Customer Involvement in Phishing Defence

Jordan Schroeder, CEH

June 21, 2011

Abstract

Phishing is a major source of e-commerce insecurity, and human behaviour is a larger factor in preventing security breaches than technology is. Phishing can defeat highly secure technologies by using unsophisticated technology with highly sophisticated psychological techniques. From the e-commerce vendor or service provider’s perspective, the solution is to employ the latest secure technology in conjunction with educating and training their customers and users on how to protect themselves.

Introduction

Phishing is the greatest threat that online banking currently faces. One hundred years ago, outlaws would break into bank vaults to steal cash, but in the Web 2.0 era, ‘Information Highwaymen’ break into individual customer accounts as they go about their day-to-day business. Just as bankers of old would install better safes, current bankers seek to solve this threat to their customers’ accounts and to their own reputation by implementing new technology. This approach is important and necessary, but the banking industry needs to be aware that it is only a foundational step that alone will not provide the security they seek.

Attacks are carried out using technology, but phishing is completed by the victims themselves. Unlike hacking attacks that can steal without the need for an authorized party to be actively involved, what makes phishing so effective is that the victim is the crucial element used to bypass security. In other words, traditional attacks require overwhelming force, but phishing is a con game. Sufficiently advanced technology can block traditional brute-force attacks, but stopping phishing effectively requires that the potential victims play an active role in the defensive process, which requires two elements: education and behavioural modification. This paper will look at how an e-commerce organization can instil knowledge and skills in its customers in order to protect both parties.

Phishing as an Attractive Criminal Enterprise

There are a number of statistics that show how attractive phishing is to criminal organizations:

• The number of phishing emails an average individual receives has increased from one or two a week to more than 70 every day (1)

• More than 420,000 scam emails are sent every hour in the United Kingdom (2)

• 55 percent of phishing scams are fake bank emails (2)


• A quarter of British citizens admitted to falling for phishing emails, losing on average £285 (2)

• Online banking fraud has surged by 132% during the last year (2)

• Phishing web sites created by automated tool kits doubled with an increase of 123% from May 2010 to August 2010 (2)

• One criminal automatic phishing kit was downloaded over 200,000 times, according to its creator (3)

In the words of Tracy Kitten of Bank Info Security, “clearly, cybercriminals see value in phishing” (1).

What makes phishing an attractive criminal medium? Phishing is easy, free, bypasses firewalls, bypasses spam filters, bypasses anti-phishing filters, and can result in very lucrative payouts (4–9). No matter how sophisticated the technological defences are, phishing takes advantage of the access that an authorized person has, either by getting the user to disclose their username and password or by piggybacking on a connection to a secure website. Once an attacker has this access, funds are often transferred to bank accounts in countries that have poor banking fraud laws (10), which further limits the risk of the act. To make things worse, phishing techniques are evolving quickly (1,2,10,11). Phishing is so effective that it is used for a variety of purposes and is the primary method used by hackers to gain access to secure networks, instead of the traditional sophisticated hacking of firewalls and servers (12). This means that devising a defence against this devastating, continuous, and persistent threat is an imperative.

There are two basic approaches to phishing: dragnet and spear phishing. Dragnet phishing sends emails to great numbers of people, hoping to get a few to fall for the trap (11,12). Spear phishing seeks to gain the confidence of a few potential victims, or even just one (1). By focusing on a select few potential victims, the attacker can craft emails in such a way as to increase their legitimate appearance to the recipient, and thereby increase the chances that the attack will succeed. With the amount of information available online from corporate websites and social networks, it is a simple thing to craft a personal-sounding email (12–14). No matter the intended target, phishing has proven to be simple and easy to execute, and shockingly effective for its purpose.

Technological Defence

The response to phishing threats has been to develop increasingly sophisticated technology, but the widespread approach, so far, has only been to address the individual symptoms of an attack. Effective phishing websites have URLs that are close in appearance to legitimate bank URLs and are kept online for as long as possible, while supporting multiple phishing campaigns. The defensive response is to maintain lists of these malicious URLs and block access to them. Phishers respond by generating disposable websites that can be replaced as soon as the existing site is blocked or taken down by the authorities. As a result of this approach, phishers have discovered that a website does not need to exist for a long period of time, because 90% of people who respond to a phishing email do so within ten hours of receiving the email (15). Defenders develop algorithms to inspect URLs and determine whether they were designed to mimic legitimate URLs, but this approach does not work if the URL is not intended to mimic a legitimate one, and it is even less effective if a legitimate web server has been hacked to host the phishing site (14).

One of the easier ways to defend against phishing is to look at the content of emails and block those that use common phishing phrases, but attackers circumvent this approach by using sparsely worded emails with the phishing message in a file as an attachment (7). The standard response to this approach is to block all or certain attachment types, but as long as attachments of any type are allowed, which is true for most organizations, the threat remains. Along the same line of thinking, spam filters analyze the metadata of an email to determine the likelihood that the email is or is not spam, based on common spam characteristics. This approach is effective in blocking the dragnet method of phishing, but not if the email comes from a previously approved source that has been hacked, or if the email is targeted, as is the case in spear phishing (8).
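The three symptom-level defences discussed above (look-alike URL inspection, phrase blocking, and the attachment rule that answers the sparse-email workaround) can be reduced to a few lines of heuristics. The following is an added illustration, not code from the paper or from any product it names; the bank domain, phrase list and sample emails are constructed, and the third sample shows the case the paper describes, a lure hosted on an unrelated domain, producing no findings at all.

```python
from dataclasses import dataclass, field

# Constructed data: a hypothetical bank's known-good hosts (not a real bank).
LEGITIMATE_HOSTS = {"examplebank.com", "online.examplebank.com"}
# A small phrase list of the kind a content filter would block.
PHISHING_PHRASES = ("verify your account", "account will be suspended",
                    "confirm your identity")
# Digits commonly substituted for letters in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


@dataclass
class Email:
    body: str
    link_hosts: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


def registrable_domain(host):
    """Last two labels of a host (naive: ignores suffixes such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, legit=LEGITIMATE_HOSTS):
    """True if host mimics a legitimate domain by homoglyphs, typos or an
    embedded brand label; exact legitimate hosts are never look-alikes."""
    if host.lower() in legit:
        return False
    cand = registrable_domain(host).translate(HOMOGLYPHS)
    for good in {registrable_domain(h) for h in legit}:
        brand = good.split(".")[0]
        if cand == good or edit_distance(cand, good) <= 2 or brand in cand:
            return True
    return False


def findings(email):
    """Apply the three heuristics and list which of them fired."""
    hits = []
    for h in email.link_hosts:
        if is_lookalike(h):
            hits.append(f"lookalike link host: {h}")
    body = email.body.lower()
    if any(p in body for p in PHISHING_PHRASES):
        hits.append("phishing phrase in body")
    if email.attachments and len(body.split()) < 10:
        hits.append("sparse body with attachment")
    return hits


# Constructed samples: a classic lure, an attachment-only lure, and one hosted
# on an unrelated domain that none of the heuristics catch.
SAMPLES = {
    "classic": Email("Please verify your account within 24 hours.",
                     link_hosts=["examp1ebank.com"]),
    "attachment": Email("See attached.", attachments=["statement.pdf"]),
    "unrelated": Email("Your monthly statement is ready to view online.",
                       link_hosts=["cloud-docs-share.net"]),
}
```

Running `findings()` over the three samples is the whole point: the attachment lure trips only the sparse-body rule, and the unrelated-domain lure trips nothing, which is why the paper argues the customer has to be part of the defence.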

Kaspersky Lab, a leader in digital security products, applied for a patent in June 2011 for a new defensive approach. Kaspersky Lab seeks to create a tunnel of trusted identity between the bank’s physical web servers and the customer’s physical computer, where both ends are verified to be the legitimate entity (16). This will have an effect on phishing methods that rely on illegitimate URLs and look-alike websites, but it will only work if the customer uses this verified tunnel to engage in banking activities. Many banking customers (52% in one survey) engage in personal banking activities at work and in other public areas, which circumvents such dedicated tunnels (1).

Another defensive approach is to use ‘two-factor’ authentication, which is gaining in popularity. This approach requires that a user have two forms of authentication, one of which is physical, before being allowed to access the bank’s website. This is a very powerful approach to preventing attackers’ access to accounts, because although the attacker may acquire the login credentials, they will not be able to log in without the second physical authentication device. In response to this method, phishers have developed malware, like Zeus and SpyEye, that prevents a user from logging off of the bank’s website and passes the customer’s web session to the attacker, who then transfers funds from the customer’s accounts (17). Except for the unusual activity itself, there is no technological defence that a bank can develop to prevent this type of attack (10).

Human Behaviour

Phishing is popular with attackers because it is easy to perform, effective, and the technological methods to achieve success are simple. But these benefits hinge on the effectiveness of tricking people into doing something they might not otherwise do. To accomplish that, phishers become manipulators of human behaviour.

One of the common ways to get a user to act is to instil a sense of urgency. When the Epsilon data breach occurred in April 2011, phishers took advantage of the worldwide flood of news of the breach and sent emails to potential victims (emails that they had stolen) telling them that, as a result of the breach, bank customers were at risk of having their bank accounts broken into. The emails included a fake link to a login page where the customers could supply their current credentials. The urgent tone of the email combined with the pre-existing urgency of the news in general proved to be effective (8). This type of manufactured urgency is further compounded by a natural urgency that web users feel when they read email. A multi-university study conducted in early 2011 found that active Internet users were especially susceptible to phishing because they do not take the time to evaluate every communication that they receive (18). This natural sense of urgency contributes to the statistic that half of the respondents to phishing emails visit the illegitimate website within an hour of the emails being sent (15).

Besides urgency, notification of changes in company benefits (11), fear, trust, desire, greed, and curiosity (4) can all be used to successfully manipulate users. One study found that the imposition of responsibility that appears to come from a higher authority is the biggest human driver, being 28% more effective than greed, which was thought to be the most successful manipulation technique (19). The authoritative approach is particularly effective in industries that are highly regulated or in companies that normally operate with a strict authoritative hierarchy (14).

Strangely, those who hold authority are the easiest group of people to phish, even though they should be immune to impositions of responsibility. Company executives can feel that security policies should not apply to them and are quick to complain when they feel that security policies are too restrictive. IT department personnel tend to make allowances for such requests by executives (20). In the same way, CIOs tend to be early adopters of new technology and will bring a new device into the office before it has been properly tested for security. This opens up unknown security holes that attackers can exploit by breaking into the device with a phishing email that contains code designed to take over certain devices. When the CIO uses his new device to read the email, attachment, or link, the device becomes compromised and can be used to send emails using the CIO’s account or as a staging point for breaking into the secure network (20). This vulnerability shows the importance of having a security policy and the importance of following it, no matter who the member of the organization is, as well as showing how otherwise effective technology can be effortlessly subverted by the very people it is supposed to protect.

Effective Remedies

Since technology is not effective in and of itself, the solution to protecting an organization or enterprise is, in the words of the security consultant Jason Street, to “patch the human problem” (20). The focus on people being the solution to phishing is growing in the IT Security and Banking industries (13,14,21). There are two methods to employ: providing information to empower customers, and instigating a change in customers’ behaviour.

The first step to ‘patching the human problem’ is to provide the basic information necessary to identify the hallmarks of a phishing email. Banks and other e-commerce vendors can set up regular newsletters, informational websites, and social networking venues to communicate security tips and warnings (22). Even simple Twitter messages of “Remember: we will never send you an email with a link to log on to your account” can be effective in raising the general awareness of the average user, which in mid-2011 is very low (22). As phishing techniques continue to evolve, a bank or vendor that already has a following of customers who listen to its tips will be able to inform those customers more quickly of the changing threat landscape. Another important consideration is to provide a standard and consistent channel of communication for recent security events and alerts of active threats. If consumers have a trusted source of information apart from emails, they can start to depend on it to verify suspicious-looking communications (23).

The second step in devising a more complete solution to phishing is to engage in active education designed to change the behaviour of the recipient. Knowing the theory behind phishing will only go so far unless the user has a chance to put that knowledge into practice in an instructive environment. This involves the bank or vendor actively trying to phish its own customers. If customers fall for the bait, they are directed to a safe landing page that outlines the error they made and how they could avoid falling for a similar trap in the future. This process continues while gradually increasing the complexity of the phishing types. Phishing one’s own customers and employees has been shown to be a very successful approach, with one vendor seeing a reduction in users falling for the bait by 50-70% (13). PhishMe, a phishing training provider, shows that 58% of participants fall for the first phishing email in their program, but that number drops to around 5% by the fourth round of training emails. These numbers from PhishMe are significant, and this type of training is gaining the attention of government departments like the US Department of Energy (19).

To maintain the effectiveness of ‘ethical phishing’, training needs to be ongoing. Having the presence of mind to weigh the impact of random emails requires the constant vigilance of the user. That level of awareness needs to be supported by constant information and training opportunities, and that cannot be accomplished with a once-a-year program (19). Just as security technology and personnel are required to stay current, so must the recipients of phishing emails.

Conclusion

Phishing is easy to perform, simple in design, highly effective, and disastrously profitable. By focusing on tricking a person to take action on behalf of an attacker, no complex technology is required to bypass the layers of defence erected to protect users. Phishing only works when a user takes action as a result of receiving a malicious email. Technology can be put in place to limit the number of phishing emails and to potentially limit the success of certain types of attacks, but ultimately, it is the user that is the crucial agent in the attack.

Setting up alternative and consistent channels of communication for security news, tips, and alerts can be an effective way to arm customers with relevant information without relying on emails. Testing customers’ knowledge and instilling the skills to identify and avoid phishing emails is currently the most effective method of protecting users, but this solution requires that testing and training be ongoing in order to maintain effectiveness.

With a combination of up-to-date technology and continuous training and support, a phisher’s success can be reduced a significant amount, and indeed, without the implementation of these elements of protection, phishing will continue to be a substantial threat to all banks, e-commerce vendors, and service providers.


Appendix

This paper uses the very latest material available at the time of writing, pulling together the most recent news, reports, analyses, and responses from the IT Security community, as well as the most recent techniques discovered and advertised to be in use by criminal organizations. All available peer-reviewed research and academic studies were too old to be of use for this paper. As one banking IT Security expert said, “The cybercriminal of 2011 has long ago bypassed and surpassed the techniques of 2005” (10).

References

[1] Kitten, Tracy. (18 Jan 2011). “‘Spear-Phishing,’ Risky Behavior and Poor Protections To Blame”. Bank Info Security. http://blogs.bankinfosecurity.com/posts.php?postID=855 (Accessed 21 June 2011)

[2] Skinner, Carrie-ann. (16 Jun 2010). “3.7 billion phishing emails were sent in the last 12 months”. Network World. http://www.networkworld.com/news/2010/061610-37-billion-phishing-emails-were.html (Accessed 21 June 2011)

[3] Brewster, Tom. (23 Jul 2010). “Hackers give birth to phish that never dies”. IT Pro. http://www.itpro.co.uk/625453/hackers-give-birth-to-phish-that-never-dies (Accessed 21 June 2011)

[4] Vasudevan, N. Thanuja, B M. (15 Aug 2010). “Cyber goons phish beyond financial transactions”. Financial Chronicle. http://www.mydigitalfc.com/knowledge/cyber-goons-phish-beyond-financial-transactions-420 (Accessed 21 June 2011)

[5] Jackson, Jeromie. (17 Dec 2010). “Top 5 Social Engineering and Penetration Testing Tools”. Credit Union Information Security Practitioner. http://itknowledgeexchange.techtarget.com/security-assessment/top-5-social-engineering-penetration-testing-tools/ (Accessed 21 June 2011)

[6] Goodchild, Joan. (11 Jan 2010). “Social Engineering: The Basics”. CSO. http://www.csoonline.com/article/514063/social-engineering-the-basics (Accessed 21 June 2011)

[7] Kitten, Tracy. (22 Mar 2011). “Low-Tech Scam Uses Attachments to Fool Spam Filters”. Bank Info Security. http://www.bankinfosecurity.com/articles.php?art_id=3455 (Accessed 21 June 2011)

[8] Rashid, Fahmida Y. (7 Apr 2011). “Chase Bank Phish Emails May Be First Post-Epsilon Scam”. eWeek. http://www.eweek.com/c/a/Security/Chase-Bank-Phish-Emails-May-Be-First-PostEpsilon-Scam-851226/ (Accessed 21 June 2011)

[9] Zetter, Kim. (7 Jun 2011). “Bank Not Responsible for Letting Hackers Steal $300K From Customer”. Wired. http://www.wired.com/threatlevel/2011/06/bank-ach-theft/ (Accessed 21 June 2011)

[10] Krebs, Brian. (8 Jun 2011). “Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security”. KrebsOnSecurity.com. http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/ (Accessed 21 June 2011)

[11] Vijayan, Jaikumar. (20 Apr 2011). “Phishing emerges as major corporate security threat”. Network World. http://www.networkworld.com/news/2011/042011-phishing-emerges-as-major-corporate.html (Accessed 21 June 2011)

[12] Vijayan, Jaikumar. (9 May 2011). “Phishing Becomes More Sophisticated”. Network World. http://www.networkworld.com/news/2011/050911-phishing-becomes-more.html (Accessed 21 June 2011)

[13] Musthaler, Linda. (12 May 2011). “Don’t open that email! How to reduce the threat of phishing”. Network World. http://www.networkworld.com/newsletters/techexec/2011/051311bestpractices.html (Accessed 21 June 2011)

[14] Helms, Karla Jo. (23 May 2011). “Cybercrime Statistics Expose Five Industries Most Susceptible to Phishing Attacks”. PR Newswire. http://www.prnewswire.com/news-releases/cybercrime-statistics-expose-five-industries-most-susceptible-to-phishing-attacks-122436438.html (Accessed 21 June 2011)

[15] Leyden, John. (3 Dec 2010). “Half of phish marks respond to scams within one ‘golden hour’”. The Register. http://www.theregister.co.uk/2010/12/03/phishing_response_survey/ (Accessed 21 June 2011)

[16] Press Release. (3 Jun 2011). “Kaspersky Lab has been granted a patent for new anti-phishing technology”. Kaspersky Lab. http://newsroom.kaspersky.eu/en/texts/detail/article/kaspersky-lab-has-been-granted-a-patent-for-new-anti-phishing-technology (Accessed 21 June 2011)

[17] Neale, Gavin. (9 Dec 2010). “Which Bank would you like with that Phish?”. M86 Security Labs. http://labs.m86security.com/2010/12/which-bank-would-you-like-with-that-phish/ (Accessed 21 June 2011)

[18] Greene, Tim. (7 Apr 2011). “Phishing scams dupe the most active online users”. Network World. http://www.networkworld.com/news/2011/040711-phishing-research.html (Accessed 21 June 2011)

[19] Jackson, William. (8 Jun 2011). “To defeat phishing, Energy learns to phish”. Government Computer News. http://gcn.com/articles/2011/06/13/doe-phishing-test.aspx (Accessed 21 June 2011)

[20] Goodchild, Joan. (14 Jul 2010). “Why executives are the easiest social engineering targets”. Network World. http://www.networkworld.com/news/2010/071410-why-executives-are-the-easiest.html (Accessed 21 June 2011)

[21] Cohen, Reuven. (15 Jan 2010). “GoogleHack Proves People are Easier to Hack then Networks”. Cloud Computing Journal. http://cloudcomputing.sys-con.com/node/1248613/ (Accessed 21 June 2011)

[22] Field, Tom. (3 Jun 2011). “Fraud Prevention: The Examiner’s View”. Bank Info Security. http://www.bankinfosecurity.com/podcasts.php?podcastID=1151&rf=2011-06-03-eb (Accessed 21 June 2011)

[23] Unknown. (26 May 2011). “How banks use Twitter to combat fraud”. Net Security. http://www.net-security.org/secworld.php?id=11078 (Accessed 21 June 2011)

[24] Gates, Chris. (16 Dec 2010). “Conducting a Phishing Campaign in Metasploit Pro”. Attack Research. http://carnal0wnage.attackresearch.com/2010/12/conducting-phishing-campaign-in.html (Accessed 21 June 2011)

[25] Kennedy, David. (13 Sep 2010). “Social Engineer Toolkit (SET)”. Social-Engineer.org. http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)#Tabnabbing_Attack_Method (Accessed 21 June 2011)

[26] Piscitello, Dave. (3 Jun 2011). “APWG Web Vulnerabilities Survey: June 2011”. Anti-Phishing Working Group. http://www.antiphishing.org/reports/apwg_web_vulberabilities_survey_june_2011.pdf (Accessed 21 June 2011)