Phishing: How to Help Protect Your Customers -- Interview with Dave Jevans of the APWG
In this exclusive interview, Dave Jevans, chair of the Anti-Phishing Working Group, discusses:
David Jevans is the Chief Executive Officer of IronKey, based in Los Altos, California. David is also the Chairman and Founder of the Anti-Phishing Working Group , the leading non-profit organization dedicated to eradicating identity theft and fraud on the Internet. The APWG has over 1,500 member companies and agencies worldwide. Membership is limited to banks and other financial institutions, ISPs, law enforcement agencies and security technology vendors. David has over 10 years of business experience in the Internet security industry, and has founded two high-tech startups, been through IPO, mergers and acquisitions.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is phishing, and we are talking with David Jevans, Chairman of the Anti-Phishing Working Group. Hey, David, it's good to catch up with you again.
DAVID JEVANS: Great to talk with you, Tom.
FIELD: From what I hear, things are awfully busy in your business, so I'm curious, given this state of the economy, what is the state of phishing against banking institutions these days?
JEVANS: Well, Tom, what we are seeing is when times get tough the cyber criminal community actually gets quite a bit more active, and we are seeing that really across the board in phishing attacks, also new types of malware that gets onto your computer and starts stealing your passwords and doing all kinds of nefarious activity.
So definitely seeing an uptick in phishing attacks and malware and also increasing sophistication and lots of attempting to use some of the situations with the banks right now as a ruse to trick people into giving out their passwords.
FIELD: Well that's interesting certainly because when I see IndyMac or Wachovia news about that all of the sudden my spam filter fills up with bogus notes from these institutions, and I've got to assume that is what lots of people are seeing.
JEVANS: That's right. We are seeing it against banks, we are seeing it against customers of insurance companies that have been in the news recently. So it is definitely something the scammers are using to try to trick people when they are a little confused or concerned.
FIELD: Now are there any new wrinkles on old tricks that you are starting to see emerge?
JEVANS: Well, we are seeing a little bit more sophistication around some of the holiday scams. We've been seeing email scams coming up pretending to be from FedEx and UPS where you've got an order confirmation for something you didn't actually order online, and those either take you to phishing sites or to sites that try to install malicious software on your computer. So there has definitely been kind of some new revolution in that side of it.
The other thing is there has been increasing spear phishing going on where the bad guys get your name and maybe part of your account number and your email address and then send you very targeted emails directly to you, and people tend to fall for those when it has their full name and some information about them.
Another wrinkle that we have been seeing is the use of social networks to spread phishing and also to spread messages that get people to click on them and then install malicious software on their computer.
So imagine for example, if somebody takes over your myspace account, and then they send emails out to all of your friends coming from you, so your friends naturally click on it and that email installs some software onto their computer that steals their passwords, and then they can start sending out the email from those people, so you can get very, very violent attacks that spread through social networks very, very quickly and that can install malicious software on hundreds of computers very quickly.
FIELD: That's funny that you mention that because that almost happened to me last week when I got just such a note from, believe it or not, a security executive on Facebook, and it was exactly as you described.
JEVANS: Yeah. There have been targeted ones, and some of them are more just widespread trying to get malicious software on as many computers as possible, and some of them are more targeted where they are going after security executives that perhaps sell into financial institutions, and so they actually are trying to get malware inside a financial institution through some of the social networking or spear phishing attacks.
FIELD: Boy, scary stuff. What do you find to be some of the most effective ways for banking institutions to help their customers to fight back?
JEVANS: Well, customer education is definitely one thing, and trying to do that a little bit in advance and giving people resources on your website when they log in, having information on the log in page that is always there about 'click here to learn about security' or warning there are fake emails, and it is best to do that in advance because if you wait until you have a big phishing attack, it is really to late, and then you are actually making the problem worse by sending an email to your customers trying to educate them.
So, we definitely advocate educating them early and educating them on the web page when they log in. We also, of course, are seeing a lot more deployment of stronger authentication technologies by financial institutions. Some of them for their higher net worth customers or for their wholesale customers are deploying authentication devices, which can make phishing not impossible, but can make it very, very difficult for the bad guys.
FIELD: Now Dave, I hear banking institutions saying all the right things about phishing right now, so I get the sense that they are making an effort to educate, but for those that maybe don't see this as an immediate concern, what are some of the warning signs that your institutions customers are being phished?
JEVANS: Well there are a couple of things that you can do as a financial institution. If you get phone calls in, sometimes you'll get one or two phone calls in saying 'hey, I got what looks like a phishing email,' and make it easy for people to submit that stuff via email to you so that there is a fraud or a spoof at your bank.com address so people can send it in. So don't ignore those early warning signs where you might get one or two people complaining. What you need to do is try to get a copy of the phishing email if possible and find out what is the ruse, what is the server that they are hosting it on.
Another thing that you can do is watch your email for what we call backscatter. This is when phishers send emails to bad email addresses that they bought off a spam list. They will typically put your bank's email address as the bounce-back location, so if you are monitoring your email servers and the bounce-backs that say for example, no such address, you can start to see when the phishers are testing a phishing kit. That is typically what is happening, these low volume reports, a little bit of backscatter on your mail server, and that is usually somebody doing a test.
And if they are doing a test, they are trying to find vulnerabilities in your site, and they are trying to find--basically set up the system, set up the phishing kits and find the response rate. That is when you need to get worried, and that is when you need to get serious because that can indicate that there potentially is a major attack coming.
In our experience, once the phishing kit has been created for your financial institution, it often gets combined with other phishing kits, so one phishing site might host the phishing site for five different banks, and typically once that starts it rarely goes away. They continue until you close whatever loophole it is where they are somehow able to monetize that, so definitely pay attention early on.
FIELD: You spoke a few minutes ago about the importance of educating consumers. What have you found to be some of the most effective ways to educate them?
JEVANS: Well, unfortunately educating the consumer is going to be a never ending task, and you will never educate more than about half of them. But effective ways are definitely, as we mentioned earlier, putting information on the log in page of your website, putting information once they've logged in, occasionally alerting them to that. Sometimes putting pictures of phishing emails and letting them know that hey they there are these fake emails and we don't ask you for information.
So visually showing what these sites look like and also being very, very clear and specific and simple. For example, we will never ask for your Social Security number is one very simple message, and just make sure that you never break that rule and that you don't sometimes have a marketing thing that asks for it.
So it's keeping the message simple and making it easy to access on the internet; these intend to be the best way to educate customers.
FIELD: Earlier in the year Dave we heard an awful lot about vishing, the voice phishing attempts. I am curious one, whether that has remained a prevalent trend and then two, as you are looking ahead into 2009, what are you seeing emerging as the top phishing trends that people ought to be aware of?
JEVANS: Well we have definitely been seeing an increase in vishing, or voice phishing. Vishing can be very effective because you are sending an email out with no links in it at all to bad websites, which means they typically will get through a spam filter and those will have a phone number saying there is an issue with your account, so please call this phone number. Then the people of course call the phone number and it is a site hosted on the internet, and they are entering in their account numbers and PIN numbers and things like that.
That has risen to about 1% of phishing, and it continues to rise. The Federal Trade Commission has done a great job creating an educational warning message that the phone companies can place when they take down one of these vishing numbers. So sometimes you might call one of these, and if the phone company has taken the number down, there is a really great FTC educational and warning page.
By the way, one other thing that we have also done at the Anti-Phishing Working Group is we have put together a landing page that educates consumers about phishing, and we encourage ISP's to point to it when they take down a phishing site, so that if consumers visit those sites they get a very consistent educational message.
So back to the emerging threats of 2009, we think continued vishing, definitely much more targeted attacks, so we do know that there are tens of millions of people's data floating around from different database breaches. That information can be used to create extremely targeted phishing attacks.
We also will continue to see an increase in very technically sophisticated attacks against financial institutions and other companies directly. These will be attempts to install malware inside of the companies, attempts to steal access credentials to get into company networks. One thing we are particularly worried about that recently cropped up are phishers sending email to technical contact of a domain registrar. So for example, if mybank.com is the website, the webmaster who controls that would be email@example.com, they will send emails pretending to be from the domain registrar saying your domain name is about to expire and you need to update it or update your contact information. That will get sent directly to the technical contact and if that person were to fall for it and login using their name and password, then the bad guys could basically take over an entire bank's website and email traffic and redirect it to their own sites. So that is something we are quite concerned about, and we have already seen some of that in the last couple of weeks against some of the major registrars. So definitely something to be concerned about and to be very wary of on the bank IT side of things.
FIELD: So there continues to be more scary stuff that we need to be worried about.
JEVANS: Yeah, and you know they continue to get more professional is really what is going on. They are taking more time to think through the scam, and they are thinking through how to use third parties, non-obvious systems like social networks, professional social networking systems, stolen databases, and so on.
So the threats and the attacks are going to be things that it is probably difficult for us to image at this point because they are working through some fairly sophisticated scenarios and there are clearly some of these attacks where people have planned it for many, many months and are patient about trying to get a big score.
FIELD: Well, Dave, let's keep in touch and as we get into 2009 please keep us apprised of the threats and we will do our best to spread the work to the banking institutions.
JEVANS: Thanks Tom, great talking with you today.
FIELD: We've been talking with Dave Jevans, Chairman of the Anti-Phishing Working Group. For Information Security Media Group, I'm Tom Field. Thank you very much.