Phishers Try New TacticsMarch 8, 2008 – 5:58 PM
Phishing is hooking more victims as the e-mail fraud attacks become more sophisticated and prevalent.
According to market researchers at Gartner, the number of phishing e-mail recipients has grown 28 percent in 2005. Because fraudulent e-mails negatively impact consumer confidence, the research firm’s recent study predicts phishing and other security breaches will inhibit three-year U.S. e-commerce growth rates by 1 percent to 3 percent.
Evidence of the growing cunning of the attacks came Friday from threat protection vendor SurfControl, which said it discovered a new “Secured Phishing” technique capable of displaying the trusted padlock security icon on a fake site.
SurfControl rated the new phishing method as high risk because the padlock icon displayed at the bottom corner of a browser is a widely accepted symbol of a safe and secure Web site.
The “Secured Phishing” method uses self-signed digital certificates to use the HTTPS security protocol, which triggers the padlock icon, on spoofed Web sites. Typically, Secure Sockets Layer digital certificates are issued by a certificate authority. Windows generates a warning when it encounters a self-signed certificate, but many Web users don’t understand the warning or ignore it, according to SurfControl officials.
To protect against the new phishing method, individuals visiting financial sites that ask for personal information should look for a valid SSL certificate issued by a Trusted Certificate Authority. These sites will not prompt an alert dialog box, according to SurfControl.
Stepping up the technology fight against phishers, e-mail security company Iconix this week rolled out visual e-mail identification software to help Web users identify trusted e-mail senders. The company also introduced the Iconix Truemark service, which allows businesses to mark their e-mail messages as secure.
To combat phishing, technology solutions need to go beyond authentication, said Lance Tokuda, chief technology officer and vice president of engineering at Iconix.
For example, “Yahoo Mail already does domain key authentication, but you can’t tell what’s authenticated,” he said.
Iconix displays a businesses’ real logo on an e-mail message, which provides consumers with a visual indication of a legitimate e-mail.
“For Iconix to display an icon next to a message, the sender’s logo has to be a registered trademark,” Tokuda said. “This is not something that phishers can spoof.”
In particular, the mapping between the e-mail address and the logo is not spoofable, he said.
“If you are not a real business the identity call will fail,” said Jeff Wilbur, vice president of marketing for Iconix.
Iconix technology supports both the Domain Keys and SenderID authentication standards.
The Iconix e-mail ID software will be available for many popular e-mail formats. It now supports Yahoo Mail and Microsoft Internet Explorer. In coming weeks and months support for Hotmail, Outlook and Outlook Express will be added. Support for Firefox, Gmail, Comcast, Earthlink, and AOL is also planned.