GLOBALSIGN WHITE PAPER
The Detection and Prevention of Phishing Attacks
Protecting websites from the rising threat of phishing attacks whilst safeguarding customer trust
www.globalsign.co.uk www.globalsign.eu

TABLE OF CONTENTS
Introduction
How does Phishing Work?
What to look for in a Phishing Email
Phishing Prevention
Implications of using an SSL Certificate
Free Phishing Alerts with GlobalSign SSL Certificates
Anti‐Phishing Working Group
Phishing Statistics
Summary
Enquire about our Phishing Detection and Alert Services
About GlobalSign
INTRODUCTION
Phishing is the act of attempting to obtain personal information such as usernames, passwords and bank details by masquerading as a trustworthy entity. A phisher sends electronic communications that are falsified to appear to come from popular, legitimate companies, including social websites, auction sites, online payment processors and IT administrators; all are commonly impersonated to lure the unsuspecting public into sharing their private information. Phishing attacks most commonly combine social engineering with technical trickery to steal consumers’ personal identity data and financial account credentials. These are not the only ways phishers can attack unsuspecting victims, however, and other phishing methods include the following:

Technical Subterfuge/Pharming – This scheme plants crimeware on PCs to steal credentials directly, often using Trojan keylogging spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through Domain Name System (DNS) hijacking or “poisoning”, so that even a correctly typed address resolves to the attacker’s server. Phishers generally lure unsuspecting Internet users to fake websites with authentic‐looking emails in an attempt to steal passwords, financial and/or personal information, or even to deliver malware.

Phone Phishing – Attackers place calls, often automated, disguised as coming from a person’s bank. The recording states that a mandatory verification is required and asks the victim to key in personal details, including account numbers and possibly a PIN, which a bank would never ask for in this way.

Wi‐Fi Hotspots – This method is commonly called an “Evil Twin”: an attacker fools a wireless user into connecting their mobile device to a rogue hotspot disguised as a legitimate provider. The hotspot was in fact set up so that the attacker can eavesdrop on the victim’s traffic and harvest personal details.

Phone Apps – Even the latest smartphones are not immune. Open application markets carry large numbers of free applications developed by individuals worldwide, and a fake look‐alike application that imitates a bank or retailer can easily fool customers into entering their credentials.

Tabnabbing – One of the more recent types of phishing, which takes advantage of people who keep many browser tabs open at once. A page the victim opened earlier waits until its tab has been in the background for a while, then rewrites its own title, favicon and content to resemble the login page of a popular website. When the victim returns to the tab they assume they have been logged out and re‐enter their credentials, which go to the attacker.

Social Engineering – The art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud or computer system access. In most cases the attacker never comes face‐to‐face with the victims.

HOW DOES PHISHING WORK?

Phishing scams are set up to look as legitimate and genuine as possible by creating an email and web page that are almost identical to the official email and website of a trusted organisation, or by injecting untrusted content into an existing authentic website. The email sent by the phisher includes a link to what appears to be an “official” website but is actually a fake site operated by the attacker. Once you have visited this website, any information you enter on the web page is collected by the phisher and may be used fraudulently for whatever purpose the phisher has in mind.
From beginning to end, the process involves:

Planning – A phisher decides which business to target and determines how to obtain email addresses for the customers of that business. They often use the same mass‐mailing and address‐collection techniques as spammers.

Setup – Once they know which business to spoof and who their victims are, the phisher creates methods for delivering the message and collecting the data. Most often, this involves email addresses and a web page.

Attack – This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.

Collection – The phisher records the information victims enter into web pages or popup windows.

Identity Theft and Fraud – The phisher uses the information they have gathered to make illegal purchases or otherwise commit fraud.

Source: Information Week.

If a phisher wishes to coordinate other attacks, they evaluate the successes and failures of the completed scam and begin the cycle again. Phishing scams often take advantage of software and security weaknesses on both the client and server sides, but even the most high‐tech phishing scams work like old‐fashioned con jobs, in which a hustler convinces the mark that he is reliable and trustworthy.
WHAT TO LOOK FOR IN A PHISHING EMAIL
Generic Greeting – Phishing emails are usually sent in large batches. To save time, Internet criminals use generic salutations such as "First Generic Bank Customer" rather than addressing each recipient by name. If you don't see your name, be suspicious.

Forged Link – Even if a link contains a name you recognise, that does not mean it leads to the real organisation. Hovering the mouse over the link shows the actual destination; if it does not match the address shown in the email, do not click it.

Requests Personal Information – The main purpose of a phishing email is to trick you into providing your personal information. An email requesting it is probably a phishing attempt.

Sense of Urgency – Internet criminals want your information immediately, so they make you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.

Poor Spelling – Spelling and grammar mistakes are another common indication that an email is not authentic.
Sample Phishing Email
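The indicators above can be checked mechanically. The following is an added example, not code from GlobalSign or from this paper: it parses one constructed HTML email (the bank name, addresses and URLs are hypothetical), extracts every link, compares the host named in the visible link text with the host in the href, and reports which of the four indicator categories fired.

```python
"""Heuristic scoring of the phishing-email indicators listed above.
Added example, not GlobalSign code; the sample message is constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: generic greeting, an anchor whose visible text names
# one host while its href points at another, a request for credentials and
# an artificial deadline. All names and addresses are hypothetical.
SAMPLE_EMAIL = """\
From: "First Generic Bank" <security@firstgenericbank.example>
To: customer@example.net
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>We detected unusual activity. You must verify your account
immediately or it will be suspended within 24 hours.</p>
<p>Please confirm your username, password and PIN at
<a href="http://198.51.100.23/login/firstgenericbank">
https://www.firstgenericbank.example/secure</a></p>
</body></html>
"""

GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user",
                     "dear account holder")
PERSONAL_INFO = ("password", "pin", "username", "account number",
                 "card number", "sort code", "date of birth")
URGENCY = ("immediately", "within 24 hours", "suspended", "urgent",
           "act now", "your account will be")


class _AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs plus all text of the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self.text_parts = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._label).strip()))
            self._href = None


def _host(url_or_text):
    """Host of a URL; bare domains in link text are accepted too."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def forged_links(anchors):
    """Anchors whose visible text names a host other than the href host."""
    forged = []
    for href, label in anchors:
        label_host = _host(label)
        # Only compare when the label itself looks like a URL or domain;
        # "Click here" style labels carry no host to compare against.
        if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", label_host):
            continue
        if label_host != _host(href):
            forged.append((href, label))
    return forged


def score_email(raw):
    """Indicators found in one RFC 5322 message, keyed by category."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _AnchorExtractor()
    parser.feed(body.get_content() if body is not None else "")
    text = " ".join(" ".join(parser.text_parts).split()).lower()
    haystack = (msg["subject"] or "").lower() + " " + text
    return {
        "generic_greeting": any(g in text for g in GENERIC_GREETINGS),
        "forged_links": forged_links(parser.anchors),
        "requests_personal_info": [k for k in PERSONAL_INFO if k in haystack],
        "urgency": [u for u in URGENCY if u in haystack],
    }


def indicator_count(raw):
    """How many of the four indicator categories fired (0 to 4)."""
    return sum(1 for v in score_email(raw).values() if v)


if __name__ == "__main__":
    for name, value in score_email(SAMPLE_EMAIL).items():
        print(f"{name}: {value}")
    print("indicators fired:", indicator_count(SAMPLE_EMAIL))
```

The forged-link check is the one that matters most in practice: the keyword lists are easy for an attacker to avoid, whereas the mismatch between the host a link claims and the host it actually points to is the defining feature of the lure. The check deliberately ignores labels that are not themselves a URL or domain, since "Click here" says nothing about where the link goes.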
PHISHING PREVENTION

Websites used for phishing can be detected by analysing statistics about end users' submissions of confidential data. A central process, such as one run by Google, receives data from a large number of user computers indicating that confidential information has been submitted to particular websites. The received data is aggregated and analysed, for example through statistical profiling. Through this analysis, anomalous behaviour concerning the submission of confidential information to websites is detected, such as an unexpected, rapid increase in the amount of confidential information submitted to a given website. Such anomalous behaviour indicates that the website is being used for phishing. In response, further action is taken to protect users from submitting confidential information to that website: an alert can be sent to an appropriate party or automated system, a protective measure against the site can be published, the site can be added to a blacklist, or a procedure to have the site shut down can be initiated.
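The aggregate‐and‐profile step can be shown on a small scale. The following is an added example and not the code of any browser vendor or of GlobalSign: it builds a constructed feed of (site, timestamp) submission events, buckets them per hour, and flags any site whose latest hour is far above its own recent baseline. The sites, volumes and thresholds are all hypothetical; the compromised site is keyed by a URL path rather than a bare host, because a planted phishing page usually sits deep inside an otherwise legitimate site.

```python
"""Surge detection over credential-submission statistics.
Added example, not GlobalSign code; the event feeds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_feed():
    """One record per credential submission a client reported: (site, time).
    Two long-established sites show flat rates; a page inside a compromised
    site is dormant for 44 hours and then receives a burst."""
    events = []
    base = datetime(2012, 12, 3, 0, 0)
    for hour in range(48):
        ts = base + timedelta(hours=hour)
        events += [("bank.example", ts)] * 40              # steady baseline
        events += [("shop.example", ts)] * (5 + hour % 3)   # slight jitter
    for hour in range(44, 48):
        ts = base + timedelta(hours=hour)
        events += [("club-site.example/news/old/post.php", ts)] * (150 * (hour - 43))
    return events


def constructed_first_seen_feed():
    """A site that has never received credentials suddenly gets 60 in an hour."""
    base = datetime(2012, 12, 5, 0, 0)
    events = [("bank.example", base + timedelta(hours=h)) for h in range(30)]
    events += [("never-seen.example", base + timedelta(hours=29))] * 60
    return events


def hourly_counts(events):
    """site -> {hour bucket: number of submissions}"""
    counts = defaultdict(lambda: defaultdict(int))
    for site, ts in events:
        counts[site][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def detect_surges(events, baseline_hours=24, z_threshold=4.0, min_count=50):
    """Sites whose latest hour is far above their own recent baseline.

    The z-score is computed against the site's preceding `baseline_hours`.
    A site with a flat history (standard deviation 0, including a site never
    seen before) is flagged as soon as it exceeds min_count, because a brand
    new destination for credentials is exactly the anomaly of interest.
    """
    counts = hourly_counts(events)
    all_hours = sorted({h for per_site in counts.values() for h in per_site})
    latest = all_hours[-1]
    window = [h for h in all_hours
              if latest - timedelta(hours=baseline_hours) <= h < latest]
    alerts = {}
    for site, per_hour in counts.items():
        current = per_hour.get(latest, 0)
        if current < min_count:
            continue                      # too little volume to judge
        history = [per_hour.get(h, 0) for h in window] or [0]
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            z = float("inf") if current > mu else 0.0
        else:
            z = (current - mu) / sigma
        if z >= z_threshold:
            alerts[site] = {"current": current,
                            "baseline_mean": round(mu, 1),
                            "z": round(z, 2)}
    return alerts


if __name__ == "__main__":
    for site, detail in detect_surges(constructed_feed()).items():
        print(f"ALERT {site}: {detail}")
```

Two design points carry over to a real deployment. The minimum count keeps a site with a single stray submission from being blacklisted, and the per‐site baseline means a bank that always receives thousands of logins an hour is not confused with a hobby site that has never received any. Whatever the detector flags should feed the actions listed above (alert, warning page, blacklist, takedown) rather than block on its own, since a legitimate site's marketing campaign produces the same shape of surge.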
Example of a warning message from an unsafe site

From a business perspective, there are a number of things you can do to help avoid becoming a victim of phishing and to minimise the damage, to both the individual and the organisation, should it become a target. Some of the following could be considered, although not all will suit every type of organisation.

Use Dedicated Systems for Payments, including the request and approval processes. Consider disabling email access on any system involved in payment processing. If an attacker cannot compromise the payment‐processing systems, they will have a harder time obtaining payment usernames and passwords, and an even harder time actually requesting or approving a transfer.

Use a Strong Authentication Mechanism on all payment‐processing systems. This means replacing or augmenting username/password combinations with a hardware token and PIN, or with biometrics such as a fingerprint reader. A captured password can be replayed at will; a one‐time token code or a biometric sample is far harder to copy and reuse. Note that a one‐time code can still be relayed by an attacker who is phishing the user in real time, so this control should be combined with the others listed here.

Block Internet Access for systems involved in payment processing. If the system genuinely has no Internet access, malware on it cannot talk back to its controlling systems and the attacker.

Disable the use of USB Flash Drives on payment‐processing systems. In some circles USB flash drives are referred to as “malware delivery devices”; disabling them removes one more potential avenue for infection.

Use tools available in your email client. Outlook, for instance, can help filter potentially harmful links.

Be diligent in your use of anti‐virus and anti‐malware software, including regular updates and scans. Much of the malware used in phishing attacks is not detected by standard anti‐virus software, but some of it is: not every malware variant is changed before an anti‐virus update becomes available, and older versions of malware are sometimes redistributed. Anti‐virus software can also help identify secondary infections related to an attack.

Use reputation‐based website, IP address and URL filtering so that systems inside the company cannot reach sites already known to be “bad”. You can extend this further by allowing “white‐list” access only, that is, access to addresses that have specifically been recognised as “good” sites (note that this has the potential to inhibit some Internet capability).

Enforce time‐of‐day restrictions on logins and payment processing. Many fraudulent transactions occur after normal working hours. For instance, a series of large transfers completed at 7:00pm on a Friday evening might go unnoticed until staff return and see the abnormal activity on Monday morning.

Limit access to payment‐processing systems from mobile devices, laptops and home‐office systems. These distributed systems are typically more exposed to threats. Do not allow access to any internal organisation system, especially payment‐processing systems, from a personally owned home computer; there is simply no way the organisation can enforce proper control over such a system.

Conduct employee security awareness sessions to teach employees how to identify phishing emails and avoid falling victim to them. Any reduction in exposure slows compromise and increases your organisation’s ability to identify an escalating threat.

Explicitly communicate to employees, partners and clients that you will never solicit account information via email or send a link to update account information.

Individually, there are things employees can do to help avoid becoming a victim and compromising the integrity of organisational operations:

Never open attachments or links in unsolicited emails. In general, be suspicious of all emails containing links. If you get an email with a link to click, do not click it: navigate independently to the destination site (for example, by typing www.mybigbank.com into a new browser window) and find the referenced location without using the conveniently included link.

Do not respond to suspicious emails in any manner.

Use a separate computer to access email rather than the computer used to initiate or approve payments.

Report suspicious emails to management when you receive them.

Phishers prefer to compromise websites with reputable domain names. These domains are more difficult to suspend because the domain holder is also a victim. Many website owners today find that they are unwittingly providing facilities for phishing attacks.
IMPLICATIONS OF USING AN SSL CERTIFICATE

Many people ask the question, “Can a phishing attack occur on a site that has a valid SSL Certificate?” The answer is simple: yes. Website owners must have an SSL Certificate to activate the SSL/TLS technology built into the browser and web server. Once activated, SSL provides an encrypted link between the browser and server and can be used to secure transactions or data submissions. Because SSL activates visible trust indicators such as https, the padlock and the green address bar, website visitors typically have higher confidence in sites using SSL. The certificate, however, only vouches for the identity of the site (and, for organisation‐validated certificates, of its operator); it says nothing about the content the site serves, and it does not stop a phisher who has compromised the site from inserting their own code, such as an additional page. When a site is compromised, attackers tend to deploy phishing pages for well‐known brands deep within the site structure and then use the URL in phishing emails and malvertising. If the compromised site is using SSL, the phishing page is served over SSL too, complete with the same trust indicators. The new partnership between GlobalSign and Netcraft aims to reduce the risk of GlobalSign's customers being victimised by such attacks and of their otherwise legitimate business being disrupted without their knowledge.
FREE PHISHING ALERTS WITH GLOBALSIGN SSL CERTIFICATES This first‐of‐its‐kind service, now included free of charge with all GlobalSign SSL Certificates, allows customers to maximise their investment in GlobalSign, by providing additional security against one of the most prevalent and persistent attacks in use by cyber criminals.
Partnering with Netcraft, a leading Internet security service provider, GlobalSign’s Phishing Alert Service offers timely notification and professionally validated alerts if a phishing attack is detected on a GlobalSign SSL secured website. Netcraft, which has researched and analysed many aspects of the Internet since 1995, produces a continually updated phishing feed that has blocked over 5 million phishing attacks since inception and is used by all of the main web browsers, ensuring that website owners are notified as soon as a phish is detected. There are also numerous other companies working to beat the phishers.
ANTI‐PHISHING WORKING GROUP

GlobalSign is an active member of the Anti‐Phishing Working Group (APWG). The APWG is a non‐profit, global, pan‐industrial and law‐enforcement association focused on eliminating the fraud, crime and identity theft that result from phishing, pharming, malware and email spoofing of all types. According to the APWG, 456 phishing incidents were reported to them during the one‐year period between August 2011 and July 2012, significantly higher than the previous year. Official APWG reports also show that Linux, Apache, MySQL and PHP remain the most frequently targeted hosting environment for phishing attacks. APWG recommendations request that victims or their hosting companies incorporate vulnerability scanning as part of “secure deployment” strategies. Founded in 2003 by David Jevans, the APWG has more than 3,200 members from more than 1,700 companies and agencies worldwide.

PHISHING STATISTICS

During the last few years the number of phishing attacks has risen dramatically. Below are a few notable statistics.

To date, the RSA Anti‐Fraud Command Center has shut down 770,773 phishing attacks in 187 countries.

The US and UK were targeted by the most phishing attacks in December 2012, with a combined 65% of total volume, while India and Canada represented a combined 13% of phishing volume.

The US was once again the top hosting country for phishers in December 2012, with 53% of attacks hosted there, followed by Germany, the UK and Brazil.

RSA saw phishing attacks increase 59% in 2012, with estimated global losses of $1.5 billion.

40% of phishing pages are taken down within a day and nearly sixty per cent within 2‐3 days.

Every minute, 232 computers are infected with malware.

Source: http://www.rsa.com/phishing_reports.aspx

Not surprisingly, the top five phishing email subject lines in 2012 were:
1. Your account has been accessed by a third party
2. (Bank Name) Internet Banking Customer Service Message
3. Security Measures
4. Verify your activity
5. Account Security Notification

Source: Websense Security Labs, September 2012

Phishing Attacks per Year (graph)

This graph shows that the number of phishing attacks has grown substantially year on year since 2010, with 38% growth from 2010 to 2011 and significant growth of 72% from 2011 to 2013.

Phishing Attacks per Month, 2011‐2012 (graph)

Looking back over the year, you can see that phishing attacks peaked in the summer months between June and August and dropped in September. The lowest month for attacks was March, with 19,141 attacks launched. In December 2012, 29,581 attacks were launched worldwide, a 40% increase in comparison with December 2011.

Top Countries by Attack Volume, December 2012 (pie chart)

This pie chart indicates that the US was the most targeted country worldwide in December 2012, accounting for 46% of phishing attacks, with the UK following with 19%.

Top Countries by Attacked Brands, December 2012 (pie chart)

This pie chart shows that the US was also the most targeted country for brand attacks in December 2012, with 28%, followed by UK brands, which accounted for 10% of the attacks.

Number of Brands Attacked, 2011 to 2012 (graph)

Over the past 12 months, the number of brands attacked has remained fairly steady, with only a slight drop in June and July. The lowest month of the year was July, with 242 brands attacked. There were 257 brands attacked in December 2012, only one more than in December 2011.

Source: RSA January 2013 Monthly Online Fraud Report

SUMMARY

Cybercriminals are continually finding new ways to avoid detection and developing techniques to manipulate communications and improve the success rates of phishing attacks. There are multiple precautions already in place, such as web browsers taking preventative measures to blacklist compromised websites, although this can also present further concerns for legitimate businesses that are themselves victims of cyber fraud.

There are many preventative measures and precautions that organisations can also implement to ensure their websites and networks remain secure. This has become more vital than ever in ensuring that customer trust is not damaged.

As a result of partnering with Netcraft, GlobalSign can provide a more comprehensive service to its SSL Certificate customers. On detection of a phishing site using a GlobalSign SSL Certificate, Netcraft will alert GlobalSign, enabling instant notification to either the site owner or the hosting company that applied for the SSL Certificate on behalf of the customer. GlobalSign will advise the compromised site's customer on remediation steps, or, if the site has been created specifically for malicious intent, GlobalSign will automatically revoke the associated SSL Certificate.
ENQUIRE ABOUT OUR PHISHING DETECTION AND ALERT SERVICES To learn more about GlobalSign’s Phishing Detection and Alert Services please visit our website, or contact us for further information. We would be happy to discuss your specific requirements. https://www.globalsign.co.uk/ssl/secure‐website‐services/
ABOUT GLOBALSIGN

GlobalSign was one of the first Certification Authorities and has been providing digital credentialing services since 1996. It operates multi‐lingual sales and technical support offices in London, Brussels, Boston, Tokyo and Shanghai. GlobalSign has a rich history of investors, including ING Bank and Vodafone. It is now part of a GMO Internet Inc. group company, a public company quoted on the Tokyo Stock Exchange (TSE: 9449) whose shareholders include Yahoo! Japan, Morgan Stanley and Credit Suisse First Boston. As a leader in public trust services, GlobalSign Certificates are trusted by all popular browsers, operating systems, devices and applications and include SSL, Code Signing, Adobe CDS Digital IDs, Email & Authentication, Enterprise Digital Solutions, internal PKI and Microsoft Certificate Service root signing. Its trusted root CA Certificates are recognised by all operating systems, all major web browsers, web servers, email clients and Internet applications, as well as all mobile devices.

Accredited to the highest standards

As a WebTrust accredited public Certificate Authority, our core solutions allow our thousands of enterprise customers to conduct secure online transactions and data submission, provide tamper‐proof distributable code, and bind identities to Digital Certificates for S/MIME email encryption and remote two‐factor authentication, such as SSL VPNs.
GlobalSign US & Canada – Tel: 1‐877‐775‐4562 – www.globalsign.com – sales‐[email protected]
GlobalSign EU – Tel: +32 16 891900 – www.globalsign.eu – [email protected]
GlobalSign UK – Tel: +44 1622 766766 – www.globalsign.co.uk – [email protected]
GlobalSign FR – Tel: +33 1 82 88 01 24 – www.globalsign.fr – [email protected]
GlobalSign DE – Tel: +49 30 8878 9310 – www.globalsign.de – [email protected]
GlobalSign NL – Tel: +31 20 8908021 – www.globalsign.nl – [email protected]