Phishing

New online fraud and phishing phenomena:
security strategies and best practices
Luigi Brusamolino, CISM, LA BS7799
Symantec
Milan, 28 January 2005
AGENDA
• Some general data (ISTR)
• New online fraud phenomena: ‘phishing’
• Characteristics of ‘phishing’
• The most affected sectors
• A protection strategy
• The value of knowledge
• The role of associations
SEMINARIO AIEA
Symantec Security Services
• Largest Information Security Company
• Technology-neutral security consulting arm of the world’s leading Internet security company
• Delivering security consulting services to corporate, government and educational institutions
• 5 SOC worldwide (BS7799-2 and SAS 70 type II certification)
• More than 1500 security specialists, analysts and consultants (CISM, CISSP, LA BS7799) in Symantec Global Services and Support (GSS)
  – Support, Symantec Response Lab, MSS, DeepSight, Brightmail BLOCs, Security Consultants
• ‘Pure security consultancy company’ acquisitions (@stake, Lyric)
• Member of ISF (Information Security Forum)
Symantec Internet Security Threat Report
• The Symantec Internet Security Threat Report, compiled every six months by Symantec analysts, is the most comprehensive analysis of current Internet security trends.
• Based on one of the world’s largest sources of security data:
  – 700+ Symantec Managed Security Services customers
  – 20,000 sensors worldwide monitoring network activity in 180 countries
  – 120 million client, server, and gateway antivirus systems
  – 10,000-entry vulnerability database
  – Provides a comprehensive view of what the state of Internet security looks like today.
Symantec Intelligence Network (map slide)
Legend: Symantec Response Labs; Symantec Monitored Countries; Symantec Security Operations Centers; Brightmail Logistic Op. Ctr.
Over 25,000 DeepSight Data Partners, from over 180 Countries
Locations shown: Calgary, Canada; American Fork, UT; San Francisco; Redwood City, CA; Santa Monica, CA; San Antonio, TX; Tokyo, Japan; Taipei; Sydney, Australia; Dublin, Ireland; Waltham, MA; Alexandria, VA; Newport News, VA; London, England; Berlin, Germany
Attack Trend Highlights
• On average, organizations received 11 attacks per day, continuing a decrease that was observed over the two previous reporting periods. This represents a 15% decrease from the average between June 30 and Dec. 31, 2003, and a 27% drop from the Jan. 1-June 30, 2003 reporting period.
  Chart: attacks per day by period (ISTR version): Jan-June 2003 (ISTR IV), July-Dec 2003 (ISTR V), Jan-June 2004 (ISTR VI); y-axis 0 to 18; data labels on the chart: 15.3, 13, 10.6
• E-commerce was the most highly targeted industry. Almost 16% of attackers attacking e-commerce organizations were considered targeted attackers. This is up dramatically from the last six months of 2003, during which only 4% of attackers against e-commerce were considered targeted.
  Chart: percentage of targeted attackers by industry (E-Commerce, Small Business, Nonprofit, High Tech, Business Services, Financial Services, Media/Ent., Telco, Healthcare, Education); y-axis 0% to 18%; E-Commerce highest at 16%
Vulnerability Trend Highlights
• Symantec documented 1,237 new vulnerabilities from January 1 - June 30, 2004. This is a 5% increase over the 1,177 new vulnerabilities published during the previous six-month reporting period.
• On average, there are 48 new vulnerabilities per week or 7 per day.
  Chart: total documented vulnerabilities per six-month period, Jan-June 2001 through Jan-June 2004; y-axis 0 to 1,600; data labels on the chart: 680, 776, 1,472, 1,283, 1,305, 1,177, 1,237
• The average time between the public disclosure of a vulnerability and the release of an associated exploit is 5.8 days. During the previous reporting period, the average was 7 days.
• This indicates that exploit writers are becoming increasingly sophisticated. They are writing better exploit code faster, while at the same time requiring fewer publicly available vulnerability details to develop exploit code.
  Chart: days from disclosure to exploit, January to June 2004; y-axis 0 to 10; data labels on the chart: 7.8, 6.5, 6.2, 5.5, 5.1, 4.0
Spam statistics (chart slide)
Source: Symantec 2004
‘Phishing’ definition
Phishing is a form of online identity theft that uses spoofed
emails designed to lure recipients to fraudulent websites
which attempt to trick them into divulging personal financial
data such as credit card numbers, account username and
passwords, social security numbers, etc.
By hijacking the trusted brands of well-known banks, online
retailers and credit card companies, phishers are able to
convince up to 5% of recipients to respond to them.
The term “phishing” was coined as a phonetic synonym in
hacker jargon for a crime that lures people as they “fish” for
sensitive personal data.
What is email fraud?
Deceptive email designed to defraud the recipient

Email Fraud                      Spam        Brand Spoofing   Phishing
Tactic                           Spoofing    Brand Spoofing   Phishing
Deceptive headers                Yes         Yes              Yes
Deceptive body content           No          Yes              Yes
Request personal information     No          No               Yes
(PIN, SSN, credit card, etc.)
Examples:
  Spam: Looks like it comes from “Big Bank,” but then tries to sell herbal Viagra
  Brand Spoofing: Looks like it comes from “Big Bank,” and then tries to sell “Big Bank” loans
  Phishing: Looks like it comes from “Big Bank,” and then asks you to verify your account number and SSN#.
Why phishing works
• Phishing is easy to commit.
  – Spam is economical to send.
  – Anyone can build a look-alike web site.
• Fraud is more sophisticated.
  – Recipients don’t always look at URLs—plus, they can be obscured.
  – People are now suspicious of attachments, but not URLs.
  – Online fraud is getting more sophisticated, so even “expert” users get fooled.
• Email is not secure.
  – Doesn’t validate the purported sender.
• Business has not adapted quickly enough.
  – Email addresses and URLs lack consistency.
  – Customers are insufficiently educated.
Strong negative impact on brand
• Fundamentally affecting customer trust (57 million email with phishing attack ... phished)
  – Threatens future of online channel
  – Negatively impacts brand
  – Fuels money laundering
APWG – Report, January 21st
Brands named in the report: eBay, Citibank, PayPal, Fleet Bank, Barclays, AOL, Westpac, Visa, Bank One, EarthLink, ANZ, HSBC, Lloyds, US Bank, Yahoo, AT&T, Chase, E-Gold
Australia has been the early attack point since the first phishing attack was seen in August 2003.
• Skyrocketing customer support costs
• Undisclosed fraud losses
• Jeopardizing future growth
Financial Inst. and e-commerce sites under attack
• Financial services is the most targeted industry sector for phishing attacks
  – Highest number of attacks
  – Most companies affected
  – One bank saw attacks surge by 170% in May
• “More than 50% of all hack attacks last year were initiated in the financial sector.” — Rep. Mac Thornberry, Chairman of the Select Homeland Security Committee’s Cybersecurity Subcommittee, 26 July 2004
  Chart: Phishing Attacks by Industry Segment, monthly from Jan-04 to May-04, segments Fin Svcs, Retail, ISP and Misc; y-axis 0 to 1400
Source: Anti-Phishing Workgroup Report, January 2005
The actual scale of e-mail Phishing
• An email phishing attack involves the distribution of many millions of e-mails at random
• Only about 1 in 1000 of these e-mails will reach a customer of the targeted organization
• 15% of customers who actually receive the emails click on the link and go to the spoof web site, and about 4% will lose money.
• The average loss per single phishing attack is $1,200, but the total loss estimated (2004) is $1.2 billion
The effects of phishing:
• Business impact on brand
• Customer confidence in the internet banking channel
• Regulatory compliance
Anatomy of a phishing attack (sequence of diagram slides)
Source: Gartner First Take, May 4, 2004
Recent Phishing attacks
• 19-01-05 - TCF Bank - 'TCF express checking card alert'
• 14-01-05 - Paypal - 'New email address added to your account'
• 12-01-05 - Citizens Bank - 'Important Online Banking Alert'
• 11-01-05 - eBay - 'Account Verification'
• 10-01-05 - AOL - 'You've Got (2) Pictures@AOL.com'
• 07-01-05 - KeyBank - 'Keybank Internet Banking Account Suspension Notice!'
• 23-12-04 - AOL - 'Verify your account'
• 22-12-04 - U.S. Bank - 'Customer Service'
• 21-12-04 - VISA - 'Notice from VISA'
Take a proactive approach to minimize risk
• Gets as far upstream of the problem as possible
• Addresses many aspects of the problem
• Protects your enterprise and your consumer
• Enables you to be more proactive so you can anticipate and prevent problems at all levels
• Reduces cost and complexity of online fraud management
• Prevention is always better than reaction
• Educates customers
• Assesses their defenses
• Protects their desktops
Symantec Anti-phishing methodology
SYMANTEC ANTI-PHISHING PROGRAM METHODOLOGY
1. Phishing Analysis & Business Impact
   1a) Taxonomy and description of the phenomenon
   1b) Threat/Vulnerability Model
   1c) Business Impact Analysis
2. Strategy & Options Development
   2a) Inventory of available solution sets
   2b) Organizational strategies and initiatives
   2c) Industry and institutional initiatives
   2d) Strategic plan
3. Countermeasures Implementation
   3a) Proactive solutions
   3b) Security Awareness Program
   3c) Incident detection & response
   3d) Cooperation (industry, organizations)
4. Dynamic Monitoring & Evaluation
   4a) Risk Monitoring / Security Dashboard
   4b) Key Performance Indicators
   4c) Anti-phishing Improvement
Prevention
• Blocks the majority of fraudulent emails at the ISP
• Utilize a third-party service for fraud and phishing detection
• Real time monitoring (24x7) of your security infrastructure
• Ensure your company owns all the different permutations of its domain name (e.g. www.bnacaxx.it)
• Customers can’t be phished if they don’t get the email
• Early warning and alerts of fraudulent attacks allow you to:
  – Begin the internal incident response process
  – Shut down the site/IP addresses
  – Collect evidence for prosecution
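Two of the points above (recipients do not check URLs, which can be obscured; and the need to own the permutations of your own domain name) can be checked mechanically on reported or inbound mail. The following is an added example, not code from the presentation or from Symantec: it pulls the links out of an HTML mail body and flags the userinfo-before-host trick, raw-IP hosts, anchor text that names a different domain than the href, and hosts within edit distance 2 of a protected brand domain. The brand domain bigbank.com, the sample mail body and the 203.0.113.5 address are constructed for the example.

```python
import re
from urllib.parse import urlsplit

BRAND_DOMAINS = {"bigbank.com"}  # constructed: the defender's own protected domains
# Constructed sample mail body: two deceptive links, one legitimate
SAMPLE_HTML = """<p>Dear customer, please
<a href="http://www.bigbank.com@203.0.113.5/verify">verify your account</a>.
Or use <a href="http://bigbnak.com/login">http://www.bigbank.com/login</a>.
Help: <a href="https://www.bigbank.com/help">Help Centre</a></p>"""

# Good enough for the sample; production code would use a real HTML parser
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def registrable(host):
    """Last two labels of a host: a naive stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; an adjacent transposition (bnak/bank) costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(href, text):
    """Return the deception indicators for one link (empty list = clean)."""
    parts, reasons = urlsplit(href), []
    host = parts.hostname or ""
    if "@" in parts.netloc:  # userinfo trick: the real host is what follows '@'
        reasons.append("userinfo-before-host")
    if IPV4.fullmatch(host):
        reasons.append("raw-ip-host")
    shown = re.match(r"https?://([^/\s]+)", text)  # anchor text written as a URL
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append("text-href-mismatch")
    for brand in sorted(BRAND_DOMAINS):  # near miss of a protected domain
        if registrable(host) != brand and edit_distance(registrable(host), brand) <= 2:
            reasons.append("lookalike-of-" + brand)
    return reasons

def scan_email(html):
    """Map every href in an HTML mail body to its indicators."""
    links = [(h, re.sub(r"<[^>]+>", "", t).strip()) for h, t in ANCHOR.findall(html)]
    return {href: check_link(href, text) for href, text in links}
```

The same edit-distance check, run against newly registered domains, gives the list of permutations the "own your domain name variants" point asks you to register or watch.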
Effective action in preventing phishing attacks
• Improve the authentication mechanism
• Early warning of threats and vulnerabilities
• Proactive and real-time monitoring (24x7) – MSS
• Online operations risk assessment
• Develop an incident response process
• Email filtering (anti-spam/anti-phishing solutions)
• Web application assessment / web security
• Implement a mechanism for reporting phishing incidents
• Notify law enforcement
User Awareness and Education
Be proactive with customer education and protection
• Educational content and assessment tools
  – Custom content about financial services security
  – Expert advice
• Help customers protect their PC
  – Offer online purchase of security products
  – Provide real time security alerts
Customer and Education awareness (image-only slide)
Prevention at the ISP (two image-only slides)
Catching the fraudsters (image-only slide)
Consumer education and protection (two image-only slides)
Prevention and protection (image-only slide)
Organizations and Working group (image-only slide)
Conclusion
• Phishing has a strong technology basis and is dynamic in nature.
• Sophistication of attack is growing (Trojan-based attacks are the trend).
• Phishing is an attack on customer trust in the brand.
• Enforcement is extremely difficult.
• Awareness and ‘end user security’ are fundamental.
No single solution is possible, and industry, association and government coordination is essential!
For further information
luigi_brusamolino@symantec.com
Tel. +39 335 8341019