Symantec Fleshes Out Phishing

Security specialist Symantec Corp. (Nasdaq: SYMC) has urged users to beware of increasingly sophisticated phishing attacks as criminals hone their skills. The vendor has also snapped up anti-phishing specialist WholeSecurity Inc. in an attempt to further combat this threat.

Dean Turner, author of Symantecs latest Internet Security Threat Report, today warned users that risks to their IT infrastructure are changing dramatically. (See Symantec Issues Report .)

Speaking on a conference call, Turner explained that attackers are increasingly motivated by financial gain. This is a far cry, he said, from “the Website defacements,” that were hitting the headlines five years ago. “There’s a shift from hacking for fame to hacking for fortune,” he says.

This trend clearly prompted the vendor to make its latest M&A foray, snapping up WholeSecurity for an undisclosed fee. The startup's software checks whether Web sites are safe, as well as analyzing the behavior of viruses and worms. Symantec claims that because WholeSecurity's software does not rely on specific virus signatures, it can also be used to tackle the menace of "zero-day" threats (see Security Approaches Day Zero).

Phishing, which uses bogus emails to lure unsuspecting users to a fraudulent Website, is gaining momentum, according to Turner. “Attacks are becoming more targeted,” he says. In the first six months of this year, Symantec saw the volume of phishing-related messages rise from 2.9 million to 5.7 million a day. “Phishing is growing simply because it’s lucrative,” Turner explains. “The FBI stated that an identity theft ring was able to net more than $2 million.”Attackers are now going after traffic like email and HTTP in an effort to circumvent sophisticated firewalls, warns the author. They also are going after smaller firms, which may not have as much security in place as their Fortune 500 counterparts. Criminals "are shifting their focus to smaller and more regional targets."

Certainly, phishing’s profile has risen dramatically over recent months, with criminals even attempting to exploit the hurricane Katrina relief effort. (See Katrina Spawns Scam Scum.) As well as mobilizing the IT industry, the phenomenon has prompted concern from the U.S. government. (See Gates Opens Up on Security, U.S.: Al Qaeda Eyeing Cyber Threats, and Something Phishy.)

To make matter worse, phishers are using new methods to trick users and get past perimeter security. A typical method is to change the images contained within phishing emails, or redirect firms to secondary URLs. This means that, even if firms’ firewalls are programmed to look out for specific URLs, an unsuspecting user could still be lured to another fraudulent Website.

To combat this, Turner urges enterprises to start monitoring their IT infrastructures for attacks 24 hours a day, seven days a week, as well as educating their staff. They need to "train employees not to open attachments unless they have been requested," he says.

But phishing was not the only Achilles heel identified by Symantec in its latest report. Turner also highlighted numerous vulnerabilities within Web applications. “They are freely available and easily exploitable. [Because] Web applications often store personal information in their database, attackers can access this without having to compromise a computer.”The fact that many businesses are supplying their employees with sophisticated cell phones is also posing a problem, according to Turner. ”Smart phones are still susceptible to malicious code threats. We feel that smart phones are more attractive to attackers than personal digital assistants.”

— James Rogers, Site Editor, Next-Gen Data Center Forum