Keeping Up with the Phishers

By David F. Carr

As network attacks become more sophisticated, companies must constantly sharpen their security strategies to compensate.

The message addressed to Hudson Valley Federal Credit Union executives read, "I was recently logging into my account to view my account details when I realized the site I was visiting was a well-done duplicate of your Web site. I am unsure if this Web site is affiliated with your institution, but here is the link for you to check it out."

The e-mail arrived just after 7 p.m. on Jan. 3, a day when Microsoft had posted an updated security bulletin on a worrisome flaw in the viewer for Windows Metafile (WMF) graphics, for which it had not yet released a patch. A click on the link in that e-mail would take users to a bogus Web site designed to exploit the WMF vulnerability to download malicious code onto the user's computer.

It was exactly the sort of attack the credit union's security manager, John Brozycki, had been fearing as a follow-up to a similar attack targeting credit unions that was reported in December. It was a "zero day" attack that exploited a security hole for which no software patch was yet available, as well as a "spear phishing" attempt aimed at specific executives with a semi-credible business-related message, rather than one of the more obvious "please update your PayPal account"-type messages aimed at consumers.

Some of the credit union's executives did click on the link, Brozycki says—even though he had warned them of this sort of danger after the December incident, in which some of the bank's directors had been tricked into visiting the Web site of a fictional credit union. That Dec. 12 attack also tried to exploit an unpatched vulnerability in Microsoft Internet Explorer's script execution.

In both cases, fortunately, the Symantec Norton AntiVirus software on the executives' desktops managed to block the malicious software. Even though no specific antivirus signature for the attack was yet available, the Symantec software was able to spot suspicious patterns in the code, according to Brozycki.

"The second one they clicked on, knowing that it was suspicious but thinking, hey, I'm going to get some info about this—I think they were trying to help," Brozycki says. He adds that if the attackers had not been hurrying to act before Microsoft released a patch for the WMF flaw, they might have tested their code against current antivirus products and found ways to sneak past them.

Those executives were lucky—but chief information and security officers can't always count on luck. They need to make sure they have strong software defenses and that their users are educated on computer security protocols.
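The attack described above hinged on a single link in a plausible-looking e-mail that led to a site impersonating the credit union. One defensive check a mail gateway can apply before such a message reaches an executive's inbox is to extract every link and compare its host against the institution's own domains, flagging lookalike hosts that borrow the institution's name. The following is an added example, not code from the article or from Hudson Valley Federal Credit Union; the domains, brand tokens and the sample message are constructed for illustration.

```python
"""Flag inbound e-mail whose links point outside an institution's own domains.

Added example (not from the article). All domains, tokens and the sample
message below are constructed; replace them with the real allow-list.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the institution's legitimate web hosts (constructed values).
TRUSTED_DOMAINS = {"example-cu.test", "www.example-cu.test"}
# Hypothetical: name fragments a lookalike host would reuse (constructed).
BRAND_TOKENS = ("example-cu", "examplecu")


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg):
    """Return every URL found in the HTML and plain-text parts of a message."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            for token in part.get_content().split():
                if token.startswith(("http://", "https://")):
                    links.append(token.rstrip(".,;)"))
    return links


def classify_link(url):
    """Classify a URL by its host: trusted, lookalike, or external."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_DOMAINS:
        return "trusted"
    # A host that contains the institution's name but is not on the
    # allow-list is the classic impersonation pattern.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "external"


def assess_message(raw_bytes):
    """Return (verdict, findings) for a raw RFC 5322 message.

    quarantine: at least one lookalike link; review: only external links;
    deliver: no links, or only links to the institution's own hosts.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = [(url, classify_link(url)) for url in extract_links(msg)]
    categories = {category for _, category in findings}
    if "lookalike" in categories:
        verdict = "quarantine"
    elif "external" in categories:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, findings


# Constructed sample message modelled on the pretext in the article:
# a "concerned member" reporting a duplicate of the institution's site.
SAMPLE_MESSAGE = b"""From: Concerned Member <member@mail.test>
To: executive@example-cu.test
Subject: Possible duplicate of your Web site
Content-Type: text/html; charset="us-ascii"

<p>I realized the site I was visiting was a well-done duplicate of yours.
Here is the link for you to check it out:
<a href="http://example-cu.secure-login.test/view">example-cu.test</a></p>
"""

if __name__ == "__main__":
    verdict, findings = assess_message(SAMPLE_MESSAGE)
    print(verdict)
    for url, category in findings:
        print(f"  {category:10} {url}")
```

The visible anchor text in the sample reads like the institution's own address while the href points elsewhere, which is exactly why the check works on the href rather than on what the reader sees. In a real deployment the verdict would feed a quarantine or banner step rather than a print statement, and the allow-list would include every host the institution legitimately links from.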

The problem isn't going away. Last month, the Federal Bureau of Investigation released a security survey that found more than 90% of 2,000 public and private organizations polled said they had installed firewalls and antivirus software. Still, 87% of those had experienced a security incident in 2005. And 84% said they had been hit in the past 12 months by a virus or worm.

Many of the attacks have as much to do with social engineering as with software engineering. Traditionally, "social engineering" was the non-technological part of hacking: An attacker would make a phone call and con some employee into giving out passwords or other information that could be exploited to gain access. But more automated attacks that spread by e-mail also seek to manipulate users, often with crude appeals to greed, lust or fear.

Promises of sex remain popular, as with an e-mail worm in January that carried subject lines like "Fwd: Crazy Illegal Sex" or "*Hot Movie*." The following week, a group of security researchers warned that an e-mail promising Kama Sutra photographs was spreading a worm designed to delete every document it could access in popular file formats such as Microsoft Word and Excel.

You might hope that none of your employees would fall for such prurient appeals. But someone who knows better than to open an attachment on a spammy-looking e-mail might be duped by a more targeted attack—for example, with an e-mail that appears to come from a regulatory body in his firm's industry.


This article was originally published on 2006-02-06
David F. Carr is the Technology Editor for Baseline Magazine, a Ziff Davis publication focused on information technology and its management, with an emphasis on measurable, bottom-line results. He wrote two of Baseline's cover stories focused on the role of technology in disaster recovery, one focused on the response to the tsunami in Indonesia and another on the City of New Orleans after Hurricane Katrina. David has been the author or co-author of many Baseline Case Dissections on corporate technology successes and failures (such as the role of Kmart's inept supply chain implementation in its decline versus Wal-Mart or the successful use of technology to create new market opportunities for office furniture maker Herman Miller). He has also written about the FAA's halting attempts to modernize air traffic control, and in 2003 he traveled to Sierra Leone and Liberia to report on the role of technology in United Nations peacekeeping. David joined Baseline prior to the launch of the magazine in 2001 and helped define popular elements of the magazine such as Gotcha!, which offers cautionary tales about technology pitfalls and how to avoid them.
