Phishing -- Can it happen at your institution?
Phishing -- It's not a matter of if it will occur at your institution -- expect phishing to happen at your institution. Phishers are not dumb. They head toward where the money is: in the customer accounts at banks and credit unions.
So what does a typical attack look like? First, the attackers swoop in and use a botnet to force the bank's online site offline (a Distributed Denial of Service attack is one method used). Then they send out the phishing lines to thousands of unsuspecting internet users, most of whom aren't even customers of the bank. The average phishing web site is only up for a matter of days, netting the phishers money that they then transfer out of accounts at U.S. banks into overseas accounts. By the time law enforcement catches up to the overseas accounts, the phishers are long gone, with only a trail of IP addresses to follow.
Can it happen to your institution? And more importantly, what are you prepared to do if it does? Ask Alan Smith; he'll tell you that he thought his bank was prepared, but found out otherwise. Bank Information Security Officer Alan Smith (not his real name) was interviewed by BankInfoSecurity.com about two recent phishing attacks that his West Coast bank suffered last year. "It was like watching a train wreck in slow motion," Smith said of the phishing attacks, which occurred over a three-month period. "There was very little we could do about how they attacked us," he said. His bank's website is hosted by an outside service, whose other customers were also knocked out of service over a five-day period.
After the attacks, Smith was determined to find out whether other banks faced the same threat, so he began calling other banks in his area. The other banks Smith talked to had "such an air of arrogance. They don't believe it will happen to them." Smith explained that he now knows differently. "If a fraudster is setting your bank up for a phishing attack there isn't a whole lot you can do to prevent them from attacking you." In the case of the attack against Smith's bank, which has more than 10 branches, the phishers sent out mass emails after the bank's website had been taken offline by the DDoS.
Smith's bank had been taking all the right actions: it has a team of speakers who routinely address local groups on safe banking practices, and it provides information security best practices in a quarterly security awareness newsletter sent to customers. "We were doing everything we could to inform our customers about safe banking and information security awareness issues. The regulators were happy with what we were doing." But as Smith lamented, "It was all pretty fruitless, because the phishers are attacking a business built on trust. It only takes 4 or 5 customers who receive a phishing email to respond to it, and there goes our trust and credibility out the window."
While no losses from the phishing attack were reported, Smith said, "We all know that some people don't check their bank accounts every day, so had someone responded to the phishing email, they could have been wiped out."
The bank experienced two separate phishing attacks over a three-month period. The first was limited in the effort the attackers put into it. The entire attack, including shutting down the website hosting the phishing site, took only a few days to stop.
The second attack, which was described by one computer expert as "one of the most vicious he'd seen," Smith said, was much more focused and aggressive. The morning began with a Distributed Denial of Service attack against the bank's public website from 80-100 IP addresses. "This blocked our host site, and knocked them offline. The attacking IP addresses kept changing, and the administrator of our host site, suspecting a botnet, tried to reverse the attack by 'mirroring,' or pointing the attack back at the attacking IP addresses."
While this did nothing to stop or even slow the attack, because the IP addresses kept changing so quickly, the bank's website host managed to move the bank's website to a new internet address and eventually had the fraudulent websites shut down. Local law enforcement was called in and a report was made to the FBI. "The local police wanted to know what happened, and what steps we took to stop the attack. They didn't give us much help in tracking down the perpetrators. They weren't prepared to respond to this type of electronic crime." The bank's reputation in the community also took a hit when the story made the local television news. "I was interviewed, and although we told them that we had suffered no losses, and provided background on what steps we took to stop it, the headline was 'local bank hit by phishing.'"
Smith has a staff of two: himself and one other security analyst dedicated to information security for the bank. The bank will soon offer two-factor authentication to its online customers. One thing that surprised Smith was the response he received during and after the phishing attack. "I must have received more than 100 emails during the last attack from local, national and international email addresses, most of whom were helpful. Most said, 'FYI – this looks like a phishing attempt.'"
Botnet: A botnet is a group of Internet-connected computers that have been taken over by hackers without their owners' knowledge. These "zombie" computers are set up to forward transmissions, including spam or computer viruses, to other computers on the Internet.
Distributed Denial of Service (DDoS): A DDoS attack occurs when a large number of compromised computer systems attack one target, denying service to the website's regular, legitimate users. The attack floods the target system with incoming messages and can force it to shut down, thereby denying service to legitimate users.