Phishing is the term used to describe the latest in a seemingly long line of Internet-based scams. This time, the fraudsters are attempting to con money out of organisations (and their customers) by sending fake e-mails that masquerade as legitimate communications. How might IT and security managers tackle this potent threat to their organisations?

A year or so ago, the concept of ‘phishing’ – the online scam which seeks to defraud organisations and their customers out of money by sending fake e-mails posing as legitimate communications – was almost unheard of, even in IT security circles. For those who had heard of it, phishing was so low profile in comparison with viruses and spam that it didn’t deserve much attention.

Such flippancy no longer exists. Over a short period of time, phishing has become a threat to most industries, and to financial services organisations in particular. It’s comparable in terms of prevalence to some virus outbreaks – even those categorised as high level. MessageLabs currently intercepts something in the region of 250,000 phishing e-mails each month, with a peak of over 337,000 recorded in January this year. In August 2003, we caught a grand total of only 14 phishing e-mails!

Phishing attacks have also begun to adopt a similar anatomy to virus outbreaks, with high numbers of e-mails sent out during short periods of time. In August this year, MessageLabs identified a new attack directed at a major US bank and its customers. Within five hours, approximately 125,000 copies of the phishing e-mail (which contained a URL link to a replica of the bank’s web site) had been successfully intercepted.

This number is actually higher than the number of copies of the recent MyDoom.O worm stopped during the first five hours of the outbreak. A comparatively low figure of 23,000 copies was enough to secure MyDoom.O’s place in the media archives.

It’s all about fraud

Although phishing itself is a relatively new development, it’s simply a new form of an old crime – fraud. The only difference is that, instead of a man in a smart suit turning up on your doorstep, these conmen tout their wares via e-mail inboxes.

As is the case with a great many crimes, the motivation behind all types of fraud is greed. However, phishing isn’t the only e-mail security threat with its roots firmly planted in financial gain. Rather, it’s an illustration of a trend that has been rapidly gathering pace.

Convergence – in other words the cross-contamination of e-mail security attack methods – is almost certainly driven by a desire to make money. Virus writers – many of them ‘script kiddies’ who used to release their malicious wares primarily for anti-social reasons, and to achieve a dubious form of notoriety – have teamed up with spammers to produce a much more considered brand of threat... and to make their fortune.

This partnership has eroded some of the boundaries that previously existed between viruses and spam. There’s little or no monetary gain to be had from simply distributing viruses, but even the smallest number of recipients responding to a batch of spam can help keep the ill-gotten gains rolling in.

What spammers have realised is that by borrowing virus writing techniques they can maximise their profits. For their part, the virus writers have realised that they have a marketable skill. By using their virus writing capabilities, they’re able to hijack unsuspecting computers and create vast networks of ‘zombie’ machines.

These so-called ‘botnets’ (short for ‘robot networks’) are now the preferred method of spamming, with money changing hands in order to have access to them for relatively short periods of time.

Of the three billion spam messages intercepted by MessageLabs between January and June this year, the majority had been sent via machines compromised in this way.

Longevity isn’t the aim

A complementary trend that has developed alongside this financial opportunism is the speed with which new e-mail security threats are created and then abandoned. The perpetrators don’t look for longevity. They achieve their best results through a quick hit. This is so that they can exploit the ‘window of opportunity’ that exists in the period of time between the release of their malware and the subsequent release of signatures by traditional security vendors.

It’s this ‘window of opportunity’ that really drives the recognisable pattern for virus and spam distribution, and for other online security threats (including phishing). Periods of steady activity are typically punctuated by sudden and spectacular outbreaks as the spammers and senders of malicious code seek to exploit the period when many users – principally those relying on first generation security software – have absolutely no form of technology-based protection to hand.

A combination of greed and speed means that the scale of threat has moved on from that faced by businesses a mere two years ago. Yet many of the solutions on the market haven’t been able to keep up, and are struggling to cope with the complexity and range of threats now perpetrated (let alone the sheer volume of e-mails received).

Examining your information

Organisations wanting to protect themselves against phishing scams can take some specific actions. There are now technology-based methods of identifying and intercepting phishing-related attacks, one of the most effective of which operates at the Internet level. Organisations should also ensure that all customers and associate organisations are aware of how they’ll be contacted online, and the kind of information they’ll be asked to divulge.

As ever, a good general rule is to be suspicious of any unsolicited e-mail… and to think twice before following any instructions contained in an e-mail.

All the available evidence suggests that this new ‘get rich quick’ approach to e-mail threats isn’t going to disappear. The success enjoyed by many of its perpetrators means that the likely next step is the development and refinement of this approach.

Tackling e-mail security is always something of a cat-and-mouse game. When one side takes a step forward, the other has to catch up in order to stay in play. With the speed and efficiency of the threat taking significant leaps, it has never been more important to match and surpass that rapidity of development by using the multiple defence techniques on offer.