IBM Security Trusteer Anti-Phishing Solutions: Effective Ways to Combat Phishing Solution Guide
Version 2.0
August 2014
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd. 19-21, Nihonbashi-Hakozakicho, Chuo-ku Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
IBM Security Trusteer Anti-Phishing Solutions: Effective Ways to Combat Phishing | ii Solution Guide Version 2.0 Copyright 2013, 2014 IBM Corp.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to change before the products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
Copyright License
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. 2004, 2014. All rights reserved.
If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Privacy Policy Considerations
IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings.
For more information about the use of various technologies, including cookies, for these purposes, see the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.
Contents
Notices
Copyright License
Trademarks
Privacy Policy Considerations
1. Front Matter
About this Publication
Support Information
Accessibility
Statement of Good Security Practices
2. The Phishing Phenomena
Phishing, It’s Easy and It Works
The Importance of Immediate Detection and Prevention
Winning the Phishing War
3. IBM’s Anti-Phishing Solutions
IBM Security Trusteer Pinpoint Criminal Detection
IBM Security Trusteer Rapport
Immediate Phishing Detection and Counter Measures
Credential Loss Prevention
4. Summary
1. Front Matter
About this Publication
Phishing attacks have been used for so long that it may seem strange that end users
still fall for them. It should be simple; end users should know that their Financial
Institution (FI) never sends emails asking them to divulge personal information;
however, phishing attacks still work. They are very easy to construct and leave
fraudsters with a nice profit, while FIs are left to cover the costs. IBM brings a fresh
approach to the problem, helping FIs win the phishing war with its advanced anti-
phishing solutions.
Support Information
For support information, refer to our Support website:
http://www.trusteer.com/support
Accessibility
Accessibility features help users with a disability, such as restricted mobility or limited
vision, to use software products successfully. With this product, you can use assistive
technologies to hear and navigate the interface.
Statement of Good Security Practices
IT system security involves protecting systems and information through prevention,
detection and response to improper access from within and outside your organization.
Improper access can result in information being altered, destroyed, misappropriated
or misused or can result in damage to or misuse of your systems, including for use in
attacks on others. No IT system or product should be considered completely secure
and no single product, service or security measure can be completely effective in
preventing improper use or access. IBM® systems, products and services are designed
to be part of a comprehensive security approach, which will necessarily involve
additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS,
PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ORGANIZATION
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
2. The Phishing Phenomena
Phishing is a criminal identity theft activity that is committed online by mimicking a
legitimate institute’s website. Phishing sites ask naive end users to divulge sensitive
personal information by pretending to be their bank, IT administrator, healthcare
agency or any other legitimate institute that may require personal information. Most
phishing campaigns start with a spoofed email that takes the end user to the
fraudulent website or installs a phishing application on their machine. By using
sophisticated social engineering techniques, fraudsters are able to convince some end
users that this is indeed a legitimate request and are able to steal the end user’s
credentials and identity.
Fraudsters then use these credentials to log into the victim’s online banking account
and transfer money out of the account, or use the victim’s payment card to buy goods.
Some examples of phishing sites are shown in the following figures.
Figure 1: Example of a Phishing Site
Figure 2: Another Example of a Phishing Site
Phishing, It’s Easy and It Works
Since the first documented phishing campaign in 2003, phishing has continued to be
a growing problem. This is despite continued customer education plans carried out by
banks worldwide and various takedown services that sprang to life in an attempt to
control the problem.
According to APWG’s Global Phishing Report for 1H 2013, there were over 70,000
unique phishing attacks worldwide during this period. Overall, there have not been
fewer than 200,000 unique phishing attacks per year in the past 3 years.
After 11 years and various anti-phishing solutions the question arises: Why is phishing
still such a widespread phenomenon?
The answer is simple: phishing is easy and it works. Research shows more than $0.5
billion is lost each year due to phishing attacks worldwide. With phishing kits available
online at near zero cost, phishing attacks are easy to build, do not require any prior
knowhow or ongoing maintenance and produce a nice profit.
Figure 3: Phishing attack trends 2010-2013 from APWG’s 1H 2013 Global Phishing Survey
The Importance of Immediate Detection and Prevention
Extensive research was conducted by Trusteer on credential loss to phishing attacks
to determine the evolution and impact of phishing attacks. This research shows that
the first few hours of an attack are the most critical ones. The analysis shows evidence
that 70% of credential theft from phishing attacks occurs during the first 3 hours after
the phishing site goes live.
According to APWG’s Global Phishing Survey for 2H 2012, existing solutions, such as
takedown services, require an average of 26 hours to shut down a phishing site. This
means that before most anti-phishing vendors are able to take any measures against
a phishing site, the vast majority of end users’ personal information has already been
stolen. Therefore, in order for phishing attack mitigation to have a substantial effect, it
must reach compromised end users very quickly.
Figure 4: Credential Loss to Phishing Attacks
Winning the Phishing War
It is now evident that phishing attacks must be countered as soon as possible after the
attack launch time, otherwise the vast majority of credentials will have already been
stolen and the battle is lost.
Fighting phishing attacks requires an all-in-one anti-fraud solution that first and
foremost protects end users against credential theft.
Financial Institutions (FIs) that want to be proactive in protecting the end user’s
personal information should consider deploying a solution that is able to detect
phishing attacks instantaneously and take immediate action. The action taken after
detection can vary based on the FI’s security and business considerations.
3. IBM’s Anti-Phishing Solutions
IBM Security Trusteer Pinpoint Criminal Detection
IBM Security Trusteer Pinpoint Criminal Detection ("PPCD") protects online banking
sites against account takeover and fraudulent transactions. When a user accesses the
online banking site, device and session attributes are remotely collected from the
user’s endpoint as well as the associated account ID. Collected information is used to
generate a complex device fingerprint, profile user behavior, tag fraudster devices,
detect device spoofing, and identify access with compromised credentials. PPCD
correlates this data in real-time with other data sources such as real-time malware
infection and phishing incidents, as well as information from IBM endpoint clients and
feedback from the banks, to conclusively identify criminal account access.
IBM Security Trusteer Rapport
IBM Security Trusteer Rapport ("Rapport") is a customer proven anti-fraud solution
based on a winning combination of advanced security software and a cloud-based
analysis and reporting service. Rapport protects personally identifiable information
(such as online account credentials) from theft by malware and via phishing attacks,
as well as prevents infection and execution of financial malware.
Rapport offers a multi-tiered anti-phishing approach, which proactively protects the
end user from exposing sensitive information and even from navigating to a phishing
site.
Together, PPCD and Rapport construct a robust anti-phishing solution that is able to
detect phishing attacks of various types and prevent credential loss.
Immediate Phishing Detection and Counter Measures
IBM Security Trusteer Pinpoint Carbon Copy
When criminals create phishing sites, they usually copy the page content from the
authentic web application and use it to create a replica of the original site. PPCD
contains a set of code snippets that are embedded into the FI’s web application that
will enter the phishing ecosystem when the page content is copied from the authentic
web application. When this code is executed within a phishing site, all phishing
attempts are reported to the IBM servers and from there directly to the FI. This ensures
that FIs are aware of phishing attacks during the phishing site creation process, even
before these are executed and reach end users.
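The following sketch illustrates the idea described above: a script that stays silent on the authentic site and reports when the copied page runs anywhere else. It is an added example, not IBM's or PPCD's code; the hostnames, the collector URL and the function names are assumptions made for the illustration.

```javascript
// Added illustration, not IBM code. Hostnames and the collector URL are
// constructed placeholders for the FI's real values.
const AUTHENTIC_HOSTS = ['bank.example', 'www.bank.example', 'online.bank.example'];
const REPORT_URL = 'https://canary.bank.example/clone-report'; // hypothetical

// Exact match on the normalised hostname. A suffix or substring test would
// accept lookalikes such as "online.bank.example.login.test".
function isAuthenticHost(hostname) {
  const h = String(hostname || '').toLowerCase().replace(/\.$/, '');
  return AUTHENTIC_HOSTS.includes(h);
}

// Returns null when the page runs on the authentic site, otherwise the report
// a copied page would send. The query string and fragment are left out on
// purpose: on a live phishing page they can carry victim data. For a copy
// opened from disk the path is dropped too, since it names local folders.
function buildCloneReport(loc, referrer, now = new Date()) {
  if (isAuthenticHost(loc.hostname)) return null;
  const localCopy = loc.protocol === 'file:' || !loc.hostname;
  return {
    observedAt: now.toISOString(),
    reason: localCopy ? 'local-copy' : 'foreign-host',
    host: localCopy ? null : String(loc.hostname).toLowerCase(),
    path: localCopy ? null : loc.pathname,
    referrer: referrer || null,
  };
}

// Browser wiring: runs only where a DOM exists, so the functions above can
// also be exercised under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const report = buildCloneReport(window.location, document.referrer);
  if (report && navigator.sendBeacon) {
    navigator.sendBeacon(REPORT_URL, JSON.stringify(report));
  }
}
```

The 'local-copy' case corresponds to a page opened from disk, which is how a report can arrive while a copy is still being assembled and before it is hosted.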
IBM Security Trusteer Rapport Phishing Protection
IBM Security Trusteer Rapport Phishing Protection ("Phishing Protection") is a
phishing detection add-on to Rapport which detects phishing sites immediately as the
end user accesses them and reports the phishing URLs back to the FI.
Once installed on a machine, Rapport monitors all the websites accessed by the end
user and identifies phishing websites that target IBM partners. This process happens
as soon as a website is loaded in the browser and is transparent to the end user. If
Rapport deems a site as phishing, the URL is sent to IBM security analysts for further
analysis and confirmation, which occurs within minutes.
The confirmed phishing URLs are recorded by Rapport and are reported to the FIs via
two separate channels:
IBM Security Trusteer Rapport Fraud Feeds
IBM Security Trusteer Rapport Fraud Feeds are near real-time alerts about
immediate threats that require the organization’s attention. They enable the
organization to take proactive action towards mitigating attacks against their
customers and preventing future attacks on additional customers. The feeds
are sent either by email, typically used for manual processing of alerts, or via
secure delivery of flat files on a periodic basis which is suitable for automatic
processing.
Trusteer Management Application
The Trusteer Management Application (TMA) is a management and reporting
tool for Rapport and other IBM services. Using the TMA, FIs can get insight into
malware and phishing industry fraud trends.
FIs using Phishing Protection gain access to the Phishing Protection module of
the TMA where they can view all phishing attacks recorded by IBM, as well as
additional information, such as the number of Rapport users who were
exposed to the attack.
Figure 5: Rapport phishing site detection and reporting process
This process ensures that FIs working with Rapport are informed of new phishing
attacks from the very first user that encounters the attack and provides the flexibility
to determine the appropriate counter measures, based on the FI’s business and
security considerations.
Stealth Phishing Protection
Rapport can be integrated with the Security API. This API allows for silently alerting
the FI’s backend system when an end user is phished. Using this solution, Rapport
detects phishing attacks in real-time, as detailed above, and silently reports the attack
to IBM, via the Security API. This valuable information is then stored in the IBM servers
and can be used to determine the risk level of subsequent logins. The FI can query IBM,
using the Security API, to determine if a certain transaction is risky based on the
information reported by Rapport.
In order to prevent fraudsters from realizing the attack was discovered, it is
recommended that FIs allow the fraudster to complete the transaction without really
transferring any funds. This way the fraudster is not aware of the attack discovery and
the account is still protected. FIs can then contact the affected end user to re-credential
the online banking user ID and password.
Figure 6: Step 1 - An end user’s credentials are phished, Rapport alerts the cloud, and FIs can then query the risk level of transactions
Figure 7: Step 2 - Fraudster uses the phished credentials; the bank “allows” the transaction and engages the end user
Stealth Phishing Protection is unparalleled in the anti-phishing industry and makes use
of IBM’s unique phishing detection and credential protection capabilities, allowing
fraud to be discovered as it happens without giving away detection secrets to the
fraudster.
Note: Phishing Protection and Stealth Phishing Protection are add-ons and require separate licensing. For further details please contact your Rapport representative.
Credential Loss Prevention
Rapport is designed not only to detect suspicious sites and alert the FI, but also to
prevent credential loss to such sites. Rapport has a suite of anti-phishing counter
measures, which allow FIs to choose the approach that best fits their needs. IBM is
guided by the notion that whatever protective approach FIs take, Rapport will execute
it in real time, thus ensuring the FI and its customers stay protected.
User ID/Password Learning
Rapport can proactively protect end users’ online banking credentials. Once installed
on the machine, Rapport waits for the end user to log into the FI’s legitimate website
and asks the end user whether Rapport should protect these credentials in other sites.
Rapport warns the end user if those credentials are used on other websites.
Figure 8: Rapport offers to protect sensitive information
The learning process for the User ID and/or password does not involve sending them
to IBM, but only stores a one-way hashed version locally. Thereafter, every time the
user enters these credentials elsewhere Rapport will prompt with a warning message.
Figure 9: A user submits credentials in a fake site and Rapport warns immediately
Note: Rapport can be configured to protect the online banking credentials silently, without prompting the end user, to avoid tipping off fraudsters.
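The learning and warning steps described above can be illustrated with a short sketch: keep only a salted one-way verifier of the credential, bound to the legitimate site's origin, and compare every later form submission against it. This is an added example, not Rapport's implementation; the class and method names, the choice of scrypt and the sample URLs are assumptions.

```javascript
const crypto = require('node:crypto');

// Added illustration, not IBM code: one way a local agent can keep only a
// one-way verifier of a credential and still detect its reuse elsewhere.
class CredentialGuard {
  constructor(salt = crypto.randomBytes(16)) {
    this.salt = salt;    // per-install random salt, stays on the machine
    this.records = [];   // { origin, verifier } pairs; never plaintext
  }

  // scrypt is deliberately slow: user IDs and passwords are low-entropy, so
  // a fast hash of them could be brute-forced from the local store.
  derive(value) {
    return crypto.scryptSync(value.normalize('NFKC'), this.salt, 32);
  }

  // Called after a successful login on the FI's legitimate site.
  learn(siteUrl, value) {
    this.records.push({
      origin: new URL(siteUrl).origin,
      verifier: this.derive(value),
    });
  }

  // Called before a form is submitted anywhere. Returns the protected origin
  // whose credential is about to leave for a different origin, or null.
  // Origins are compared as scheme + host + port, so the plain-http variant
  // of the legitimate host also counts as "elsewhere".
  check(siteUrl, fieldValues) {
    const origin = new URL(siteUrl).origin;
    for (const value of fieldValues) {
      if (!value) continue; // skip empty fields
      const candidate = this.derive(value);
      for (const rec of this.records) {
        const same = crypto.timingSafeEqual(candidate, rec.verifier);
        if (same && rec.origin !== origin) return rec.origin;
      }
    }
    return null;
  }
}
```

Whether a non-null result leads to a visible warning or to silent reporting is the configuration choice described in the note above.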
Risky Site Submission
Rapport can also warn a user without previously learning any credentials. When a user
navigates to a site that asks for sensitive information (e.g. contains a password field)
and the site is deemed risky, Rapport warns users not to divulge any information to
this site. In addition, Rapport can navigate the user away from this site immediately.
Figure 10: Risky Site Submission warning message
A Tiered Approach
The two identity protection mechanisms described above can operate in parallel. This
delivers a robust identity protection solution that proactively prevents exposure of the
FI’s credentials to unauthorized 3rd parties.
Rapport Blacklisting
Once a site is confirmed as a phishing site, Rapport has the ability to blacklist phishing
URLs and warn end users against navigating to such sites.
Figure 11: Rapport Blacklisting
Rapport also reports back to the bank, using feeds, users who, despite being warned,
navigated to the phishing site. The FI can then contact these users to report their
credentials being phished. This option also serves as an educational tool to help
increase end user awareness of phishing attacks.
Another option available to FIs is to silently navigate end users away from phishing
sites. Upon blacklisting a certain site, Rapport can be configured to simply navigate
users away from the blocked URL to the FI’s legitimate website without alerting the
end user. This option makes sure users are not exposed to phishing sites at all.
4. Summary
Phishing can be fought successfully as long as the right means are employed.
Traditional methods such as shut down services and end user education have helped
increase industry and customer awareness of the problem but have failed to stop it or
protect against end user credential theft.
IBM leverages its presence on endpoint devices to tackle the problem as it happens on
the end user’s machine and prevent credential theft in real time. IBM offers a suite of
solutions, bringing together a simple principle of early detection and a variety of
counter measures so that every FI can choose just the right approach according to its
needs.
Anti-fraud specialists who are concerned with the costs of phishing have a solution
that is effective against today’s attacks and dynamically adapts to threats.