As phishing attacks have grown, the defences and mysterious counter-measures have evolved. Uri Rivner, Head of New Technologies at RSA Cyota Consumer Solutions, tells a detective's story.
The following article is by Uri Rivner and has been reproduced on OUT-LAW from the RSA Security blog with Uri's kind permission.
In detective stories, one of the last things that the detective finds is the motive. Find the motive, and the whole plot is unveiled. I think the same applies to fighting fraud. When developing solutions against fraud, it's important to discover the motive, the root, the invisible reason behind the visible behavior of the fraudsters. Find the motive, and you're halfway to solving the crime.
To illustrate this point, I'd like to talk about the evolution of anti-phishing services. Phishing wasn't the first type of fraud hitting online financial institutions; some keyloggers were already in use before phishing became a mainstream crime. The first reports of wide-scale email fraud came from Australia and Brazil, soon spreading to more lucrative targets – the US and the UK – and in late 2003 it became clear that the global financial industry was facing a new menace.
First to introduce "anti-phishing solutions" were anti-spam and brand monitoring companies. Anti-spam providers offered alert services based on scanning spam emails and finding specific keywords such as 'online banking', 'password', and the name of the targeted bank. Brand monitoring companies, who were already working with banks to fight unauthorised use of their logos and brand names, offered to extend the service to phishing and provide early detection of attacks. There's an interesting point to mention in this context: in the brand monitoring business, detection is vital. No-one is likely to call customer service in a panicked voice to report brand abuse, like people do when seeing a phishing email; the misuse can stick around for weeks or even months before a chance discovery – if you're lucky. So from a brand monitoring company's perspective, detection is everything.
The benefit of fast detection, of course, is that the bank will know about a phishing attack as soon as the emails are sent, and this minimises the 'window of opportunity' for the bank's unsuspecting customers to hand over their credentials to the bad guys.
In these early days, however, the market did not offer any better solutions, so banks hit by phishing were happy to try these "anti-phishing solutions".