Print Edition
      December 2007

Be gone phishing

By Richard DeBruyne and Denis Posten
Illustration: Blair Kelly

Just when you think you’re too smart to get taken by net fraud, the next great generation of attacks is on its way

The incidence of Internet-based fraud is not new but it is rising at an ever-increasing rate. One such scam plaguing the world of e-business and technology is phishing. Despite its cute name, it is a mean-spirited racket perpetrated by international rings of organized criminals and is a multibillion-dollar crime that continues to grow despite awareness and attempts to stop it.

Phishing is a type of e-mail that looks like it comes from a legitimate supplier, asking the user to update personal and financial information. In fact it is an attempt to obtain someone’s personal information, which can then be used to access a bank account or credit cards, or to impersonate that person for other purposes.

It is easy to think the people caught up in these nets must be a bit short of a full deck. Would anyone honestly believe he or she has won a South African lottery or inherited millions from a long-lost or unknown relative? Who in their right mind would click on those spelling-error-filled links and follow up by providing the bank account numbers, credit card numbers, PINs and personal information these scams ask for? Yet phishing attacks are still arriving by e-mail, in many varieties.

Although phishing has been around for more than a decade, today it is more complicated. Criminals have taken it to the next level by using advanced technology. Their goal is to circumvent the mistrust of online activity by aligning scams to our high standards and expectations.

Attractive phish
If you think you can spot a fake website, you’re deluding yourself. Fake websites have become technically proficient and aesthetically correct. It may be virtually impossible for you to distinguish a real site from a fake one. Sophisticated software tools, such as the Rock Phish Kit, allow criminals to exactly duplicate the look and feel of legitimate websites with very little effort.

A few tweaks to the original code produce a site that has every function of the original and can even pass requests through to the real site. That way, when you want to look up the branch locations for your bank, the information is there. However, a few key functions of the fake site will have been altered to capture your financial information and ship it off to the criminal.

Don’t get hooked
Knowing that Internet users can be wary of scams, phishers may personalize their attacks using stolen or available personal information to target their victims. This “spear phishing” provides a false sense of authenticity because the scammer knows something about the person.

Another method is to hijack trust relationships that already exist. The largest well-known search engines have experienced incidents where criminals either paid for advertising links or manipulated their ranking so they could draw people to illegitimate websites designed to steal credit card numbers and other information.

Also, legitimate websites have been compromised and have had their advertisements or other content-specific links altered. This way, a trusted site can turn bad without any warning and without its operators knowing about it. Again, links that have been inappropriately altered become a source of misdirection, leading a user to a fake site that captures his or her personal information.

What can you do to protect yourself? Develop a healthy mistrust of links to websites. If you are going to a site to conduct e-commerce or provide private information, always carefully enter the URL yourself or use a bookmark you have carefully created. The bottom line is that any link online should be suspect.

Phishing technicalities
Links are not the only avenue phishers use to get you to their illicit sites. The Domain Name Service (DNS) is often the target of attackers. DNS is the facility that translates the host name in the URL you type into your browser into a real Internet address. (When you enter www.cra-arc.gc.ca, DNS looks up the Internet address 198.103.185.14.) If criminals are able to contaminate the DNS lookup process they can send someone to any site, regardless of the URL typed in.

There are several ways for fraudsters to do this. The first is to use malware to alter someone’s computer settings. Malware is, basically, a piece of code written to compromise a computer without its owner knowing it.

There are several places where a computer is potentially vulnerable to a malware attack. One is the DNS configuration in the TCP/IP settings. In the network settings of a PC there is an option to specify the address of the DNS server the computer (and therefore the browser) uses. Malware could insert a fake DNS server address and thus put the user at the mercy of the bad guys every time he or she uses the browser. The fake DNS server could direct someone to a fake bank site even though the correct URL was entered.

Another way to direct someone to a fake site is for malware to add specific translations to the local “hosts” file, which all PCs have. If an address translation appears in the hosts file, the computer will use it and forgo the DNS lookup. If the hosts file is poisoned by malware, the user could be directed to a fake site even though the correct URL was typed in.

Another form of DNS attack is commonly referred to as a “pharming” attack. It focuses on the DNS configurations of wireless networks. Criminals will “drive by” neighbourhoods looking for poorly configured wireless networks. When they find one that employs a router with no password or a default password, they simply log in and change the DNS server settings to point to another poisoned DNS server.

In these DNS poisoning examples, criminals deploy their own illegitimate DNS server with address translations fixed to direct specific URLs to fake websites. In another, but rare, type of DNS attack, the fraudsters attempt to poison a legitimate DNS server by changing the address translations for everyone who uses that server. Fortunately most DNS managers are aware of the risks of having their servers compromised. As a result, users will generally find a hardened security posture in place to protect them, and such compromises are rare.
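The two machine-level tamperings described above, a poisoned hosts file and a swapped DNS server address, leave traces a defender can check for. The following is an added example, not the authors' code: it audits hosts-file text for public names pinned to fixed addresses and compares configured resolvers against a trusted list. The hosts-file contents and all addresses are constructed; the trusted list stands in for whatever a reader's ISP or administrator actually issued.

```python
"""Audit a hosts file and resolver settings for DNS tampering (added example)."""
import ipaddress

# Constructed hosts file: stock loopback entries plus one injected bank redirection.
SAMPLE_HOSTS = """\
# stock comment line
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.example-bank.com example-bank.com   # injected by malware
"""

# Names that legitimately live in a hosts file on every machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def hosts_overrides(text):
    """Return (ip, name, reason) for entries that bypass DNS for a public-looking name."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        # Loopback mappings and local-only names are normal; anything else is suspect.
        if name in LOCAL_NAMES or name.endswith(".local") or addr.is_loopback:
            continue
        findings.append((ip, name, "public name pinned to a fixed address"))
    return findings

def unexpected_resolvers(configured, trusted):
    """Return configured DNS server addresses that are not on the trusted list."""
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    return [c for c in configured if ipaddress.ip_address(c) not in trusted_set]
```

On a real machine the hosts file is read from its platform path and the configured resolvers from the network settings; both functions then run unchanged over that input.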

Fight phishing
With a heightened awareness of phishing and behaviour modified to reduce the chances of getting phished, how can people thwart the technical tricks used by criminals?

First, use an up-to-date browser that has a built-in anti-phishing capability. These products examine the links presented on the Internet and attempt to warn a user if they identify anything out of the ordinary. Most of these newer browsers can look up the presented hyperlinks and compare them against extensive databases of known or suspicious phishing sites. These browsers are a valuable asset that provides an added layer of protection.

Next, make sure your computer is up to date in its technology. Apply all known patches to your system including operating system security and integrity patches, patches for your Web browser and for any other software that interacts online or may present exploitable vulnerabilities.

The purpose of some phishing attacks is not only to gain access to confidential financial or credential information but also to push malware to someone’s machine so it could be used as a back door to information. Remote control systems, keystroke loggers and communications software for directing spam or Internet relay chat (to send your information to the bad guys) are examples of such malware. Ensure your machine is properly protected to thwart such attempts. Check reviews and purchase the best available malware protection system you can find. It should include comprehensive virus protection, spyware protection and a robust firewall. Then, keep these tools up to date and use them.

Heed error messages or warnings from these products. Many people are too quick to click OK before they understand the importance of the message. These messages can inform of potential problems such as unrecognized certificates or inappropriate links. All are significant clues that can help keep a user safe.

If you run a wireless network, change the password on your wireless router and use the strongest form of encryption you can. (Encryption protocols from weakest to strongest are WEP, WPA, WPA2. If you have older devices on your wireless network you may have to purchase new wireless adapters to use the stronger forms of encryption.)

Finally, make life a little more difficult for criminals by reporting suspected phishing attempts to agencies that monitor and help police the Internet. There are a number of reputable organizations that serve this function. One example is http://www.castlecops.com. On that site you can go to the page PIRT/Fried Phish to report the phishing site.

More to come
Phishing has become an industry on the Internet and it has advanced along with the technology and skill sets available to it. With all of the advancements in this area it would be foolish to assume that we are too smart to be caught in the net. The next generations of these attacks (Phishing 2.0) are appearing online and they represent an entirely new set of problems. Beware.


Richard DeBruyne, CISA, CISM, ISP, is senior manager with Grant Thornton LLP in Calgary.

Denis Posten, CA•IT, is partner with Grant Thornton LLP in Calgary.

Technical editor: Yves Godbout, CA•IT, CA•CISA, director of IT services, Office of the Auditor General of Canada