Phishing Update: 'No Brand is Safe'Expert Advice on How Organizations Can Manage Phishing Risks
Targeted phishing attacks are at an all-time high, and one reason for the proliferation is a non-unified response from industry and government, says Peter Cassidy of the Anti-Phishing Working Group.
Industry and government, on the one hand, are bogged down by rules and regulations, says Cassidy, secretary general of the APWG, which recently released its report on Q2 2012 global phishing activity [see: Phishing Update: 'No Brand is Safe'].
"Therefore it has made it really difficult for us in the government and industry to be more unified in efforts to counter cybercrime in a consistent, systematized way," Cassidy says in an interview with Information Security Media Group's Tom Field [transcript below].
"The bad guys have one great thing going for them," says Cassidy. "They have no rules. They have one imperative - make money."
Organizations know these phishing attacks are going on, Cassidy explains. "But we haven't come to the conclusion where we have decided how to make systematic and to automatically respond to these things and put them down quickly so that we close the window of opportunity of profit on these perpetrators."
In an exclusive interview about the latest phishing trends, Cassidy discusses:
- Highlights of the APWG's new report;
- Where organizations are gaining/losing ground;
- How to improve employee/customer resistance to phishing.
Cassidy is the secretary general of the Anti-Phishing Working Group (APWG). He has cultivated the organization since 2004 into an internationally-recognized authority on electronic crime, with more than 3,200 members from more than 1,850 information technology companies, law enforcement agencies, government ministries, universities and research institutions worldwide.
He is a product development consultant, software designer, industrial analyst and widely- published writer, speaker and commentator on information security, white collar crime and electronic crime. Cassidy has been investigating the intersection of security technologies, electronic commerce, public policy and financial crime for decades in his many capacities.
Global Phishing Activity
TOM FIELD: Let's talk about a couple of the highlights. One of the things that jump out from the report is that attacks on brands are at an all-time high. How should we interpret that statistic?
PETER CASSIDY: It seems as if the bad guys have continued their campaign against a diversified set of brands, diverging from the big brands that have been the focus of their efforts for the first few years. Now there's just about no brand that seems to be safe, or no kind of company or enterprise that seems to be safe from the surge of phishing. The phishers are creative in looking at any kind of relationship between a consumer and an enterprise and trying to figure out a way that they could get between those parties, pretend to be the enterprise and figure out a way that would convince the customer that he/she needed to trust them and then hand over some information that will be useful for their criminal enterprise.
FIELD: One of the other things that jumps out is that there's a spike in the number of unique phishing sites as well. How should we read that?
CASSIDY: That statistic is really about the efficiency of the bad guys in deploying vast numbers of phishing sites, sometimes in single campaigns, to make it more difficult for the good guys to put down the campaign and to end the financial violence against the consumers. It speaks more to their strategies that are continuing to get more efficient all the time in terms of opaquing their activity through vast amounts of activity, sort of clouding it.
FIELD: And Trojans seem to be the dominant means of infecting PCs. My question for you is: why are Trojans still so successful and what can we do better to combat them?
CASSIDY: They're successful because they're designed first to be opaque, to be invisible to a lot of different kinds of filtering systems. The only thing you can do is continue to tune the anti-virus software to intercept the stuff and to teach people that their habits of navigation online really matter. If they're wandering along a lot of unknown sites and a lot of unknown places on the web, they expose themselves to infection. They can't just click on link after link after link and click on joke after joke after joke that comes in on the instant messenger or e-mail. They have to use the computer the way they use their car. You just do not go into an abandoned industrial park after 1:00 in the morning thinking you're going to find something useful there for yourself. That's what people do on the Internet. They spin their wheel and they go into parts of the Internet that they have no business being in.
At the end of the day, they pick something up that either infects them directly or exposes them down the line to be infected and abused. Part of it is the work of the industry to keep coming up with better AV tools, to come up with more secure software, to deploy more secure web pages, but it's also the daily work of consumers and maybe government agencies to get the message across - be careful; be step-wise; don't go places without a reason on the web.
PC Infections Down
FIELD: A piece of good news came out of the report - at least that's how I interpret it - and that's that the number of infected PCs is down. What do you attribute that to?
CASSIDY: Public awareness. People are getting it. Little shows on the Internet, like your podcasts, items on the radio, in very popular media like newspapers, people will pick up the newspaper and there are things about phishing and financial crime; in the business page, in the news page and in the feature pages, [there's] how to keep your kids safe online on the feature page; the damage caused by cybercrime in the business page; local bank getting attacked in a phishing campaign on the news page. You see this in general culture. People are becoming aware and they're talking about it. They're telling each other, "How can I be careful about this stuff? How can I use my PC for my online banking, because I'm doing that now every Sunday afternoon? I come home after church or temple and I sit down with the ledger and the spouse and we do our online banking. How can we be safe?" The cultural conversation now is about safety online and that's a good thing. It's becoming integrated into the general culture, taking care of family, home and kids.
FIELD: Well that's good news and it's great that the awareness is up and the number of infected PCs is down, and yet we're just talking about the attacks on brands at an all-time high and the spike in the number of unique phishing sites. So when does this awareness sort of result in some success in phishing?
CASSIDY: When it stops making enough money for the bad guys to pursue it, which is something that can't be done by awareness alone. I'm aware of the bombs falling around me; it doesn't mean I can stop the war. The public awareness stuff is really sort of more of a public health issue than it is sort of a forensic or response issue. These numbers come down or they disappear or they maintain at a level over time that never goes up again. It becomes part of something that industry and government manages. That's what really winning is. Let's say we stop at 392 brands and for the next ten or 15 years that's what it was. Industry would manage that. Winning is not the same in this kind of context. It's not good to see the stuff continue to rise and continue to see the damage rise, but at some point we will become efficient enough to make this a manageable and predictable event, kind of like the flu in the winter.
Winning/Losing the Battle
FIELD: You've been fighting this flu for a particularly long time, so my question for you is where do you see organizations both winning some of the battles and continuing to lose?
CASSIDY: Winning the battles on the operating systems are getting more secure. Industry is getting more aware at the operating system level of what works, what is abused most often by the bad guys to infect machines and in software. Development of software now is a keystone of a lot of software projects from the get-go in security. It's not something that's built on anymore. It's integrated into the working specifications of the software. That awareness on the industrial and development side is a huge win. It's changing things. It's making some things easier and some things more difficult for the developers, but at the end of the day the things that roll out are consistently more secure than things that were rolled out ten years ago. So that's a win.
We're not losing ground, but we're definitely not gaining ground in the ability for industry and industry in partnership with government to respond in a more unified way. It's one of the things that really have stymied the response community. The bad guys have one great thing going for them. They have a lot of good things going for them. Me and you are on the wrong teams sometimes, it appears. They have no rules. They have one imperative - make money. And they have no rules in the way. The rest of us, we have lots and lots of rules. Once you get inside of industry, you have lots and lots and lots of rules. Once you get inside of the government, you have rules you can't imagine ever having to deal with in your whole life. Therefore it has made it really difficult for us in the government and industry to be more unified in their efforts to counter cybercrime in a consistent, systematized and routinized way. And the key is routinized, the ability to predict. We know this stuff is going to go on. We know this stuff is always going to go on, but we haven't come to the conclusion where we have decided, whatever "we" is going to be, how to routinize and make systematic and to automatically respond to these things and put them down quickly so that we close the window of opportunity of profit on these perpetrators.
FIELD: Over the past year or so we've seen a number of high-profile data breaches, and at the root of those really were successful phishing attempts. What are some of the trends that you're watching now that most concern you when it comes to phishing?
CASSIDY: The data breaches get the newspaper. The things that really concern me however are the data breaches and attacks that never ever get to show up in the newspaper, because I will tell you why. If department store "x" gets 15,355,625 credit card records stolen, it doesn't mean any of them are actually going to be used. The reason is there's a lot of that kind of stuff in trade on the web amongst criminal gangs. They don't have enough bandwidth to actually process it all. The thing that really concerns me is the focus on executive and key personnel phishing. Some people call it spear-phishing. I just call it focused phishing because they decide, "Okay, the northeast comptroller from that company must have at least a signature authority of five or six figures. If I can phish him and I can get access to the accounts that he has online, I should be able to cash out to at least five figures."
So rather than buy all these crappy credit card records and try to run a bunch of scams that make me maybe a thousand bucks a pop, if they work - and each one takes a lot of time to cash out - [then] I ought to concentrate on this guy. He's an interesting guy. He was at an accounting conference on a panel and he was surrounded by four other people. Now that's interesting. Maybe I will send him a nice e-mail from one of the panelists with my slide set because all of the slides are right here for me on the conference website. And maybe I will get into a nice conversation back and forth about his presentation, and it's all very nice. I get enough information from him to figure out a way to get inside his network and get enough information from him to figure out a way to spoof the bank and rob from the company's accounts.
Do you see what I'm getting at? Instead of trying to infect my computer or phish me and you, they infect that guy's computer. The set of PowerPoint slides that they sent infected the computer. They had a nice conversation with him; they got some information from him that would be helpful in a log-on once they found out what bank the company used. So that kind of spear-phishing is the thing that really scares me because that's the kind of thing that could be very damaging to a company in a lot of dimensions and damage a lot of people, employees and the enterprise itself in ways that could be resonant through an economy or a region or a large company.
FIELD: And really that's exactly what we're seeing, much more spear-phishing, correct?
CASSIDY: Yeah, it's become an industry; it's become a discipline all its own. And again, it's rational. It makes a lot of sense. The phishers send out 100,000 emails. They get Tom and Pete. Oh great, look. We got these guys and their checking account is empty. They don't get anything, so it's rational for them to go after large companies. It's rational for them to go after any companies at all. One of the first successful spear-phishing enterprises we saw was against a Chamber of Commerce in Kentucky and they didn't even go after the chief officer. They went after a bookkeeper and it was just astounding and the bookkeeper had substantial signature authority. This was like 2004, 2005. So that's the thing that really keeps us up at night, because conventional phishing you see a lot and you can do a lot and you can respond in a more routine way; spear-phishing is diabolical. It's at the hands of the twisted imagination of the attacker.
Advice to Organizations
FIELD: What advice do you give to organizations that really want to improve their employee and their customer resistance to these sophisticated phishing attempts?
CASSIDY: First, you should really look at what you're asking your customers to do in asking how they're responding. If you're an enterprise that has a marketing department that's constantly pumping out e-mails with links on them and engaging people in banter about lots and lots of different opportunities and stuff like that and there are customers that actually have to engage things like an online account or an online ordering system, you might want to actually get the marketing people in sync with the security people, because sometimes they're apart. Sometimes the security people want to coordinate things better so that they're certain the enterprise is not acclimating these people to be phished.
Coordinate IT security with the marketing element a little bit. Marketing's not going to go away, but it would make the security guys feel better if they knew that they were included in the conversations about all those outbound communications, and you should actively teach your customers that this is the way we will communicate with you and these are the things that we'll ask, and these are the things that you will never be asked. And this is the reason the IT has got to be sort of coordinated with the marketing people, because they're the communications arm of the enterprise to a certain extent.
The enterprise itself can plan its own strategy. We don't need to ask them all this stuff; we never will. We should tell them explicitly why so they internalize that advice, and if you have bandwidth and you have resources, try to generically or generally teach principles to your customers that you think will be of enduring value.
We have an organization we developed with a group in Washington, the NCSA [National Cyber Security Alliance], called the STOP. THINK. CONNECT. messaging convention. We distilled through a lot of research our slogan, which is "STOP. THINK. CONNECT" and it still works well for any enterprise. If you teach your customers one thing, teach them to slow down. Teach them to stop. Try to give them some general principles to go by. Nothing so exciting or important that you need to do it immediately, and, in fact, if you're being told that you have to do something immediately, you might want to stop and think about it for a good long time because that's exactly the kind of thing that the bad guys work on, getting you not to stop and getting you to stop thinking and getting you to respond. I think there's some stuff you need to do internally even before you have that conversation with your own customers. But once you get that right, over time it matters, overtime in the aggregate it does matter.