Keeping Up with the Phish: Best Practices to Minimize Phishing Pitfalls
FORT WORTH, Texas -- In a few years, phishing has gone from a largely unknown Internet crime to one of the most prevalent, with increasingly sophisticated and creative attacks targeting even the smallest of credit unions. In fact, the Anti-Phishing Working Group, a global pan-industrial and law enforcement association focused on eliminating fraud and identity theft that result from phishing, reports that unique phishing site URLs went up 757% between Oct. 2005 and Oct. 2006. The burden of dealing with these attacks has grown from a simple nuisance to an overwhelming maintenance issue.
John Brozycki, information security officer at Hudson Valley Federal Credit Union, Poughkeepsie, N.Y., detailed attackers' latest tricks, best practices for minimizing the risk, and what incident response procedures are most effective at the recent CUISPA IT Risk Management Summit.
A year ago, phishing--a scam that attempts to impersonate a legitimate, trusted institution to get people to expose information or take a desired action--largely focused on collecting credit card numbers, account numbers and passwords. Computer graphics were primitive, but still convincing to many users. Each phish was a means to an end.
Then criminals began emulating Internet Banking login pages. Phishes became more convincing, and attackers were able to capture user IDs and passwords. When institutions started telling their members to "only click on the Internet Banking link from our home page," criminals responded by duplicating institutions' sites and leading victims there to get them to access fake login pages.
Brozycki said phishing attacks now are focusing more on account access, personally identifiable information and "filling in the missing pieces."
"Incidents are more likely to be part of a bigger scheme, initiated to obtain information for use with information already held," he said. "Attacks are becoming more advanced on the high end and more automated--via such tools as spam lists and 'phishing kits'--on the low end."
Unfortunately, credit union employees may be fooled as often as credit union members. Spear phishers attempt to scam employees into clicking on links that will run a Trojan on their computers, potentially giving attackers inside intelligence or access.
How do credit unions reduce their exposure to phishing?
"Cash is king," Brozycki said. "Phishers prefer to use victim information to withdraw cash from ATMs and often have a worldwide mule network to help them do it. ATM card duplication is the most common way personal information is used. So it's important to make sure your system is checking CVV values on the cards' magnetic stripe. A large drop in activity generally occurs when this one procedure is implemented." See sidebar for other tips to reduce phishing exposure.
For credit unions wanting to develop a phishing response plan, Brozycki recommended reading and pulling ideas from other institutions' plans. Another resource can be found at: www.csoonline.com/read/100105/phish.html.
CastleCops' PIRT and Fried Phish are great resources for viewing real phish, as well as for requesting free phish site take downs, Brozycki said. Staying current on phishing techniques will help credit unions be better prepared if the techniques are used against them.
Brozycki cautioned credit unions that PIRT handlers are volunteers. "If only one volunteer is on duty, it may take 3-4 days for them to take a site down, but if a paid service is not within your budget, this is a wonderful resource."
Credit unions also may want to alert their members to an antiphishing toolbar available from Netcraft, a free downloadable tool that provides risk rating, hosting location and the date a site was registered for every Web site they visit.
Brozycki predicted that phishing will never go away, that it will continue to evolve and increasingly be used in conjunction with other techniques.
"Education is key. A lot of people don't care until it happens to them. When an identity is stolen, it's a good time to teach the member, but it's better to teach them before it happens." --firstname.lastname@example.org