The Fraud Blog with Tracy Kitten

A New Angle on Phishing

Banking, Security Groups Launch Anti-Fraud Initiative
A New Angle on Phishing

This past December, researchers at security firm GFI Software discovered targeted phishing attacks aimed at accountholders at Chase Bank and Barclays.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

Just weeks earlier, the Federal Bureau of Investigation issued a warning about a new Zeus malware attack targeting commercial bank accounts, ultimately leading to incidents of corporate account takeover. The Zeus variant used is called Gameover, which defeats several forms of dual-factor authentication and is delivered via phishing attacks. [See FBI Warns of New Fraud Scam.]

These are just two of the most recent examples of phishing attacks against consumer and commercial banking customers. How bad is the phishing landscape? According to the Anti-Phishing Working Group's Phishing Activity Trends Report, which reviews the first six months of 2011, banks and other players in financial services continue to be the organizations most often targeted by phishing schemes. Nearly half of all phishing attacks waged during the first half of 2011 targeted the financial sector. Another 26 percent targeted payment services.

Spear phishing, or targeted phishing schemes, are the industry's most concerning phishing trend, the APWG says. "These are hyper-focused, often personalized phishing attacks directed against specific company executives, IT personnel and management personnel with corporate treasury authority and/or access to company online bank accounts," the APWG report states. "These e-mails tend to evade spam filters, unlike the broad-based consumer phishing e-mail campaigns. The spear-phishing e-mails either contain an attachment that can infect the recipient's computer with sophisticated financial malware, or contain a link to a website that can infect the recipient's computer with financial malware and Trojans."

A New Approach

We can't stop the phishing attempts. Executives at BITS and FS-ISAC have accepted that fact. And now they're trying a new approach.

BITS, the technology policy division of The Financial Services Roundtable, and the Financial Services Information Sharing and Analysis Center have announced the launch of the Trusted Email Registry. The registry collects information about e-mail traffic from Internet service providers and then offers domain-specific reports about trusted and non-trusted international domains financial institutions can review.

The service aims to provide banks and credit unions with standardized reporting that's easy to understand.

Andrew Kennedy, who's overseeing the new e-mail service for BITS, says enhanced e-mail monitoring is the only way to address online security.

"BITS has been working on e-mail security and e-mail authentication for years," Kennedy says. "One of the biggest drivers from our end has been the phishing attacks that have become more sophisticated over the last few years."

The Root of Phishing

These two organizations are working to take online security in the banking space to the next level. Rather than focusing on the impossible task of how to stop phishing, they've instead chosen to hone in on getting to the root of phishing.

By having banks track phishing attacks back to their hosts, BITS and FS-ISAC are asking institutions to look beyond simple blocking.

The registry approach will have to prove itself over time - granted. But it represents a revolutionary approach, at least for the financial industry.

Phishing is a serious issue for banks, credit unions and their customers. It's time for the industry to tackle it seriously.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.