Out of the Office. Gone Phishing!
As a follow-up to last month's issue of TPAtlanta, which focused on fraud, we want to alert our readers to some other sinister scenarios plaguing certain facets of the transaction processing industry.
Been phishing lately? Perhaps you have already heard of phishing -- hopefully, you have not been a victim! Phishing is the act of sending an e-mail that falsely claims to come from an established, legitimate enterprise in an attempt to scam the recipient into surrendering private information that can be used for identity theft. Phishing, also referred to as brand spoofing (and sometimes, loosely, as carding), is a variation on the word "fishing," the idea being that bait is thrown out in the hope that someone will be tempted into biting. Typically, the e-mail directs the user to a Web site where they are asked to "update" or "verify" personal information, such as passwords and credit card, social security and bank account numbers, which the legitimate organization already has and would not ask for by e-mail. The Web site, however, is bogus and set up only to steal the user's information.
For example, eBay users have received e-mails supposedly from the company claiming that the user's account was about to be suspended unless they provided updated credit card information. Because a Web page's HTML and images can simply be copied, it is easy to make a bogus site look exactly like a legitimate organization's site; the address shown in the browser, not the appearance of the page, is what gives the fake away. This particular scam counted on people being tricked into thinking they were actually being contacted by eBay and then going to what they believed was eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail reaching a percentage of recipients who actually had credit card numbers on file with eBay.
In the transaction processing industry, banks and credit card companies are particularly attractive targets for phishing expeditions due to the sheer volume of sensitive information they keep. Fortunately, banks are starting to pay attention to these phishing scams and are searching for cost effective means to protect their online customers from such attacks.
Bank of America recently rolled out a service called "SiteKey," where a customer picks a symbol, icon or photo that is unique to them and that is then paired with their online user ID and password. The image is displayed after the customer enters the user ID and before the password is requested; if the expected image appears, the customer knows he is at the legitimate Bank of America site, and if it does not, he should not type his password.
Even if phishers could capture the user's unique image, the SiteKey service also tracks which computer a banking customer is accessing the account from, and when a login comes from an unrecognized computer it asks challenge-response questions, chosen by the customer at enrollment, before showing the image. The aim is to weed out fraudsters who know the user ID but not the answers.
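To make the sequence concrete, here is a small model of a SiteKey-style login flow. It is an added illustration written for this article, not Bank of America's code; the customer record, the cookie-style device token, the challenge question and every value in it are constructed and hypothetical. What it shows is that the image is released only to a device the bank has seen before (or after the challenge question is answered), and only before the password is requested.

```python
"""Model of a SiteKey-style login flow (added illustration, not Bank of
America's code). Customer data, the device-token cookie mechanism and the
challenge question are all constructed/hypothetical."""
import hashlib
import hmac
import secrets


def _h(s: str) -> str:
    """Hex SHA-256 of a string; stand-in for a real password/answer store."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed customer record (hypothetical values).
USERS = {
    "alice": {
        "password_hash": _h("correct horse battery"),
        "site_key": ("sailboat.jpg", "my summer boat"),  # image + caption chosen at enrollment
        "challenge": ("Name of your first pet?", _h("rover")),
        "known_devices": set(),  # tokens of browsers the bank has seen before
    }
}


def enroll_device(user_id: str) -> str:
    """Issue a random token for this browser; the bank records it as known."""
    token = secrets.token_hex(16)
    USERS[user_id]["known_devices"].add(token)
    return token


def submit_user_id(user_id: str, device_token, challenge_answer=None) -> dict:
    """Step 1 of login. The user ID alone never yields the image from an
    unrecognized device; that device is sent the challenge question instead."""
    rec = USERS.get(user_id)
    if rec is None:
        # Unknown ID: ask a generic question rather than reveal that it is unknown.
        return {"status": "challenge", "question": "Name of your first pet?"}
    if device_token in rec["known_devices"]:
        return {"status": "image", "site_key": rec["site_key"]}
    question, answer_hash = rec["challenge"]
    if challenge_answer is not None and hmac.compare_digest(
        _h(challenge_answer.strip().lower()), answer_hash
    ):
        # Correct answer: show the image and remember this browser for next time.
        return {"status": "image", "site_key": rec["site_key"],
                "device_token": enroll_device(user_id)}
    return {"status": "challenge", "question": question}


def submit_password(user_id: str, password: str) -> bool:
    """Step 2: the customer types the password only after seeing the right image."""
    rec = USERS.get(user_id)
    return rec is not None and hmac.compare_digest(_h(password), rec["password_hash"])


def demo() -> dict:
    """Customer enrolls from home; a phisher replays the user ID from a new machine."""
    home = enroll_device("alice")
    customer = submit_user_id("alice", home)
    phisher = submit_user_id("alice", device_token=None)  # unrecognized device
    return {"customer": customer["status"], "phisher": phisher["status"]}


if __name__ == "__main__":
    print(demo())
```

Run as written, the customer's recognized browser is shown the image while a phisher who merely replays "alice" from his own machine gets the challenge question, which is the point of the device check. The model shows what that check buys; it does not by itself stop a phisher who relays the challenge question to the victim in real time, so the image should be treated as one signal, not proof.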
Scam artists who target online banking customers are adapting their techniques to try to defeat a range of sophisticated new security features designed to thwart phishing attacks, according to experts.
In recent months, companies that monitor phishing attacks have noticed an increase in malicious programs that record computer screen activity. The rise in so-called "screen-scraping" may be an attempt to counter new electronic banking programs that use a combination of mouse clicks (for example, on an on-screen keyboard) and keyed entries to give customers access to their online accounts.
While screen-scraping attacks are currently rare, experts agree that they are becoming more common and are even becoming a standard feature in malicious programs that can be custom-ordered online. Many IT security experts also believe that the anti-phishing filter in the soon-to-be-released Internet Explorer Version 7, given that browser's widespread use, will make a real dent in phishing. Note, however, that a browser filter warns about bogus sites; it does nothing against a Trojan already running on the customer's own machine.
Websense Inc., a Web security software company, has seen an increase in screen-scraping programs in the last six months, especially in Brazil and other South American countries, according to Dan Hubbard, senior director of security and technology research at Websense, in San Diego. The Trojan horse programs wait until the user of an infected machine visits an online banking site and then capture mouse interactions with the site, allowing the criminals controlling the Trojan to spy on interactions with on-screen keyboards, which are designed to foil key-logging software.
The new attacks come as more banks are deploying technology that combines mouse clicks with keyed information such as user names and passwords.
Malicious programs such as the Dumaru family of Trojans have had screen-capture capability for years. What has changed is the ability of the programs to sift through meaningless screen interactions and capture only those exchanges that reveal sensitive log-in information, said Hubbard.
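The following model shows why an on-screen PIN pad defeats a plain keylogger yet falls to a click logger that also captures the screen, and what the "sifting" by target site looks like. It is an added illustration written for this article with constructed data; it is not code from Websense, from the Dumaru family or from any real Trojan, and the bank host name, keypad geometry, username and PIN are all hypothetical.

```python
"""Why an on-screen PIN pad beats a keylogger but not a click logger that also
captures the screen. Added model with constructed data; not code from Websense,
Dumaru or any real Trojan. Bank host, keypad geometry, username and PIN are
hypothetical."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Button:
    label: str
    x: int
    y: int
    w: int = 40
    h: int = 40


def render_keypad(order: str) -> list:
    """Bank's on-screen PIN pad: ten 40x40 buttons in two rows of five, digits
    laid out in the given per-session order, so a fixed coordinate map fails."""
    assert sorted(order) == list("0123456789")
    return [Button(d, 10 + 50 * (i % 5), 10 + 50 * (i // 5)) for i, d in enumerate(order)]


def customer_logs_in(keypad: list, username: str, pin: str):
    """The customer types the username but clicks the PIN. Returns what each
    input channel produces: keystrokes and mouse clicks (button centres)."""
    keystrokes = list(username)
    clicks = []
    for digit in pin:
        b = next(b for b in keypad if b.label == digit)
        clicks.append((b.x + b.w // 2, b.y + b.h // 2))
    return keystrokes, clicks


def keylogger_view(keystrokes: list) -> str:
    """A plain keylogger sees only what went through the keyboard."""
    return "".join(keystrokes)


def click_logger_view(clicks: list, keypad_as_captured: list) -> str:
    """A click logger maps each click onto whatever keypad layout it holds:
    the screen-captured layout of this session, or a stale one."""
    out = ""
    for cx, cy in clicks:
        for b in keypad_as_captured:
            if b.x <= cx < b.x + b.w and b.y <= cy < b.y + b.h:
                out += b.label
    return out


BANK_HOSTS = {"onlinebanking.example-bank.com"}  # constructed target list


def worth_recording(url: str) -> bool:
    """The 'sifting' described above: only sessions with the targeted bank are
    captured, so the drop server receives login exchanges, not screen noise."""
    return urlsplit(url).hostname in BANK_HOSTS


def demo() -> dict:
    session = render_keypad("3905128764")  # layout drawn in this session
    stale = render_keypad("0123456789")    # layout from an earlier session
    keys, clicks = customer_logs_in(session, "alice", "4071")
    return {
        "keylogger": keylogger_view(keys),
        "clicks_with_screen_capture": click_logger_view(clicks, session),
        "clicks_with_stale_layout": click_logger_view(clicks, stale),
        "records_bank": worth_recording("https://onlinebanking.example-bank.com/login"),
        "records_news": worth_recording("https://news.example.com/"),
    }


if __name__ == "__main__":
    print(demo())
```

The keylogger recovers the typed username but nothing of the PIN; click coordinates mapped against a layout from an earlier session yield garbage, which is why shuffled keypads were thought to help; the same coordinates mapped against a capture of this session's screen yield the PIN exactly. The host check is all the "sifting" needs: it turns a stream of screenshots into a short list of banking logins.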
"We've seen a server that has in the neighborhood of 1,200 accounts [screen captures] uploaded for a single bank. Of all the images captured, most only captured keystrokes when the banking site was accessed," Hubbard said. "Websense discovers a new Trojan program that can do screen captures about every two weeks," he added.
The Anti-Phishing Working Group (APWG) identified 170 new pieces of key-logging software, which it terms "crimeware," in recent weeks. Only one or two percent of those programs have screen-capture features, said Dave Jevans, chairman of the APWG. This can be downright scary stuff!
So, is phishing a problem at your company? How about with customers using your products? Are there any anti-phishing solutions that we should know about?
We at TPAtlanta invite you to write us and to tell us about your knowledge of these kinds of security solutions so that we can track and share the progress being made in the transaction processing industry.
Thank you!
Calvin D. Johnson, Publisher
publisher@tpatlanta.com
Trans Atlantic Systems, Inc.