Don't give away your brand
Don't give away your brand

With phishing attacks on the rise, banks must take more precautions, argues Ian Castle.

Recent research by APACS, the association representing the UK's bank payments industry, has confirmed what we in IT security already know: phishing attacks are increasing at a dramatic rate. However, its research also reports that online banking fraud in the UK increased to £22.5 million in the six months ending in June 2006 – a 55 per cent year-on-year rise.

Phishing attacks aim to obtain a victim's personal details, from bank account information, user names and passwords to key personal data such as mothers' maiden name. As well as an increase in volume, the sophistication of phishing attacks is also growing, along with the number of organisations (banks, online payment systems etc) being targeted.

What makes phishing of particular interest is that, although the countermeasures are often technical, the attack itself is directed at an individual rather than a device. That makes managing the risk much harder.

Once a user has clicked on the link, they are taken to a website that replicates the actual site – often keeping the same security warnings as the original. The details entered, together with the IP of the user's machine, are then emailed to an account at one of the free email hosting companies, where they can be retrieved by the attacker.

Countermeasures often focus on the most obvious point of the attack: the email itself. There is a wide range of anti-phishing systems for email clients, servers, gateways and, of course, web browsers.

As a phishing email is a social engineering attack, much more can be done to reduce its impact. Target organisations need to take care when communicating with their customer base. It would be encouraging to see marketing departments working with information security when designing campaigns. We've probably all received an email from our bank, from an odd address, asking for a market research survey to be filled in. This is conditioning people to respond to requests for information from an address and website that have no obvious relation to the bank itself. A particularly bad example is one well-known online bank that sends out an email every time a customer's statement is ready – with a link to click on. We've recently observed phishing emails exactly duplicating this legitimate email. People pay little attention to the common and expected, so this attack has a good chance of success.

Another element used by the attacker is the fake website. These fall into three main categories. The first is websites hosted by phishing- friendly ISPs – often located in China or Korea. These sites use the same IP address over and over again, each time with a different domain name. For each attack, a new domain name is registered with a wildcard DNS entry, so that any name in that domain will resolve to the IP address; for example, The most promising place to stop this is at the domain registrar.

The second category is websites hosted on a home PC, compromised through a Trojan delivered by email or downloaded from a website.

The third is compromised sites. Whether through flaws in the site design, hosted sites with well-known or guessable administration password or vulnerabilties in common items of middleware, an attacker is able to upload their phishing site.

Phishing emails commonly use signatures and/or logos to make their attacks more effective. Unfortunately, the web provides a readily available source for both. A simple search on Google such as inurl:signature.gif filetype:gif will find hundreds of example signatures. Any organisation vulnerable to phishing attacks should police the use of their logos. You can employ the same techniques the attackers use to locate these resources and then take appropriate action.

All those involved in website design or security reviews, should consider appropriate use of third-party images. This may include checking access logs, looking for items with a high hit rate, or simply renaming images so that they cannot be readily found in a Google search.