In-Depth

Combating Phish: Education is Still Key

Technology isn’t the only answer to tackling this "tricky" vulnerability

• By Chris DeVoney
• 09/18/2007

For several weeks, this column has covered organized cybercrime and particularly phishing. There is still much more to be said because phishing represents one of the largest IT security risks to individuals, enterprises, institutions, and government agencies.

Phishing gets everyone. The immediate victim is the individual whose identity and funds are stolen. Another victim is the owner of the computer which becomes boggy and unresponsive as the device spews spam or runs a malicious website. The defrauded merchant, financial institution, or agency responsible for making good on the transactions are other victims. You might also chalk up the rest of us as victims who wade through flotsam in our e-mail boxes every day.

The Anti-Phishing Working Group is a global nonprofit of industry and law-enforcement interests. Peter Cassidy, the group’s Secretary General, highlighted the current trends from one of the groups’ rolling reports available at its Web site.

The reported figures for the targeted industry sectors were most surprising:

• ISPs: 0.7%
• Retail: 1.4%
• Government and Miscellaneous:2.7%
• Financial Services: 5.2%

As the old saw says: thieves go where the money is. I vaguely remember the first few phish I saw—all concerned large banks. I recall then seeing an obvious undirected phishing attempt disguised as a SunTrust Bank message. The nearest branch to my home was an eight-state, 29-hour non-stop drive at interstate speeds. That message demonstrated that felons can be profitable with a minuscule response rate when you send millions of e-mails at virtually no cost.

Cassidy reports the mix in that financial sector is changing with more brokerage and mutual fund names entering onto the stage. Part of the change may be because the public is more alert to phish associated with banks but less wary of threats using other financial institutions. Also, our increasingly older workforce puts more money into less-guarded investment and mutual fund accounts than in bank or credit card accounts.

The change represents a threat to consumers but is a thorn in the side of business. Although any loss is usually absorbed by businesses, consumers legally have limited exposure for credit card and bank account fraud. The same protection doesn’t extend to brokerage or mutual fund accounts. These financial institutions, if exercising due diligence, have no legal obligation to reimburse customers for loss. A loss of such magnitude, , several thousand on a credit card versus potentially hundreds of thousands for brokerage/funds accounts, can devastate both consumers and businesses.

Another shocking reminder is that the United States is the number one host country for Web sites used in phishing attacks (38 percent) and destinations to which illicit keystroke loggers report (48.2 report). In many cases, those are sites co-opted by outsiders through security loopholes and the felons calling the shots are not necessarily within the United States.

For phishing Web sites, the next four notable countries are the Republic of Korea (10 percent), Poland (6.88 percent), Russia (6.55 percent), and Bangladesh (4.03 percent). For sites where phish-installed keystroke loggers report, China (12.73 percent), Russia (12.19 percent), Italy (9.52 percent), and Brazil (4.6 percent) are the next four countries in line. The rest of the top ten are available at the APWG Web site.

The entire list almost makes a strange kind of sense. One needs a large, powerful infrastructure and/or locations where law enforcement can’t keep up with the flow.

Lorrie Cranor, director of Carnegie Mellon University’s Center for User Security and Privacy Labs (CUPS), is extensively involved in examining "trust decisions," whether to open an e-mail or follow a link. Although trust decisions are mainly a consumer issue, it affects customers, businesses, and their employees who are also consumers.

Her opinion of current anti-phishing technology solutions is not very high. Last year the labs ran tests of several competitors's proposed solutions and felt none was adequate. The top automated filtering solutions screened out about 80 percent of the phish and the worst performers were in the teens. Obviously, 80 percent isn’t good enough.

Technology, however, cannot be the only solution. Cranor states, "We’re looking at the various [anti-phish] approaches and it’s an arm’s race. It is unlikely the technology is ever going to achieve a 100 percent perfect solution. So a hybrid approach where the technology removes as much phish as possible seems likely, but the population must be educated so they are less likely to fall for the remainder."

That leaves user education. Cranor acknowledges that no one wants to invest even five minutes learning computer security. In a study, she found that people responding to a set of e-mails ignored an e-mailed anti-phishing warning given before or during the session. However, when a "fake" phishing message directed users to a cartoon instructing them how to avoid phish, the rate of being tricked by the phishing message dropped over 90 percent. An effort is underway in the lab to make that finding something usable by corporations and institutions.

One of the tools also developed by CUPS is Anti-Phishing Phil, a game that teaches people how to avoid phishing. You can play the game at http://cups.cs.cmu.edu/antiphishing_phil/quiz/index.html. Cranor reports that every few weeks she gets a call from big companies and government agencies wanting to use the game for its employees.

We both agree that, like driver’s education, computer security education needs to be mandatory in high school, and we even speculated that it should be part of the curriculum as early as fifth grade. For now, corporations need to change their mindsets and educate their consumers and employees.

On October 3 and 4 in Pittsburg, the APWG’s second eCrime Researchers Summit will assemble academic researchers, security practioners, and law enforcement officials tackling phish and similar subjects. I hope those bright minds produce some good news. Given the upswing in phishing attacks, we all need it—business and consumers alike.