CERT Says Phishers Get Craftier

US-CERT yesterday warned enterprises and consumers to be on their guard against increasingly sophisticated phishing attacks, prompting a call for banks to lock down their storage systems. (See Time For ID Lockdown.)

The attacks, which use bogus emails to lure unsuspecting users to fraudulent Websites, are becoming ever more complex, according to Jason Milletary, a security expert at CERT. In a statement, Milletary warns of an increase in attack diversity and technical sophistication by the people conducting phishing and online financial fraud.”

CERT also warned that phishers are using more malicious code to target users’ account information. “Just as with real fishermen, phishers today have a large tackle box of tools available to them,” Milletary says.

Vit Kantor, vice president of consulting firm Spectrum Systems, which works with a number of banks on security issues, warned that the financial sector has got a real fight on its hands. “It’s becoming more and more difficult to discover that something unsavory is going on behind the scenes.” As well as making their fake Websites more realistic, Kantor adds that phishers are getting better at redirecting Web browsers to their bogus sites.

But the exec believes that banks need to do some serious thinking about the impact of say, stolen passwords, on their back-end storage systems. “It’s absolutely crucial,” he says. “There should be risk management policies in place that address the entire infrastructure, not just user authentication.”Banks, according to Kantor, should deploy database access and monitoring software to check up on who is trying to get hold of back-end data. “There should be a mechanism to enforce proper access to internal resources.”

A North Carolina-based IT manager at a major U.S. bank, who asked not to be named, says his firm has already taken steps to address this issue by effectively isolating its storage systems. “The storage networks are not reachable from the outside,” he explains. “We don’t even allow [third-party] vendor laptops to plug into our network.”

Crucially, he says, customers don’t have direct access to the storage network either. This means that, even if a password is compromised, the risk of further data loss is minimized.

The IT manager adds that many banks are now focusing their anti-phishing efforts on their online banking customers. Banks are looking to push what is known as “two-factor authentication,” towards consumers.

This requires customers to use both a password and what is known as a “hardware token,” to access their online accounts. Hardware tokens, such as RSA Security’s SecureID Token, are already used for authenticating users in a number of industries.The IT manager explained that his firm’s staff, for example, already uses a combination of RSA’s SecureID Token and traditional passwords to access some of the bank’s highest security systems.

Security giant Symantec recently highlighted the sheer scale of the phishing challenge facing banks. In the first six months of 2005, it reported, the volume of phishing-related messages rose from 2.9 million to 5.7 million a day. (See Symantec Fleshes Out Phishing and Symantec Issues Report .)

But Kantor warns that, in the future, phishers are going to take an even more focused approach to their scams. “The next trend that we’re seeing is phishers targeting small, high-value groups,” he says. “That could be, for example, high-value customers of commercial banks.”

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article: