti-Phishing Working Group, the number of phishing reports grew by 34% from May 2005 to May 2006. While documented phishing cases from the region are low, it is clear that the Middle East is not immune from attacks. Most industry experts agree that as the adoption of services such as internet banking and other online systems increases, organisations need to protect themselves sufficiently, and be aware of the different threats they could face.

One of the more complex frauds uses Trojan Horse software, or spyware. These pieces of malware can wait for you to go to your real online banking website, and then activate a key logger, stealing user names and passwords before they are encrypted for travel over the network. “That way they don’t have to go to the effort of setting up a bogus website,” says Graham Cluley, senior technology consultant at Sophos. “We’re seeing an awful lot of those being written all the time, hundreds every month are coming out. There are little cottage industries in places like Brazil; that’s a particular hotbed.”

As if there weren’t enough specialist words loitering around in the already acronym-heavy IT industry, social engineering attacks have spawned several dictionary updates. Vishing – phishing via voice – is one of the latest. These are email campaigns that build on the fear of phishing attacks, claiming that because of such bogus email messages, you should ring the number provided to confirm your details.

“They give a phone number, and when you ring that, it sounds like the switchboard for Paypal or an online bank,” says Cluley. So basically, rather than recreating a website, the phishers have duplicated the switchboard system, so duped users type their PIN numbers and account details in via their phone, straight into the criminal’s computer. “It’s big business, they make lots of money. There have been people who have made millions, and we’re beginning to see more arrests and convictions, but I imagine a lot of them are getting away with it.”

A more direct route for phishers is using a method known as spear phishing. Rather than blast out a phishing email to hundreds of thousands of random people, this practice sees it sent just to members of a particular company, for example. It could be sent to employees claiming to be a message from the human resources department, asking them to update their financial details for future payments, but sending them to the phisher’s link. “Because it has come internally, people might be more confident,” warns Cluley. Often the purpose of spear phishing is to collect computer account passwords so that the company’s network can be hacked to collect business and personal information.

Cluley says that educating people goes a long way, on top of having a decent spam and virus blocking solution. “The basic rule is: ‘don’t reply, don’t try, don’t buy’. Every time you respond to one of these emails, you’re encouraging them to do it more.”

Abdul Karim Riyaz, regional director for Computer Associates’ storage and protection business in the EMEA Eastern markets, agrees, saying that the training of staff is extremely important. “Prevention is always better than a cure. Hence the focus must be on how employees and individuals do not fall prey to such techniques. The only way this can be achieved is through training. Employees must be trained on the common social engineering tactics, the importance of personal as well as company information and how to classify this information based on its confidentiality, as well as the rules and process around the sharing of such information.”

But Tamer Gamali, chief information security officer at the National Bank of Kuwait, argues that while this is a good start, education is not enough. “You’ve got to look at the statistics. Someone who is going to carry out phishing can very cheaply send out 100,000 emails. He knows that there’s going to be one or two that aren’t going to be aware, so they will click on it.”

Cluley acknowledges this view, and points to the fact that phishing email levels are rising, meaning that people must be falling for them. “You only need one or two people to fall for it and you’ve easily covered the cost and the effort. It’s the same issue with spam. If it didn’t work, people wouldn’t send it out.”

Microsoft has joined those looking to reduce the effects of phishing, and its forthcoming Internet Explorer 7 web browsing software will feature a simple tool that will make users aware of possible risks. According to Bahaa Issa, corporate communications manager for Microsoft Gulf, the anti-phishing tools within IE7 will search for known phishing sites, and carefully examine the domain you are opening. “When you type in a domain, the phishing indicator starts looking at the content and whether it has any links to any other domain. For example, if you go into cnn.com, it sees that there is a link to cnn.com/sport. It kind of does an authentication while you are opening up the first page, and if it is a phishing site, then an alert will show.” The system grows in strength as it learns further phishing sites, and through users reporting domains, but Issa admits that while it is a great help, it does not assure security. “All we say is that you cannot be safe, but can be secure. We work on it as we go, we will always carry on improving to match the scale of the security.”

Mozilla’s new web browser Firefox 2 (code-named Bon Echo) also includes a form of anti-phishing technology that checks domains against a list of known phishing sites.

Sophos recently conducted research among the international business community, and discovered that 58% of people asked said they received at least one phishing email every day, and 22% put this figure at more than five. “What’s interesting is that the hackers aren’t targeting the banks so much, they actually go for the global brands, things like ebay and Paypal,” says Cluley, who adds that the online auction house and the online payment system it owns account for 75% of all phishing emails Sophos has seen this year. But banks are still targets and are equally aware of the importance of reputations and the damage that can be done through attacks like phishing.

Gamali says that one of the solutions is using technology that allows for mutual authentication. One of these methods uses technology from a company called PassMark that utilises a photo. “When you register on the system, you upload your personal image to the website, and during the authentication process it will verify who you are first using whatever method you set up, and then it will verify back to the user with the personal image.”

One good policy that most banks have adopted is to never send out any correspondence that asks customers to submit personal information, and many have sent out letters explicitly pointing out this fact so that people know. But when the bank wants to send out marketing emails, the image mutual authentication solution can be used to good effect. “As mail goes out the system can look at the recipient and then grab their personal images from the PassMark server as it’s sending the email out so that each arrives with its personalised image. Or it will have a link in there, which will take the user to their personal image on the server.”
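The article names three signals a mail filter or browser can act on: a bare IP address where a domain should be, a host on a list of known phishing sites (the Firefox 2 and IE7 approach), and a link whose visible text names one domain while it actually points elsewhere. The following is an added example, not code from the article or from any of the vendors it quotes; the blocklist entries and the sample message are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed blocklist standing in for a browser's known-phishing list.
KNOWN_PHISHING_HOSTS = {"secure-login-paypa1.example", "ebay-verify.example"}
# HTML anchor -> (href, visible text); a domain-looking token in the text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the constructed data."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_link(href: str, text: str, blocklist=KNOWN_PHISHING_HOSTS) -> list:
    """Return the reasons a link looks like phishing (empty list = none)."""
    host = urlparse(href).hostname or ""
    reasons = []
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    if host.lower() in blocklist:
        reasons.append("known-phishing-host")
    shown = DOMAIN_RE.search(text)  # domain the reader is shown, if any
    if shown and host and registrable(shown.group(1)) != registrable(host):
        reasons.append("link-text-domain-mismatch")
    return reasons

def assess_message(html: str, blocklist=KNOWN_PHISHING_HOSTS) -> dict:
    """Map each flagged href in an HTML message to its list of reasons."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        reasons = assess_link(href, text, blocklist)
        if reasons:
            findings[href] = reasons
    return findings

# Constructed sample message in the style the article describes.
SAMPLE = ('<p>Update your details at <a href="http://198.51.100.7/login">'
          'www.examplebank.com</a> or <a href="https://secure-login-paypa1.example/">'
          'PayPal</a>. Sport: <a href="https://cnn.com/sport">cnn.com/sport</a></p>')

if __name__ == "__main__":
    for href, reasons in assess_message(SAMPLE).items():
        print(href, "->", ", ".join(reasons))
```

The cnn.com link passes because its visible text and its target share a registrable domain, which is the distinction Issa describes IE7 drawing between a site's own links and links to other domains.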
