Anti-Phishing Best Practices:

Transcription

1 Anti-Phishing Best Practices: Keys to Aggressively and Effectively Protecting Your Organization from Phishing Attacks Prepared by James Brooks, Senior Product Manager Cyveillance, Inc.

2 Overview Phishing is defined by the Financial Services Technology Consortium (FSTC) as a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them. In short, it s online fraud to the highest degree. For criminals, phishing has become one of the most common and most effective online scams. The schemes are varied, typically involving some combination of spoofed junk (spam) , malicious software (malware), and fake Web pages to harvest personal information from unwitting consumers. Customers of well known and lesser-known companies alike have fallen victim to this pervasive form of online fraud. Western Union, AOL, SunTrust, ebay, Amazon, PayPal, EarthLink, and Citibank are just a few examples of the many companies who have found themselves and their customers persistent victims of phishing attacks. During the six-month period ending February 28, 2006, Cyveillance detected phishing attacks against over 250 different brands in eight different industries across 13 countries. Phishing attacks are growing at a torrid pace the number of unique phishing websites detected by APWG (Anti-Phishing Working Group) in December 2005 alone exceeded 7,000 a huge increase in unique phishing sites from the previous two months. Phishing has a huge negative impact on organizations revenues, customer relationships, marketing efforts, and overall corporate image. Phishing attacks can cost companies tens to hundreds of thousands of dollars per attack in fraud-related losses and personnel time. Even worse, costs associated with the damage to brand image and consumer confidence can run in the millions of dollars. The goal of any organization that is or may be targeted by phishers is to prevent or minimize the impact of phishing attacks. This can only be achieved by the development and implementation (using in-house or outsourced resources) of a comprehensive phishing protection and response plan. In all cases, the plan s success hinges on solid support and ongoing communication throughout the entire organization. Key objectives of an effective phishing protection and response plan should include: Identification of the appropriate stakeholders and their responsibilities clearly expressed Compatibility with existing processes and procedures. Your plan must work within the daily operational flow of business. Depending on the size your organization and availability of resources, the best decision may be to outsource. Creation of an effective internal and external communications process for the organization Creation of a solid phishing response escalation path Minimization or avoidance of negative customer experiences. Preserving consumer confidence in using online services is crucial. Reduction of financial losses associated with online fraud Proactive protection of reputation your corporate 1

3 A phishing protection plan should focus on four primary areas: Prevention, Detection, Response, and Recovery. High-level recommendations for each of the four areas are outlined in the following sections. Prevention: Make Your Organization a Tough Target Phishing is not a technology-driven problem. Phishing is first and foremost a human-driven problem that leverages technology. Therefore, phishers will attack trusted brands that provide the least resistance, enabling the highest return for their efforts. Your goal should be to make your organization extremely difficult for phishers to successfully mount an attack. To achieve this degree of difficulty an organization should follow all of the following steps: Establish ownership and accountability of the problem All too often, an organization s first reponse to a phishing attack is reactive and knee-jerk. The attack and its consequences become an organizational hot potato with ambiguity surrounding what to do next. It s crucial to identify a central authority before you re attacked with clear accountability for policy and action. It will streamline communications, critical in the throes of an attack. In addition, set up the appropriate Emergency Response Teams with clearly defined roles and responsibilities. You ll also want to create a Phishing Abuse Hotline or special inbox for customers and employees to report suspicious messages. Educate employees about phishing Communicate early and often to your employees about your efforts to combat phishing. Make sure staff are well acquainted with the correct policies and procedures to use in the event of a phishing attack. Educate customers about phishing All your customer communications should include clear messaging about phishing prevention. Create corporate policies for content so that legitimate cannot be confused with phishing. This includes s, account statements, direct marketing materials, etc. Be very clear with your customers about the steps they should take if they ve fallen victim to phishing or identity theft. Finally, be sure that your policies about phishing are prominently displayed on your organization s primary website. Follow good customer practices Don t get too clever with marketing tactics. Use consistent formats and practices for customer communications. The use of consistent practices trains your customers to know what to expect upon receiving your communications, increasing the likelihood that the customer will easily spot a fraudulent . Good practices mean never including requests for personal information, attachments, hyperlinks or link obfuscations. Standard, consistent formats are best. Conduct a thorough audit and inventory of online assets This includes Registered Domain Names both live and parked, plus all websites with their corresponding URL s that are owned by or affiliated with your organization. Having a complete, organization-wide inventory of all registered domains allows for fast identification of a newly registered domain that may be used as part of a phishing attack. 2

4 Stay abreast of all emerging trends and technologies being deployed by phishers to commit fraud. Particularly today, the news is filled with the latest phishing attacks on global corporations large and small. What s more, become familiar with professional groups and associations like APWG, the Anti- Phishing Working Group ( In addition, build an international network of contacts in the legal, government, and ISP communities. These resources will help to identify the sources of phishing attacks and get Web sites and accounts shut down quickly. Many of these attacks originate outside of the United States, so it s crucial to be prepared with a global escalation matrix. Detection: Speed is Everything Detection is central to any phishing protection and response plan. The speed of detection is crucial in limiting the amount of fraud losses caused by a phishing attack. Essentially, the longer a phishing site is live (and unnoticed) the more potential it has to cause damage. The steps of detection are shown in the table below and employ a number of strategies for detecting phishing attacks from junk (spam). Fact is, the best protection from phishing is vigilance. The APWG reports that typical phishing sites are live for an average of 5 days, with some staying live much longer. The sooner a phishing site can be detected, the sooner it can come down. Effective detection methods can reduce the average phishing site takedown time from days to hours. Table 1: The Six Key Steps to Detection Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Obtain junk from honey pot accounts. Use pre-sorted feeds from Internet Service Providers (ISP s) and anti-spam companies. Filter both internally received spam and externally provided feeds for attacks against your organization. Search the Web to identify any Web sites masquerading as your organization s Web site. Continuously monitor the Internet for suspicious new domain registrations and changes to existing domain registrations. Provide 24x7 coverage of your organization s Fraud Hotline and inbox 3

5 Response: Communication is Key Your organization s response to a phishing attack will ultimately determine the extent of the damage caused by the attack. Obviously, the faster a site is brought down the less damage it can cause. How your organization handles the phishing attack will directly impact the effectiveness of the phishing site takedown procedures. Steps to an effective response plan are outlined below: After a phishing site is detected and confirmed, immediately initiate site takedown procedures using your internal staff or outsourced service provider. 1. Assess the size and scope of the phishing attack. 2. Obtain information about the site and the ISP hosting the site. 3. Contact the ISP to request the site to be removed escalate to the ISP s local authorities as needed. 4. Maintain contact with the ISP until the site is brought down and is no longer a threat to your organization. Contact the appropriate individuals based on your organization s escalation procedures. Provide the URL of the detected phishing site(s) to ISP s and security companies. These companies use the URL s to block and/or alert their subscription-based members from gaining access to the fraudulent sites. Notify the appropriate legal authorities to report the crime. Alert your customers. The best way is to post an alert directly on your Web site with a brief description of the attack. Create a Phishing Site Summary Report after the site is successfully taken down this report will provide important historical evidence for investigative purposes. Recovery: Have the Process in Place Recovery from a phishing attack can be just as important as responding to the attack itself. In this phase of your organization s phishing protection and response you need to focus on minimizing the impact of the phishing attack. The steps to an effective recovery plan are listed below: Once a site is shut down, work to gather all forensic information as well as any compromised customer data. Continue monitoring the site for at least ten (10) days to ensure the site doesn t go live again. Have drafted press releases and company statements prepared to address any external inquires from customer or the media regarding a phishing attack. Legal actions pursued by law enforcement and commercial organizations such as AOL and Microsoft, coupled with significant improvements in investigative and forensics technologies will drastically increase the number of successful phishing prosecutions. 4

6 Search the Web, message boards, and chat rooms to locate and retrieve your customers stolen credit card and debit card numbers, login names and passwords, and other personal information compromised from the attack. The quick retrieval of this information reduces the overall cost of the phishing attack and significantly improves customer attrition due to fraudrelated events. Conduct a post-mortem on the attack to identify areas for improvement. Conclusion Phishing is a problem that will be around for the foreseeable future. Phishing schemes continue to proliferate because they continue to work, becoming more sophisticated and better able to hide from detection. It makes good business sense to take a hard look at your company s readiness, ascertain your preparedness, and devise a solid, aggressive plan to combat the problem of phishing. Doing so is a win-win for the security professional, the customer, and the business as a whole. About NAFCU and Cyveillance NAFCU is the only national organization that focuses exclusively on federal issues affecting credit unions, representing its members before the federal government and the public. For more information, please visit About Cyveillance Cyveillance provides online risk monitoring and management solutions to Global 2000 organizations. The company comprehensively monitors the Internet using patented technology to deliver early warning of risks to information, infrastructure and individuals. Armed with this actionable intelligence and Cyveillance s immediate corrective response capability, chief security officers can proactively protect their company s reputation, revenues and customer trust. Cyveillance counts over half of the Fortune 50 and three quarters of the top Fortune 500 companies in the financial services, pharmaceutical, energy, and technology industries as clients. NAFCU Services Corporation th Street North Arlington, VA Tel: /06 Copyright 2006 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are trademarks or registered trademarks of their respective owners.