Security | Wednesday 27th July 2005
Nilay Patel, Director of Sales Engineering at MailFrontier, said that enterprise phishing currently on the rise in the US is about to go global. 'We fully anticipate these new threats will reach outside of the US as consumer phishing becomes less and less lucrative,' he said.
And far more critical than the nuisance of spam, these attacks 'are designed to get assets out of the company,' he warned.
The problem lies in the trend towards outsourcing the different services needed in the enterprise, whether customer relationship management, human resources, payroll, sales or even security itself.
Patel said reliance on all these third-party outsourced systems results in a network of 'trusted communications' - regular emails into the company that ask staff to update details, download a new toolbar or carry out a range of other perfectly legitimate tasks to keep things running smoothly. All of it is ripe pickings for a phishing attack.
For example, a Directory Harvest Attack (DHA) is a brute force assault on a mail server to identify legitimate mail addresses for that domain. From there, a phishing attack could be used to obtain sensitive information, such as passwords and other credentials. Then it is a short step to changing bank account details, stopping pay checks, and even adding new names to the payroll system.
Run a DHA attack weekly and you'll quickly find out when someone new joins the company - a particularly vulnerable target, who will no doubt already be receiving requests from outsourced systems for various details.
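A DHA leaves a distinctive trace on the receiving mail server: one client address generating a burst of "user unknown" rejections against many different local parts in a short time. The following detector is an added example, not code from the article or from MailFrontier; it runs over constructed Postfix-style rejection lines (the addresses, hostnames, timestamps and the `detect_dha` function are all assumptions made for the illustration) and flags a client once it has probed a threshold number of distinct nonexistent recipients inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style rejection lines (sample data, not from the article).
# 203.0.113.5 probes many nonexistent mailboxes in a few seconds (the DHA pattern);
# 198.51.100.9 produces a single typo-style bounce, which is normal traffic.
SAMPLE_LOG = """\
Jul 27 10:00:01 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table
Jul 27 10:00:02 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <abbey@example.com>: Recipient address rejected: User unknown in local recipient table
Jul 27 10:00:02 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <abbott@example.com>: Recipient address rejected: User unknown in local recipient table
Jul 27 10:00:03 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <abel@example.com>: Recipient address rejected: User unknown in local recipient table
Jul 27 10:00:03 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <abigail@example.com>: Recipient address rejected: User unknown in local recipient table
Jul 27 10:00:04 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <abraham@example.com>: Recipient address rejected: User unknown in local recipient table
Jul 27 10:05:11 mx postfix/smtpd[124]: NOQUEUE: reject: RCPT from mail.partner.test[198.51.100.9]: 550 5.1.1 <jsmtih@example.com>: Recipient address rejected: User unknown in local recipient table
"""

# Matches the syslog timestamp, the connecting client's IP and the rejected recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"RCPT from \S+\[(?P<ip>[^\]]+)\].*?"
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_rejections(log_text):
    """Yield (timestamp, client_ip, rejected_recipient) for each unknown-user rejection."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # syslog lines carry no year; the parsed year is irrelevant for relative windows
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt").lower()


def detect_dha(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag client IPs that hit at least `threshold` distinct unknown recipients within `window`.

    A sliding window runs over each client's rejection timestamps. A legitimate sender that
    mistypes one address yields a single rejection; an address-guessing probe yields a burst
    of rejections to many different local parts, which is what crosses the threshold.
    """
    events = defaultdict(list)  # client ip -> list of (timestamp, recipient)
    for ts, ip, rcpt in parse_rejections(log_text):
        events[ip].append((ts, rcpt))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = {
                    "rejections": len(evs),
                    "distinct_recipients": len({r for _, r in evs}),
                    "first_seen": evs[0][0].strftime("%b %d %H:%M:%S"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_dha(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: {info}")
```

Run against the sample, the probe from 203.0.113.5 is reported and the single mistyped address from the partner host is not. In practice the threshold and window are tuned against the site's normal bounce rate, and the same counting is what lets a mail gateway rate-limit or tempfail a harvesting client rather than merely log it.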
Patel claims that companies in the US have already fallen victim to these attacks but are understandably unwilling to be vocal about it.
MailFrontier employs a number of tactics to weed out phishing mails. In much the same way as security companies apply tests to determine the likelihood of email being spam, so MailFrontier checks for phishing characteristics, claiming a 99 per cent success rate, according to Patel.
He
A phishing mail normally has a link to an illegal website that the victim is supposed to follow, but once the scam is exposed, that site gets shut down very quickly. Patel says MailFrontier detects and stops a new campaign within minutes. So the window of opportunity is very short compared with spam, which doesn't link to websites that are themselves illegal, and people might respond even a week later depending on how often they check their mail.
Given that limited time window, launching a phishing campaign from 200 hosts won't hit hard or quickly enough. Patel says it's not uncommon for such an attack to be generated from as many as 1,500 hosts. Where do these hosts come from? Zombie networks: infected computers that can be controlled by the attacker and can be hired by the hour on the Internet underworld.
Patel claims four or five networks might be employed for such an attack. It costs the attacker more, but the rewards are substantially greater. A man arrested recently in Colombia was netting $800,000 a week from phishing.
Using such techniques, Patel says anti-phishing technology can succeed where humans cannot. An ongoing quiz by the company that tests people's ability to differentiate between phishing and genuine emails throws up some interesting statistics.
With more than 60,000 entrants, only 6.5 per cent correctly identified the legitimacy, or otherwise, of all 10 examples. But just less than half erroneously identified the legitimate emails as phishes.
And no wonder. Many companies continue to send emails which break the ground rules of legitimacy, such as making the visible link text in an email match the URL actually embedded in the HTML code. Finnish security company F-Secure recorded genuine emails that mask links from the likes of CA, RSA and Internet Security Systems.
If IT security companies won't play by the rules, how are mere mortals supposed to tell legitimate mail from phishing mail? The crowning glory, Patel said, is that when the quiz was taken to the RSA security conference, the IT professionals there performed poorly compared to the general public.
You can try the test yourself here.