[ISN] Big Blue security report highlights 'spear phishing' threat

InfoSec News isn at c4i.org
Fri Aug 5 01:05:22 EDT 2005


By Neil Sutton 

A report published this week from IBM Corp. suggests that phishing
schemes are growing in sophistication, allowing would-be Internet
criminals to target their victims by name.

A targeted or "spear phishing" attack is designed to extract data from
a specific individual or organization, maximizing damage caused and
financial gain. IBM estimates that these types of attacks have grown
ten-fold this year alone. According to the company, they can be used
for identity theft, extortion, fraud and to steal specific
intellectual property.

"We're seeing it as a targeted security threat within financial
institutions as well as government regulatory bodies," said Michael
Small, security practice leader for IBM Canada. "It's very targeted
with a specific purpose to ensure that they try to get access to
privileged information for, usually, profit. Its concerns are linked
to cyberterrorism as well as obviously organized crime."

Until now, the most common phishing attacks were those that
attempt to disguise themselves as e-mail from banks or common consumer
Internet services like eBay or its payment arm PayPal. They aren't
addressed to a specific person but are sent out as widely as possible
in an attempt to snare a few unfortunates who are willing to part with
bank account information or their eBay identities.

Mary Kirwan, CEO of Toronto-based security firm Headfry Inc., said
that these types of attacks may be on the decline but agreed with IBM
that spear phishing is a growing concern.

"These are higher payoff crimes, so it's in their interest to follow
the money, essentially," she said. "There's no real consensus among
the global banks as to how to deal with that right now. Some of the
banks are acknowledging that you don't have to be a dummy to fall for
these scams."

This isn't the first time banks have been identified as a lucrative
target. In 2003, Symantec Corp. noted that a virus called
Win32.Bugbear.B was sent by like-minded criminals to financial
institutions such as J.P. Morgan Chase, Citibank and American Express.
Security experts believed that Bugbear was designed to scan an inbox
for any indication that it belonged to a bank employee.

Recovery from targeted attacks and malware in general costs a Canadian
organization an average of $30,000 to $40,000, said Small. He added
that IBM is sharing its research with customers, partners and vendors
to help them prevent such attacks.

Nuisance e-mail like spam appears to be leveling off, according to the
IBM report. In January of this year, spam accounted for 83 per cent of
global e-mail. That number had fallen to 67 per cent by June.

There are new problems on the horizon, however. In March, a new threat
called Domain Name Service (DNS) cache poisoning was discovered. Cache
poisoning can hijack a user's browser and direct them towards a
specific site or advertisement by corrupting a DNS server's ability to
map machine host names to a correct IP address. Variations of these
types of attacks have been around for years, but cache poisoning is
becoming more sophisticated and a DNS server that isn't configured
properly is particularly susceptible.
