Executive Conversation: Attacking the Phishing Threat - What Every Company Needs to Know
by Melisa LaBancz-Bleasdale - Monday, 9 August 2004.
It is also recommended that companies take a good look at their email infrastructure. Is it reliable? Does it have filtering capabilities? The APWG is seeing companies get overwhelmed with sudden bounced messages when a phishing attack occurs. It's similar to an email denial-of-service attack: if a phisher launches an attack on millions of users and over one million of those addresses bounce back as invalid, the bounces can overwhelm the company's mail servers and take them out of service, so a company needs filters in place to keep the attack from taking the server offline.

A sudden influx of bounced messages that a company did not initiate should indicate that a phishing attack is taking place somewhere in their name.

“A company needs to be able to monitor email bounce-backs. This is where a company can practice vigilance. You need to have a response plan and know what to do when this occurs. If you're an online bank, are you going to turn off online banking for a couple of hours? Are you going to look in your web logs and track account access? Will you notice that suddenly all of your customers seem to have moved to Russia?” asks Jevans.
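The bounce-back monitoring described above, as an added example that is not part of the original article or of any APWG tooling: it counts delivery-status notifications per hour and per spoofed sender address, and flags an hour in which bounces for one address jump far above that address's earlier peak. The log format, domain names and thresholds are constructed for illustration only.

```python
"""Flag a sudden surge of bounced mail that may signal a phishing campaign
spoofing the company's domain. Added example; the log format below is
constructed and does not correspond to any particular MTA."""
import re
from collections import Counter

# Constructed log line shape: "<ISO timestamp> bounce from=<sender> rcpt=<recipient> status=<code>"
BOUNCE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} bounce "
    r"from=<(?P<sender>[^>]+)> rcpt=<(?P<rcpt>[^>]+)>"
)

# Constructed sample: a quiet baseline for a real newsletter address, then a burst
# of bounces for an address the company never sends from (a spoofed campaign).
SAMPLE_LOG = (
    [f"2004-08-09T{h:02d}:15:00 bounce from=<news@bank.example> "
     f"rcpt=<u{h}@isp.example> status=550" for h in range(9, 12)]
    + [f"2004-08-09T12:{i:02d}:30 bounce from=<security@bank.example> "
       f"rcpt=<v{i}@isp.example> status=550" for i in range(40)]
    + ["2004-08-09T12:05:00 delivered from=<news@bank.example> "
       "rcpt=<ok@isp.example> status=250"]  # not a bounce; must be ignored
)

def bounces_per_hour(log_lines):
    """Count bounces keyed by (hour, original sender) so each spoofed
    address is tracked separately from the company's legitimate senders."""
    counts = Counter()
    for line in log_lines:
        m = BOUNCE_RE.match(line)
        if m:
            counts[(m["hour"], m["sender"])] += 1
    return counts

def find_bounce_surges(log_lines, factor=5, floor=20):
    """Return [(hour, sender, count)] for hours where a sender's bounces reach
    `floor` and exceed `factor` times that sender's highest earlier hour.
    A sender with no history at all (baseline 0) is the clearest signal: the
    company never sent that mail. The result feeds the response plan; it is
    an indicator to investigate, not an automatic action."""
    counts = bounces_per_hour(log_lines)
    peak, surges = {}, []
    for (hour, sender), n in sorted(counts.items()):  # ISO hours sort in time order
        baseline = peak.get(sender, 0)
        if n >= floor and n > factor * baseline:
            surges.append((hour, sender, n))
        peak[sender] = max(baseline, n)
    return surges

if __name__ == "__main__":
    for hour, sender, n in find_bounce_surges(SAMPLE_LOG):
        print(f"{hour}: {n} bounces for {sender}; possible spoofing, invoke response plan")
```

The baseline here is a per-sender peak, which is deliberately simple; a production version would use a rolling window and exclude the company's own known bulk sends.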

“If you do business online and it's an important part of your operations, it's critical that your online channels aren't compromised. It's up to companies to make sure that they have the proper response plan and technologies in place before it happens. One of the trends that the APWG has seen is that once phishing attacks start happening, a company continues to be a target of these attacks. This is primarily due to the work involved in setting up a sophisticated spoof. If it works once, a phisher will do it again and again, and then post the information on hacker websites or trade the information with other phishers.”

Unfortunately, there are many websites that provide phishing templates for hopeful spoofers. Though the process should be illegal, as Mr. Jevans points out, “It's not illegal to have hacking tools, but it's illegal to use them. If there is a copy of a phishing template out there that's not being sold, one, how are you going to track who initiated the template, and two, there are fair use laws surrounding free downloadable copies. Another thing to consider is that most of these sites aren't hosted in the U.S. anyway. We know where the websites are. Many websites and chat rooms that are used for setting up attacks and exchanging or selling credit card numbers are known. They're in countries where that practice isn't illegal and where we have no U.S. jurisdiction. There's a lack of cyber-crime cooperation with those countries,” Jevans explains.

The bottom-line question is whether or not the phishing problem will ever go away. Jevans responds, “Yes, and that brings me to the last thing that companies should do, and where the industry is going. The industry appears to agree that a large contributor to the problem is that you can freely spoof email addresses. There is the ability to spoof any email address you want, and that's why people are getting emails that say ‘billing@aol.com’ or ‘support@Microsoft.com’, etc. If we can stop the spoofing of email, that should largely address the phishing problem and will be a key cornerstone to getting a handle on spam. Most spam comes from spoofed email addresses and you can't block them.”
