March 17th, 2005
Phishing concerns taint legitimate email
Increasingly, people are regarding legitimate transactional e-mails from companies as fraudulent, not just mistaking phishing e-mails as real, according to Jonathan Oliver from MailFrontier. He spoke at Etech this afternoon about phishing attacks and social engineering. A recent study showed 30 percent of respondents incorrectly identified a phishing e-mail as real or real message as a phishing attack. Oliver showed slides of legitimate e-mail from Citibank and Network Solutions that people considered phishing.
Some other disturbing facts: only 9 percent got a 10/10 on a phishing IQ test; 51 million US adults were phished in the last 12 months; there was a 1,126 percent increase in phishing attacks from 12/03 to 6/04; and 5 percent of recipients who receive a phishing e-mail then click on the link.
He then showed how easy it is to set up an attack, and then came up with a figure for the average pay-off–a lucrative $1,200 per victim.
After highlighting some of the activity around corporate phishing (new employees can be targeted by phishers exploiting the Identity Directory Harvest), Oliver touched on methods for identifying a phishing email, which include: identify the sending server; identify links to the fake web server; identify that the e-mail does not originate from who it purports to come from (authentication); identify suspicious content; and identify attempts to exploit browser security holes. But he also showed cases where these don’t always work.
He concluded by saying that security solutions must use multiple techniques to be effective. But while vendors struggle to keep up, those engaged in transactional activities on the Web, such as selling products on eBay, should be on the guard as they are more heavily targeted.
