March 06, 2008
Outlook bleak for Phishing defeat
Everyone from the law enforcement community, to ISPs, to the very firms whose names are being tarnished by phishing attacks is trying to pitch in and help find a solution to the problem, but the prospects for decreasing the prevalence of the threat remain daunting, according to the leader of one of the most high-profile efforts to do so.
David Jevans, the chairman of the nonprofit industry consortium the Anti-Phishing Working Group (and the CEO of encrypted USB drive specialist IronKey) said in a recent interview that as the phishing problem keeps "changing and getting worse" it has become clear that there are no simple answers to the issue.
Traditional mass-market phishing is still thriving despite the best efforts of ISPs and Webmail companies to filter out as much of the nefarious spam as possible, as phishers continue to use fast-flux hosting (rapidly rotating the IP addresses behind a phishing domain so that no single host can be taken down) to evade pursuit. Worse, targeted attacks are growing in complexity and popularity, Jevans said.
"We see more targeted attacks, spear-phishing and whale phishing, where the attackers have some information about their targets and are using it to create customized attacks," he said. "When they know people's e-mail address and name, and have other information, this type of thing is very hard to track and stop. We also see attacks targeting specific companies where the effort is to get inside a network to plant Trojans and get in and steal intellectual property."
The expert warned that such targeted spear-phishing attacks are taking root across both the private and government sectors. The model of blending malware with targeted attacks is also growing in prevalence, Jevans said.
In another technical turn, phishers are employing more attacks that involve some level of phone interaction, either through VoIP-based "vishing" or through e-mail messages that trick people into calling live phone operators who are paid to talk them out of their data.
At its base, the problem with phishing is that it has become a truly complex set of social engineering techniques, some of which may always be hard to defeat when the attackers have profiled their victims and know how to approach them artfully, according to the APWG leader.
One solution may be the broader use of two-factor authentication for e-mail, Jevans said.
"I think things have to go two-factor in some scenarios; if you simply rely on people to look out for the attacks and keep things safe, I think that might be unrealistic," he said. "And even if phishers can steal a password, they still don't have the token."
E-mail signing, long tabbed as a potential salve for spam and phishing, continues to evolve and should help as it becomes more broadly adopted, but that technology alone won't solve the problem, said the expert.
"People can still create ways around it, we really need to combine authentication and reputation," said Jevans. "We need for the system to understand how long a site has been up, or does it exhibit malicious characteristics, as well."
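The combination Jevans describes, an authentication result weighed together with sender-domain reputation, sketched as an added example in Python. This is not code from APWG, IronKey or this article. It parses the DKIM and SPF results out of an Authentication-Results header, checks that a passing DKIM signature actually comes from the From: domain (a signature from an unrelated domain vouches for nothing), and then adds the two reputation signals mentioned above: how long the sending domain has existed and whether its DNS shows the fast-flux churn referred to earlier. The domain names, IP addresses, DNS snapshots, point values and thresholds are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# All sample data below is constructed: reserved example domains and
# documentation IP ranges, not a real sender, site or DNS answer.

@dataclass
class DnsSnapshot:
    """One resolution of the sender domain's host: A records returned and their TTL."""
    ips: list
    ttl: int

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)

# Matches fragments such as "dkim=pass header.d=bank.example; spf=softfail smtp.mailfrom=..."
AUTHRES_RE = re.compile(
    r"\b(dkim|spf)=(pass|fail|none|neutral|softfail|permerror|temperror)\b"
    r"(?:[^;]*?\bheader\.d=([\w.-]+))?",
    re.I,
)

def parse_authres(header):
    """Map each method to (result, signing domain); the signing domain only exists for DKIM."""
    found = {}
    for m in AUTHRES_RE.finditer(header):
        found[m.group(1).lower()] = (m.group(2).lower(), m.group(3))
    return found

def dkim_aligned(from_domain, signing_domain):
    """A DKIM pass only vouches for the From: domain if that domain (or a parent) signed."""
    if not signing_domain:
        return False
    from_domain, signing_domain = from_domain.lower(), signing_domain.lower()
    return from_domain == signing_domain or from_domain.endswith("." + signing_domain)

def looks_fast_flux(snapshots, max_ttl=300, min_distinct_ips=5):
    """Heuristic (thresholds assumed): short TTLs plus a churning address set across lookups."""
    if not snapshots:
        return False
    distinct = set()
    for snap in snapshots:
        distinct.update(snap.ips)
    return all(snap.ttl <= max_ttl for snap in snapshots) and len(distinct) >= min_distinct_ips

def score_message(from_domain, authres, domain_first_seen, today, dns_history):
    """Combine authentication and reputation into one verdict. Point values are assumed."""
    v = Verdict()
    auth = parse_authres(authres)
    dkim_result, signer = auth.get("dkim", ("none", None))
    if dkim_result == "pass" and dkim_aligned(from_domain, signer):
        v.add(-2, "aligned DKIM pass")
    elif dkim_result == "pass":
        v.add(+1, f"DKIM signed by unrelated domain {signer}")
    else:
        v.add(+2, f"no usable DKIM ({dkim_result})")
    spf_result = auth.get("spf", ("none", None))[0]
    if spf_result in ("fail", "softfail", "permerror"):
        v.add(+2, f"SPF {spf_result}")
    age_days = (today - domain_first_seen).days
    if age_days < 30:
        v.add(+3, f"domain first seen {age_days} days ago")
    elif age_days < 180:
        v.add(+1, f"domain first seen {age_days} days ago")
    if looks_fast_flux(dns_history):
        v.add(+3, "fast-flux DNS pattern")
    return v

def classify(verdict):
    """Turn the score into a delivery decision (bands assumed)."""
    if verdict.score <= 0:
        return "deliver"
    if verdict.score < 4:
        return "deliver-with-warning"
    return "quarantine"

TODAY = date(2008, 3, 6)

# Constructed: a long-lived domain, aligned DKIM, SPF pass, one stable host.
LEGIT = dict(
    from_domain="bank.example",
    authres="mx.example.net; dkim=pass header.d=bank.example; spf=pass smtp.mailfrom=bank.example",
    domain_first_seen=date(1998, 5, 1), today=TODAY,
    dns_history=[DnsSnapshot(["192.0.2.10"], 3600)] * 3,
)
# Constructed: the same From: domain, but signed by a five-day-old look-alike on fast-flux hosts.
PHISH = dict(
    from_domain="bank.example",
    authres="mx.example.net; dkim=pass header.d=bank-secure-login.example; "
            "spf=softfail smtp.mailfrom=bank-secure-login.example",
    domain_first_seen=date(2008, 3, 1), today=TODAY,
    dns_history=[DnsSnapshot(["203.0.113.5", "203.0.113.9"], 120),
                 DnsSnapshot(["198.51.100.7", "198.51.100.8"], 120),
                 DnsSnapshot(["192.0.2.44", "203.0.113.5"], 180)],
)

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("phish", PHISH)):
        v = score_message(**sample)
        print(name, v.score, classify(v), v.reasons)
```

The point of the alignment check is the one Jevans raises: a signature on its own proves only that some domain signed the message, so the phishing sample still carries a valid DKIM pass and is caught only because the signer is unrelated to the From: domain, the domain is days old, and its hosts churn. Any one signal could be explained away; the combination is what tips the verdict.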
Additional laws aimed at stopping phishers likely won't help much either, he said, as the ability to enforce any measures, especially overseas, will likely always prove difficult.
Overall, Jevans said that while APWG and its allies will continue their work and look for new ways to address the phishing epidemic, the outlook does appear fairly bleak, at least in the short-term.
"We thought there would be simple answers several years ago when we started, but people actually have fewer ideas about what to do now as things have progressed," Jevans said. "It's a big problem and getting more sophisticated all the time; industry will really have to work together far more to move toward solving the issue."
Posted by Matt Hines on March 6, 2008 10:56 AM
COMMENTS
As many experts have said, continual user awareness programs after initial training are necessary to thwart the really clever attacks that get through the technology.
In the long run, this will prove more cost-effective than using high-tech defences alone.
In 13 years of extensive internet usage, I've personally never been phished, infected by email viruses, "drive-by" malware, cross-site scripting or compromised by downloadable malware.
How come? Awareness.
Posted by: George Bailey at March 8, 2008 05:54 PM