Issue No. 01 - January-February (2005 vol. 3)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2005.21
PHISHING ATTACKS RISING, BUT DOLLAR LOSSES DOWN
New research suggests that phishing attacks, although increasing rapidly, aren't proliferating on a wildfire basis. Instead, they might actually be controlled by a small number of criminal organizations, and dollar losses once estimated at more than US$1 billion might be just above one tenth of that.
However, the psychological toll phishing scams place on both service providers and end users can still cripple e-commerce.
"There are really two kinds of victims in phishing attacks," says Paul Judge, chief technology officer of Ciphertrust, a global email security firm. "On one end, you have end users losing x amount of money. A different perspective we hear from our customers all the time is, 'I'm a large financial services institution and can't send emails to my customers because they don't trust us anymore.' Many users are kind of defaulting to not trusting any message that seems to be from one of the institutions they do business with. This inability to communicate with customers is a denial of service unlike any we've ever seen. Look at the costs from that perspective, and it goes beyond the actual dollar amount that's been stolen from accounts."
Ciphertrust researchers analyzed global email data from the first two weeks of October 2004 and discovered that most phishing attacks (estimated at about 1 percent of all email sent) come from fewer than five networks employing thousands of zombie computers hijacked to spread fraudulent soliciting emails ( www.ciphertrust.com/resources/statistics/phishing.html). Judge says the people running the phishing scams will use 1,000 computers out of a network typically containing 14,000 to 17,000 compromised machines on a rotating basis—usually switching machines daily.
The old perception of phishing attacks was that they originated via a disorganized wildfire pattern. Now, Judge says, researchers are pinpointing specific IP blocks from which fraudulent messages originate.
"I think many people were approaching it with blinders on, looking at individual messages," Judge says, "and looking at these messages as trees everywhere. What we've been basing our technology on [over] the last couple of years is stepping back from all that and taking a wider view, and what we were able to say was, 'There are a couple of forests out there, and here's what's going on.'"
Judge says Ciphertrust researchers rely on the theory that the Internet supports a small set of trusted mail senders and, conversely, a very large set of untrusted and suspect senders that typically don't send legitimate mail.
"A very small set of senders are these trusted legitimate organizations, so what we've focused on is how [to] identify this trusted network of senders," Judge says.
By analyzing and cataloging messages from legitimate senders, Judge says, security experts can then isolate outliers and check IP addresses for phishing scams.
George Tubin, senior analyst at TowerGroup, an analyst firm specializing in financial services, says vulnerable organizations are learning to monitor Web logs for visitors attempting to get graphics off their sites. They're also beginning to match logins from registered users for traits such as time zone and geography. A message originating from a server in eastern Europe purporting to be a user who usually logs in from a site in the northeastern US, for example, will be flagged for analysis.
"The bigger banks that have been putting this stuff in place say phishing is almost a non-issue with them," Tubin says.
Tubin and his colleagues at TowerGroup estimate that quantifiable fraud losses in 2004 from phishing are much less than the widely quoted US$1.2 billion dollars (see www.thestandard.com/article.php?story=20040617173836939). TowerGroup pegs the loss at $137 million, but Tubin concurs with Judge that the cost of managing antiphishing efforts and maintaining trust among users is actually far more than that dollar figure.