IBM Security Trusteer Anti-Phishing Solutions: Effective Ways to Combat Phishing Solution Guide Version 2.0 August 2014


Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd. 19-21, Nihonbashi-Hakozakicho, Chuo-ku Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

IBM Security Trusteer Anti-Phishing Solutions: Effective Ways to Combat Phishing | ii Solution Guide Version 2.0 Copyright 2013, 2014 IBM Corp.


Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Copyright License

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. 2004, 2014. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.


Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings.

For more information about the use of various technologies, including cookies, for these purposes, see the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.


Contents

Notices
  Copyright License
  Trademarks
  Privacy Policy Considerations
1. Front Matter
  About this Publication
  Support Information
  Accessibility
  Statement of Good Security Practices
2. The Phishing Phenomena
  Phishing, It’s Easy and It Works
  The Importance of Immediate Detection and Prevention
  Winning the Phishing War
3. IBM’s Anti-Phishing Solutions
  IBM Security Trusteer Pinpoint Criminal Detection
  IBM Security Trusteer Rapport
  Immediate Phishing Detection and Counter Measures
  Credential Loss Prevention
4. Summary


1. Front Matter

About this Publication

Phishing attacks have been used for so long that it may seem strange that end users still fall for them. It should be simple; end users should know that their Financial Institution (FI) never sends emails asking them to divulge personal information; however, phishing attacks still work. They are very easy to construct and leave fraudsters with a nice profit, while FIs are left to cover the costs. IBM brings a fresh approach to the problem, helping FIs win the phishing war with its advanced anti-phishing solutions.

Support Information

For support information, refer to our Support website:

http://www.trusteer.com/support

Accessibility

Accessibility features help users with a disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface.


Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your organization. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM® systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ORGANIZATION IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


2. The Phishing Phenomena

Phishing is a criminal identity theft activity that is committed online by mimicking a legitimate institute’s website. Phishing sites ask naive end users to divulge sensitive personal information by pretending to be their bank, IT administrator, healthcare agency or any other legitimate institute that may require personal information. Most phishing campaigns start with a spoofed email that takes the end user to the fraudulent website or installs a phishing application on their machine. By using sophisticated social engineering techniques, fraudsters are able to convince some end users that this is indeed a legitimate request and are able to steal the end user’s credentials and identity.

Fraudsters then use these credentials to log into the victim’s online banking account and transfer money out of the account, or use the victim’s payment card to buy goods.


Some examples of phishing sites are shown in the following figures.

Figure 1: Example of a Phishing Site


Figure 2: Another Example of a Phishing Site

Phishing, It’s Easy and It Works

Since the first documented phishing campaign in 2003, phishing has continued to be a growing problem. This is despite continued customer education plans carried out by banks worldwide and various takedown services that sprang to life in an attempt to control the problem.

According to APWG’s Global Phishing Report for 1H 2013, there were over 70,000 unique phishing attacks worldwide during this period. Overall, there have not been fewer than 200,000 unique phishing attacks per year in the past 3 years.

After 11 years and various anti-phishing solutions, the question arises: Why is phishing still such a widespread phenomenon?


The answer is simple: phishing is easy and it works. Research shows more than $0.5 billion is lost each year due to phishing attacks worldwide. With phishing kits available online at near zero cost, phishing attacks are easy to build, do not require any prior know-how or ongoing maintenance, and produce a nice profit.

Figure 3: Phishing attack trends 2010-2013 from APWG’s 1H 2013 Global Phishing Survey

The Importance of Immediate Detection and Prevention

Extensive research was conducted by Trusteer on credential loss to phishing attacks to determine the evolution and impact of phishing attacks. This research shows that the first few hours of an attack are the most critical ones. The analysis shows evidence that 70% of credential theft from phishing attacks occurs during the first 3 hours after the phishing site goes live.

According to APWG’s Global Phishing Survey for 2H 2012, existing solutions, such as takedown services, require an average of 26 hours to shut down a phishing site. This means that before most anti-phishing vendors are able to take any measures against a phishing site, the vast majority of end users’ personal information has already been stolen. Therefore, in order for phishing attack mitigation to have a substantial effect, it must reach compromised end users very quickly.

Figure 4: Credential Loss to Phishing Attacks

Winning the Phishing War

It is now evident that phishing attacks must be countered as soon as possible after the attack launch time, otherwise the vast majority of credentials will have already been stolen and the battle is lost.

Fighting phishing attacks requires an all-in-one anti-fraud solution that first and foremost protects end users against credential theft.

Financial Institutions (FIs) that want to be proactive in protecting the end user’s personal information should consider deploying a solution that is able to detect phishing attacks instantaneously and take immediate action. The action taken after detection can vary based on the FI’s security and business considerations.


3. IBM’s Anti-Phishing Solutions

IBM Security Trusteer Pinpoint Criminal Detection

IBM Security Trusteer Pinpoint Criminal Detection ("PPCD") protects online banking sites against account takeover and fraudulent transactions. When a user accesses the online banking site, device and session attributes are remotely collected from the user’s endpoint as well as the associated account ID. Collected information is used to generate a complex device fingerprint, profile user behavior, tag fraudster devices, detect device spoofing, and identify access with compromised credentials. PPCD correlates this data in real-time with other data sources such as real-time malware infection and phishing incidents, as well as information from IBM endpoint clients and feedback from the banks, to conclusively identify criminal account access.

IBM Security Trusteer Rapport

IBM Security Trusteer Rapport ("Rapport") is a customer-proven anti-fraud solution based on a winning combination of advanced security software and a cloud-based analysis and reporting service. Rapport protects personally identifiable information (such as online account credentials) from theft by malware and via phishing attacks, and also prevents infection and execution of financial malware.

Rapport offers a multi-tiered anti-phishing approach, which proactively protects the end user from exposing sensitive information and even from navigating to a phishing site.

Together, PPCD and Rapport construct a robust anti-phishing solution that is able to detect phishing attacks of various types and prevent credential loss.


Immediate Phishing Detection and Counter Measures

IBM Security Trusteer Pinpoint Carbon Copy

When criminals create phishing sites, they usually copy the page content from the authentic web application and use it to create a replica of the original site. PPCD contains a set of code snippets that are embedded into the FI’s web application and that enter the phishing ecosystem when the page content is copied from the authentic web application. When this code is executed within a phishing site, all phishing attempts are reported to the IBM servers and from there directly to the FI. This ensures that FIs are aware of phishing attacks during the phishing site creation process, even before these are executed and reach end users.

IBM Security Trusteer Rapport Phishing Protection

IBM Security Trusteer Rapport Phishing Protection ("Phishing Protection") is a phishing detection add-on to Rapport which detects phishing sites immediately as the end user accesses them and reports the phishing URLs back to the FI.

Once installed on a machine, Rapport monitors all the websites accessed by the end user and identifies phishing websites that target IBM partners. This process happens as soon as a website is loaded in the browser and is transparent to the end user. If Rapport deems a site as phishing, the URL is sent to IBM security analysts for further analysis and confirmation, which occurs within minutes.

The confirmed phishing URLs are recorded by Rapport and are reported to the FIs via two separate channels:

IBM Security Trusteer Rapport Fraud Feeds

IBM Security Trusteer Rapport Fraud Feeds are near real-time alerts about immediate threats that require the organization’s attention. They enable the organization to take proactive action towards mitigating attacks against their customers and preventing future attacks on additional customers. The feeds are sent either by email, typically used for manual processing of alerts, or via secure delivery of flat files on a periodic basis, which is suitable for automatic processing.

Trusteer Management Application

The Trusteer Management Application (TMA) is a management and reporting tool for Rapport and other IBM services. Using the TMA, FIs can get insight into malware and phishing industry fraud trends.

FIs using Phishing Protection gain access to the Phishing Protection module of the TMA where they can view all phishing attacks recorded by IBM, as well as additional information, such as the number of Rapport users who were exposed to the attack.

Figure 5: Rapport phishing site detection and reporting process

This process ensures that FIs working with Rapport are informed of new phishing attacks from the very first user that encounters the attack and provides the flexibility to determine the appropriate counter measures, based on the FI’s business and security considerations.


Stealth Phishing Protection

Rapport can be integrated with the Security API. This API allows for silently alerting the FI’s backend system when an end user is phished. Using this solution, Rapport detects phishing attacks in real-time, as detailed above, and silently reports the attack to IBM, via the Security API. This valuable information is then stored in the IBM servers and can be used to determine the risk level of subsequent logins. The FI can query IBM, using the Security API, to determine if a certain transaction is risky based on the information reported by Rapport.

In order to prevent fraudsters from realizing the attack was discovered, it is recommended that FIs allow the fraudster to complete the transaction without really transferring any funds. This way the fraudster is not aware of the attack discovery and the account is still protected. FIs can then contact the affected end user to re-credential the online banking user ID and password.

Figure 6: Step 1 - An end user’s credentials are phished, Rapport alerts the cloud, and FIs can then query the risk level of transactions


Figure 7: Step 2 - Fraudster uses the phished credentials; the bank “allows” the transaction and engages the end user

Stealth Phishing Protection is unparalleled in the anti-phishing industry and makes use of IBM’s unique phishing detection and credential protection capabilities, allowing fraud to be discovered as it happens without giving away detection secrets to the fraudster.

Note: Phishing Protection and Stealth Phishing Protection are add-ons and require separate licensing. For further details please contact your Rapport representative.

Credential Loss Prevention

Rapport is designed not only to detect suspicious sites and alert the FI, but also to prevent credential loss to such sites. Rapport has a suite of anti-phishing counter measures, which allow FIs to choose the approach that best fits their needs. IBM is guided by the notion that whatever protective approach FIs take, Rapport will execute it in real time, thus ensuring the FI and its customers stay protected.


User ID/Password Learning

Rapport can proactively protect end users’ online banking credentials. Once installed on the machine, Rapport waits for the end user to log into the FI’s legitimate website and asks the end user whether Rapport should protect these credentials in other sites. Rapport warns the end user if those credentials are used on other websites.

Figure 8: Rapport offers to protect sensitive information

The learning process for the User ID and/or password does not involve sending them to IBM, but only stores a one-way hashed version locally. Thereafter, every time the user enters these credentials elsewhere Rapport will prompt with a warning message.

Figure 9: A user submits credentials in a fake site and Rapport warns immediately

Note: Rapport can be configured to protect the online banking credentials silently, without prompting the end user, to avoid tipping off fraudsters.


Risky Site Submission

Rapport can also warn a user without previously learning any credentials. When a user navigates to a site that asks for sensitive information (e.g. contains a password field) and the site is deemed risky, Rapport warns users not to divulge any information to this site. In addition, Rapport can navigate the user away from this site immediately.

Figure 10: Risky Site Submission warning message

A Tiered Approach

The two identity protection mechanisms described above can operate in parallel. This delivers a robust identity protection solution that proactively prevents exposure of the FI’s credentials to unauthorized 3rd parties.
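How the learned-credential check (User ID/Password Learning) and the password-field check (Risky Site Submission) can run side by side, as an added example that is not IBM's or Rapport's code. It assumes PBKDF2-SHA256 as the one-way hash, exact-hostname matching, and a constructed set of risky hosts; all class and function names are hypothetical.

```python
# Added example: local credential-reuse guard plus risky-site password-field check.
# Hosts, HTML and the risky-host set are constructed; this is not Rapport's code.
import hashlib
import hmac
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this example


def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return urlsplit(url).hostname or ""


class CredentialGuard:
    """Holds only salted one-way hashes of learned credentials, keyed by protected host."""

    def __init__(self):
        self._learned = {}  # protected host -> [(salt, digest), ...]

    @staticmethod
    def _digest(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def learn(self, url, secret):
        """Called after a login on the legitimate site; the plaintext is not kept."""
        salt = os.urandom(16)
        self._learned.setdefault(host_of(url), []).append((salt, self._digest(secret, salt)))

    def reused_on(self, url, typed):
        """Return the protected host whose credential was typed on another host, else None."""
        here = host_of(url)
        for protected, entries in self._learned.items():
            if protected == here:
                continue  # typing the credential on its own site is expected
            for salt, digest in entries:
                if hmac.compare_digest(self._digest(typed, salt), digest):
                    return protected
        return None


class PasswordFieldFinder(HTMLParser):
    """Sets .found when the page contains <input type="password">."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True


def asks_for_password(page_html):
    finder = PasswordFieldFinder()
    finder.feed(page_html)
    return finder.found


def decide(guard, risky_hosts, url, page_html, typed=""):
    """Run both tiers: learned-credential reuse first, then the risky-site check."""
    if typed and guard.reused_on(url, typed):
        return "warn-credential-reuse"
    if host_of(url) in risky_hosts and asks_for_password(page_html):
        return "warn-risky-site"
    return "allow"


if __name__ == "__main__":
    guard = CredentialGuard()
    guard.learn("https://bank.example/login", "correct horse 42")   # constructed
    risky = {"bank-secure-login.example.net"}                       # constructed
    form = '<form><input name="u"><input type="password" name="p"></form>'
    print(decide(guard, risky, "https://bank-secure-login.example.net/", form))
    print(decide(guard, set(), "https://forum.example.org/", form, "correct horse 42"))
    print(decide(guard, set(), "https://bank.example/login", form, "correct horse 42"))
```

Because matching is by exact hostname, a credential learned on one hostname of the FI would also trigger a warning on a sibling hostname of the same FI; a deployment would need an explicit list of the FI's legitimate hosts.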


Rapport Blacklisting

Once a site is confirmed as a phishing site, Rapport has the ability to blacklist phishing URLs and warn end users against navigating to such sites.

Figure 11: Rapport Blacklisting

Rapport also reports back to the bank, using feeds, users who, despite being warned, navigated to the phishing site. The FI can then contact these users to report their credentials being phished. This option also serves as an educational tool to help increase end user awareness of phishing attacks.

Another option available to FIs is to silently navigate end users away from phishing sites. Upon blacklisting a certain site, Rapport can be configured to simply navigate users away from the blocked URL to the FI’s legitimate website without alerting the end user. This option makes sure users are not exposed to phishing sites at all.


4. Summary

Phishing can be fought successfully as long as the right means are employed. Traditional methods such as shut down services and end user education have helped increase industry and customer awareness of the problem but have failed to stop it or to prevent end user credential theft.

IBM leverages its presence on endpoint devices to tackle the problem as it happens on the end user’s machine and prevent credential theft in real time. IBM offers a suite of solutions, bringing together a simple principle of early detection and a variety of counter measures so that every FI can choose just the right approach according to its needs.

Anti-fraud specialists who are concerned with the costs of phishing have a solution that is effective against today’s attacks and dynamically adapts to threats.
