Executive Conversation: Attacking the Phishing Threat - What Every Company Needs to Know
by Melisa LaBancz-Bleasdale - Monday, 9 August 2004.
It is also recommended that companies take a good look at their email infrastructure. Is it reliable? Does it have filtering capabilities? The APWG is seeing companies overwhelmed by a sudden flood of bounced messages when a phishing attack occurs; the effect resembles an email denial-of-service attack. If a phisher launches an attack against millions of users and over one million of those addresses bounce back as invalid, the bounces can overwhelm the company's mail servers and take them out of service, so a company needs filters in place to keep the attack from taking its servers offline.

A sudden influx of bounced messages that a company did not initiate should indicate that a phishing attack is taking place somewhere in their name.

“A company needs to be able to monitor email bounce-backs. This is where a company can practice vigilance. You need to have a response plan and know what to do when this occurs. If you’re an online bank, are you going to turn off online banking for a couple of hours? Are you going to look in your web logs and track account access? Will you notice that suddenly all of your customers seem to have moved to Russia?” asks Jevans.
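One way to implement the bounce-back monitoring Jevans describes, as an added example that is not from the article or the APWG: correlate inbound bounces against the Message-IDs your own mail server actually sent, and alert when bounces for messages you never sent spike inside a short window. The log format, domain, Message-IDs and threshold below are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of inbound bounce (DSN) log lines:
# timestamp, Message-ID quoted by the remote server, SMTP code, reason.
BOUNCE_LOG = """\
2004-08-09T09:00:05 <a1@mail.example-bank.com> 550 user unknown
2004-08-09T09:00:07 <zq9f3@mail.example-bank.com> 550 user unknown
2004-08-09T09:00:08 <k77p2@mail.example-bank.com> 550 user unknown
2004-08-09T09:00:09 <a2@mail.example-bank.com> 552 mailbox full
2004-08-09T09:00:11 <m0x1b@mail.example-bank.com> 550 user unknown
2004-08-09T09:00:12 <hh2d8@mail.example-bank.com> 550 user unknown
2004-08-09T09:00:14 <t5r3q@mail.example-bank.com> 550 user unknown
2004-08-09T09:17:30 <a3@mail.example-bank.com> 550 user unknown
"""

# Constructed set of Message-IDs the company's own MTA really sent.
SENT_IDS = {"<a1@mail.example-bank.com>",
            "<a2@mail.example-bank.com>",
            "<a3@mail.example-bank.com>"}

LINE_RE = re.compile(r"^(\S+) (<[^>]+>) (\d{3}) (.*)$")

def parse_bounces(log_text):
    """Yield (timestamp, message_id, smtp_code) for each parsable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def unmatched_bounces_per_window(log_text, sent_ids, window_minutes=5):
    """Count bounces whose Message-ID we never sent, bucketed per window.
    A bounce for a message we did not send means someone forged our domain."""
    counts = Counter()
    for ts, msg_id, _code in parse_bounces(log_text):
        if msg_id not in sent_ids:
            bucket = ts.replace(second=0, microsecond=0,
                                minute=(ts.minute // window_minutes) * window_minutes)
            counts[bucket] += 1
    return counts

def spoof_alerts(log_text, sent_ids, threshold=3):
    """Return window start times where forged-mail bounces reach the threshold."""
    counts = unmatched_bounces_per_window(log_text, sent_ids)
    return sorted(ts for ts, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for window_start in spoof_alerts(BOUNCE_LOG, SENT_IDS):
        print(f"ALERT: bounce spike for unsent mail starting {window_start}")
```

In production the sent-ID set would come from the outbound MTA log, and the threshold from a baseline of normal bounce volume.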

“If you do business online and it’s an important part of your operations, it’s critical that your online channels aren’t compromised. It’s up to companies to make sure that they have the proper response plan and technologies in place before it happens. One of the trends that the APWG has seen is that once phishing attacks start happening, a company continues to be a target of these attacks. This is primarily due to the work involved in setting up a sophisticated spoof. If it works once, a phisher will do it again and again, and then post the information on hacker websites or trade the information with other phishers.”

Unfortunately, there are many websites that provide phishing templates for hopeful spoofers. Though the practice arguably should be illegal, it is not, as Mr. Jevans points out: “It’s not illegal to have hacking tools, but it’s illegal to use them. If there is a copy of a phishing template out there that’s not being sold, one, how are you going to track who initiated the template, and two, there are fair use laws surrounding free downloadable copies. Another thing to consider is that most of these sites aren’t hosted in the U.S. anyway. We know where the websites are. Many websites and chat rooms that are used for setting up attacks and exchanging or selling credit card numbers are known. They’re in countries where that practice isn’t illegal and where we have no U.S. jurisdiction. There’s a lack of cyber-crime cooperation with those countries,” Jevans explains.

The bottom-line question is whether or not the phishing problem will ever go away. Jevans responds, “Yes, and that brings me to the last thing that companies should do, and where the industry is going. The industry appears to agree that a large contributor to the problem is that you can freely spoof email addresses. There is the ability to spoof any email address you want, and that’s why people are getting emails that say ‘billing@aol.com’ or ‘support@Microsoft.com’, etc. If we can stop the spoofing of email, that should largely address the phishing problem and will be a key cornerstone to getting a handle on spam. Most spam comes from spoofed email addresses and you can’t block them.”
