A New Angle on Phishing

Banking, Security Groups Launch Anti-Fraud Initiative
Just weeks earlier, the Federal Bureau of Investigation issued a warning about a new Zeus malware attack targeting commercial bank accounts, ultimately leading to incidents of corporate account takeover. The Zeus variant used is called Gameover, which defeats several forms of dual-factor authentication and is delivered via phishing attacks. [See FBI Warns of New Fraud Scam.]
These are just two of the most recent examples of phishing attacks against consumer and commercial banking customers. How bad is the phishing landscape? According to the Anti-Phishing Working Group's Phishing Activity Trends Report, which reviews the first six months of 2011, banks and other players in financial services continue to be the organizations most often targeted by phishing schemes. Nearly half of all phishing attacks waged during the first half of 2011 targeted the financial sector. Another 26 percent targeted payment services.
Spear phishing, or targeted phishing, is the industry's most concerning phishing trend, the APWG says. "These are hyper-focused, often personalized phishing attacks directed against specific company executives, IT personnel and management personnel with corporate treasury authority and/or access to company online bank accounts," the APWG report states. "These e-mails tend to evade spam filters, unlike the broad-based consumer phishing e-mail campaigns. The spear-phishing e-mails either contain an attachment that can infect the recipient's computer with sophisticated financial malware, or contain a link to a website that can infect the recipient's computer with financial malware and Trojans."
A New Approach
We can't stop the phishing attempts. Executives at BITS and FS-ISAC have accepted that fact. And now they're trying a new approach.
BITS, the technology policy division of The Financial Services Roundtable, and the Financial Services Information Sharing and Analysis Center have announced the launch of the Trusted Email Registry. The registry collects information about e-mail traffic from Internet service providers and then offers domain-specific reports on trusted and non-trusted international domains that financial institutions can review.
The service aims to provide banks and credit unions with standardized reporting that's easy to understand.
Andrew Kennedy, who's overseeing the new e-mail service for BITS, says enhanced e-mail monitoring is the only way to address online security.
"BITS has been working on e-mail security and e-mail authentication for years," Kennedy says. "One of the biggest drivers from our end has been the phishing attacks that have become more sophisticated over the last few years."
The Root of Phishing
These two organizations are working to take online security in the banking space to the next level. Rather than focusing on the impossible task of stopping phishing outright, they have chosen to home in on the root of phishing.
By having banks track phishing attacks back to their hosts, BITS and FS-ISAC are asking institutions to look beyond simple blocking.
Granted, the registry approach will have to prove itself over time. But it represents a revolutionary approach, at least for the financial industry.
Phishing is a serious issue for banks, credit unions and their customers. It's time for the industry to tackle it seriously.