Fraud update

    A recently published report on online identity theft and phishing countermeasures, commissioned by the Department of Homeland Security Science and Technology Directorate, offers several suggestions for securing Web sites and customer transactions.
    The Gartner Group estimates that the direct phishing-related loss to U.S. banks and credit card issuers in 2003 was $1.2 billion, according to the report. Indirect losses are much higher, including customer service expenses, account replacement costs, and the cost of decreased use of online services as customers grow fearful about the security of online financial transactions.
    Both the frequency of phishing attacks and their sophistication are increasing dramatically. Descriptions of recent phishing attacks, and related statistics, can be found at http://www.antiphishing.org.
    Phishing also causes substantial hardship for victimized consumers, due to the difficulty of repairing credit damaged by fraudulent activity, the report points out.
    “Phishing often spans multiple countries and is commonly perpetrated by organized crime,” the report says. “While legal remedies can and should be pursued by affected institutions, technical measures to prevent phishing are an integral component of any long-term solution.”
    An organization that is a likely phishing target can prepare before an attack occurs. Such preparation can dramatically improve the organization’s responsiveness to the attack and substantially reduce losses. It includes:

Providing a spoof-reporting e-mail address to which customers may send spoof e-mails.

    This both gives customers feedback on whether a particular communication is legitimate and gives the institution early warning that an attack is underway.

Monitoring “bounced” e-mail messages.

    Many phishers send to bulk lists that include nonexistent e-mail addresses, using forged return addresses in the targeted institution’s domain, so the bounces for those nonexistent recipients land in the institution’s own mailboxes. A sudden spate of bounced e-mails can therefore indicate that a phishing attack is underway.
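The bounce-monitoring idea above can be turned into a simple detector. The following is an added example written for this page, not code from the report: it parses a constructed bounce log in an assumed one-line-per-bounce format, buckets bounces by hour, flags any hour whose total is well above the median of the other hours, and reports what fraction of the flagged hour’s bounces were for unknown recipients (the signature of a phisher mailing a bad list from a forged return address).

```python
"""Flag an hourly spike in bounced e-mail that may indicate a phishing campaign
forging our domain as the return address. Added example; the log format below is
an assumption, not a real MTA format."""
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data). Assumed format:
#   "<ISO-8601 timestamp> bounce <original recipient> <reason>"
# Hours 08-10 show a normal trickle; hour 11 shows a burst of unknown-user bounces.
SAMPLE_BOUNCE_LOG = """\
2004-03-01T08:05:10 bounce alice@example.net user-unknown
2004-03-01T08:41:02 bounce bob@example.org mailbox-full
2004-03-01T09:17:30 bounce carol@example.com user-unknown
2004-03-01T10:02:11 bounce dave@example.net mailbox-full
2004-03-01T10:55:49 bounce erin@example.org user-unknown
2004-03-01T11:00:03 bounce u1@example.net user-unknown
2004-03-01T11:00:07 bounce u2@example.net user-unknown
2004-03-01T11:00:12 bounce u3@example.org user-unknown
2004-03-01T11:00:15 bounce u4@example.org user-unknown
2004-03-01T11:00:21 bounce u5@example.com user-unknown
2004-03-01T11:00:26 bounce u6@example.com user-unknown
2004-03-01T11:00:33 bounce u7@example.net user-unknown
2004-03-01T11:00:38 bounce u8@example.org user-unknown
2004-03-01T11:00:44 bounce u9@example.com user-unknown
2004-03-01T11:00:51 bounce u10@example.net mailbox-full
2004-03-01T11:01:02 bounce u11@example.org user-unknown
2004-03-01T11:01:09 bounce u12@example.com user-unknown
"""


def parse_bounces(text):
    """Return a list of (timestamp, recipient, reason); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "bounce":
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[2], parts[3]))
    return records


def bounces_per_hour(records):
    """Map each hour start to a Counter of bounce reasons seen in that hour."""
    hourly = defaultdict(Counter)
    for ts, _recipient, reason in records:
        hourly[ts.replace(minute=0, second=0, microsecond=0)][reason] += 1
    return hourly


def find_spikes(hourly, factor=3.0, floor=5):
    """Flag hours whose bounce total is >= max(floor, factor * median hourly total).

    The floor stops a tiny baseline (e.g. one bounce an hour) from turning a
    handful of bounces into an alert."""
    totals = {hour: sum(reasons.values()) for hour, reasons in hourly.items()}
    if not totals:
        return []
    threshold = max(floor, factor * statistics.median(totals.values()))
    spikes = []
    for hour in sorted(totals):
        total = totals[hour]
        if total >= threshold:
            unknown = hourly[hour]["user-unknown"]
            spikes.append({
                "hour": hour.isoformat(),
                "total": total,
                "unknown_user_fraction": round(unknown / total, 2),
            })
    return spikes


def detect(text=SAMPLE_BOUNCE_LOG):
    return find_spikes(bounces_per_hour(parse_bounces(text)))


if __name__ == "__main__":
    for spike in detect():
        print(spike)
```

A production version would compare each hour against the same hour on previous days rather than against a single day’s median, and would treat a high unknown-user fraction as the stronger signal: legitimate customer mailings bounce mostly on full mailboxes, while a phisher’s scraped list bounces mostly on addresses that never existed.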

Monitoring call volumes and the nature of questions to customer service.

    A spike in certain types of inquiries, such as a password having been changed, can indicate a phishing attack.

Monitoring account activity for anomalies such as unusual volumes of logins, password modifications, transfers, withdrawals, etc.


Monitoring the use of images containing an institution’s corporate logos and artwork.

    Phishers often link directly to logos and other artwork hosted on the target corporation’s own Web servers so that a fraudulent page looks authentic. The institution’s Web server can detect this because such image requests arrive with a blank or anomalous “Referer” header, pointing at a site the institution does not own (a blank Referer is also what most mail clients send when an image is loaded straight from an HTML e-mail).
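To make the Referer check concrete, the following is an added example written for this page (it is not code from the report). It parses constructed Web server access-log lines in the common combined log format, picks out requests for a set of protected image paths, and classifies each by the Referer host: the institution’s own hosts (assumed here to be www.example-bank.com and example-bank.com), a blank Referer, or a foreign host. The foreign hosts are tallied so that a page hot-linking the bank’s logo stands out.

```python
"""Detect hot-linking of our logos from foreign or blank Referers in an access log.
Added example; host names, image paths and log lines are constructed assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed: the institution's own host names. Anything else is "foreign".
OUR_HOSTS = {"www.example-bank.com", "example-bank.com"}

# Assumed: image paths that carry the institution's branding.
PROTECTED_IMAGE = re.compile(r"^/images/(logo|header|seal)\.(gif|png|jpg)$")

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Two legitimate logo loads from our own
# pages, two loads from a look-alike site, one with no Referer, and one unrelated request.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [01/Mar/2004:11:02:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "http://www.example-bank.com/login" "Mozilla/4.0"
198.51.100.9 - - [01/Mar/2004:11:02:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "http://example-bank.com/" "Mozilla/4.0"
203.0.113.5 - - [01/Mar/2004:11:03:10 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "http://secure-examplebank-verify.example/update.html" "Mozilla/4.0"
203.0.113.6 - - [01/Mar/2004:11:03:12 -0500] "GET /images/seal.png HTTP/1.1" 200 2210 "http://secure-examplebank-verify.example/update.html" "Mozilla/4.0"
203.0.113.8 - - [01/Mar/2004:11:03:40 -0500] "GET /images/logo.gif HTTP/1.1" 200 4121 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Mar/2004:11:04:01 -0500] "GET /index.html HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
"""


def parse_access_log(text):
    """Yield one dict per well-formed combined-log line; silently skip the rest."""
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            yield match.groupdict()


def classify_referer(referer):
    """Return ('own' | 'blank' | 'foreign', host) for a Referer header value."""
    if referer in ("", "-"):
        return "blank", None
    host = (urlsplit(referer).hostname or "").lower()
    if host in OUR_HOSTS:
        return "own", host
    return "foreign", host


def hotlink_report(text=SAMPLE_ACCESS_LOG):
    """Summarise who is embedding our protected images."""
    report = {"own": 0, "blank": 0, "foreign": Counter()}
    for entry in parse_access_log(text):
        if not PROTECTED_IMAGE.match(entry["path"]):
            continue
        kind, host = classify_referer(entry["referer"])
        if kind == "foreign":
            report["foreign"][host] += 1
        else:
            report[kind] += 1
    return report


if __name__ == "__main__":
    result = hotlink_report()
    print("own:", result["own"], "blank:", result["blank"])
    for host, count in result["foreign"].most_common():
        print(f"foreign host {host}: {count} image requests")
```

Treat the output as a signal, not a verdict. A blank Referer is also sent by browsers configured for privacy and by users following a bookmark, so the useful indicator is a foreign host that suddenly accounts for many image loads, or a jump in blank-Referer loads of exactly the images a phishing e-mail would embed. Refusing to serve the image to foreign Referers would break those legitimate cases; logging and alerting on them does not.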

Establishing monitoring for e-mail purporting to be from the institution.

    The report adds that e-mail filters intended to combat spam are often effective against phishing as well. Signature-based anti-spam filters may be configured to identify specific known phishing messages and prevent them from reaching users. Statistical or heuristic anti-spam filters may be partially effective, but to the extent that a phishing message resembles a legitimate message, a filter tuned sensitively enough to catch the malicious e-mail risks blocking legitimate e-mail too, according to the report. The report notes that effective deception-based phishing e-mails and Web sites present a visual appearance consistent with the organizations they mimic, which is exactly what makes them hard to separate from legitimate mail by heuristics alone. The report further says that properly applied technology can significantly reduce the risk of identity theft. It recommends:

  • Monitoring potentially malicious activity such as Web site usage and domain registrations, detecting a phishing attack before it starts, and interrupting the phisher’s preparations.
  • Authenticating e-mail messages so unauthenticated messages can be discarded.
  • Detecting the unauthorized use of trademarks, logos and other proprietary imagery.
  • Improving the security patching infrastructure to increase resistance to malware.
  • Using personalized information to authenticate an email directly to a user.
  • Detecting a fraudulent Web site and alerting the user.
  • Using a mutual authentication protocol.

    Not all anti-phishing technology needs to be expensive, the report adds. “Some form of lightweight message authentication may be very valuable in the future to combat phishing. For the potential value to be realized, e-mail authentication technology must become sufficiently widespread that nonauthenticated messages can be summarily deleted.”
    Cryptographic signing of e-mail is a positive incremental step in the short run, and an effective measure if it becomes widely deployed in the long run, the report adds. Signing may be performed either at the client or at the gateway.
    Education is another important countermeasure to these attacks, the report adds. It recommends that companies instruct users not to click on links in an e-mail, to ensure that SSL is being used, to verify that the domain name is correct before giving out information, and similar practices.
    Yet such education has not been effective: response rates to phishing messages are comparable to response rates to legitimate commercial e-mail. According to the report, there are a few reasons why this form of education has not proven effective:

  • The information normally presented to a user – including the origin of an e-mail, the location of a page, the presence of SSL, etc. – can be spoofed. Therefore, a user, however well-educated, cannot reasonably be relied on to discern between a legitimate message and a phishing attack.
  • Actions such as ensuring SSL is being used and checking the domain name are not part of a user’s normal interaction with a site, which has been found to make them very likely to be skipped.
  • Users are accustomed to glitches and malfunctions, and often are not sure how to interpret phishing related behavior. Users often rationalize phishing indicators as being due to software bugs or other errors.

To enhance customer education, the report recommends that organizations not tell customers they will never use clickable links, when in fact such links are a valuable marketing tool, and that they never use a “call to action” in e-mail that warns of a negative consequence for failing to follow a link.