Once Crude, Phishing Attacks Grow More Sophisticated and Dangerous
And they don't even know it.
That's because phishers and other fraudsters are once again taking a technology that can do so much good and twisting it for criminal use. In this case, it's the computer-sharing technology that space scientists used to recruit thousands of people willing to donate their computers' idle processing time to enormous calculations needed to understand the universe.
They're called botnets, and they're planted by Trojans and other malware in personal computers around the world, turning them into spam-spewing zombies and helping to host attacks aimed at gathering account numbers and other information that can be used to drain banking accounts.
While the methods have grown more sophisticated, the song in many ways remains the same, according to IT security experts in the financial services industry.
"Phishing continues to be a growing threat for all financial institutions," said Greg Ogorek, manager of antiphishing for Cyveillance, an IT security firm based in Arlington, Va.
"Although we've seen ups and downs in the number of unique monthly phishing attacks, the number of institutions that phishers are attacking are steadily expanding," said Ogorek, whose company includes about 100 credit unions on its client list of about 450.
"I think this tells us that credit unions should be aware that even if they're not being targeted now, it's only a matter of time," he said.
"It also should be noted that as the phishers and other fraudsters become more automated and more sophisticated, they're able to attack even the smallest of brands with the smallest amount of effort," Ogorek said.
"It's interesting because in the earlier days, when phishing first started, the attacks were kind of lame," he added. "They used badly formed, crummy English in the e-mail, and their attacks could be easily dissected and mitigated. But that's not the case anymore."
Gone, too, are the days when a credit union or its security firm simply contacts the Internet service provider hosting the phisher. Botnets infecting hundreds of thousands of computers, often unbeknownst to their owners, can generate seemingly endless series of short-lived IP addresses, allowing phishing attacks to go on much longer before they're caught.
Of course, these attacks go nowhere unless the consumer takes the bait.
"I think the primary role for credit unions is to continue to educate and provide awareness to their members of the realities they need to be safe," said Tim Wooldridge, vice president of virtual branch services with Fiserv's credit union operations.
"And I think that comes through consistent education, consistent messaging, making sure that message is heard throughout the year," said Wooldridge, whose operation serves about 1,400 credit unions.
Wooldridge sees complacency as a problem in another arena.
"We have seen an explosion in social networking over the past year or two," he said. "It's great stuff and a great way to connect, but some of the cultural attitudes that go with it cause people to tend to let their guard down a little bit."
"Hackers and other people who want to phish will go where the people are, and those sites are where they'll find them. We need to remind people that just because they're on a social networking site, that doesn't mean they're necessarily just among their friends," Wooldridge said. "Credit unions really need to keep pressing that message of awareness and caution."
Deb Geister, director of fraud prevention and compliance solutions at LexisNexis, agreed.
"The best thing we can do in this environment is education, both on the credit union side and on the member side," said Geister.
"You have to make sure they know their credit union is never going to call them on the phone and ask for personally identifying information. And they're not going to suddenly show up on your online banking site and ask for that either," Geister said. "Your credit union already has that information. They don't need to ask you for that. Members need to know that."
Along with social networking sites, other new areas where fraudsters are getting personal info are from credit report sites that sell the kind of information that a fraudster can use to convince someone to hand over compromising information, Geister said. She said she's also seen reports of packages of identities being sold on eBay.
Even the old Nigerian letter scams still work sometimes, she said. "For fraudsters, it's a numbers game. They're going to hit on a certain percentage, and that makes it worth it. I was raised on a farm and always think back to my father, who in his infinite wisdom used to say, 'If it seems too good to be true, it probably is.'"
Geister also said she was concerned about the growing use of mobile banking and the introduction of decoupled debit cards as potential security threats. Of the latter, she said, "Now all of a sudden you have someone doing ACH transactions in my system, which is going to be very difficult to track from a compliance perspective. The mobile channel is also something we're highlighting to regulators, so we can all work to make that as safe as possible."
The demand for online, mobile and other remote channels that may evolve in the future are only going to grow, creating more users and more thieves targeting those users.
"The swine flu scare we just went through really brought this to mind for me," said Wooldridge at Fiserv's Credit Union Solutions. "We're all thankful that this did not hit anywhere near the level of pandemic that everyone feared, but if you think about it, you can expect something like that to really drive the level of online usage up, maybe vastly."
"Really, in general, people are doing more and more in virtual settings rather than going to branches for services or paying bills electronically or whatever they're doing. And while that's incredibly positive, it's also an opportunity for phishers, too, and we'll just have to keep going back to education and awareness and the fundamentals of what members have to do to be safe."
Education and using what's available aside, simply running security software isn't complete protection, noted Ogorek at Cyveillance. He said his company tested known malware through 15 different antivirus programs and found that they picked up the problem only 20% to 30% of the time overall.
"Two of them came out a little better, at about 50%, but we're talking about the major antiviral programs out there, and you have only a 50% chance of stopping some of this malware," he said.
Antiphishing plug-ins on browsers also can help, he said, but even then that's often not enough.
"You can teach all your members to do all the right things, like only typing in their URL and not using links, but when it comes to pharming, where the credit union's DNS itself has been compromised, it doesn't matter," he said.
"My fear is that underlying threat, all those people out there whose computers have been compromised and their accounts accessed, and they don't even know it because nothing's been taken," Ogorek continued.
"I think we're looking at a looming cloud, and
it's just a matter of what that cloud will become,"