Security Vendors Increase Antiphishing Initiatives

Two of the security sector's leading vendors have stepped up their efforts to educate partners and users about the rapidly growing threat of phishing.

Trend Micro and Symantec have each launched formal and informal efforts to describe the seriousness of this issue, the potential effects and what people can do to slow its pace. Phishing occurs when spammers send legitimate-looking e-mail to customers of trusted vendors, like banks or credit-card companies, requesting passwords or other personal information under the guise of straightening out some nonexistent problem.

This week, Trend Micro released a survey of 1,600 non-IT professionals from various-sized organizations in the United States, United Kingdom, Germany and Japan. The study found that 43 percent of U.S. respondents have experienced a spam-based phishing threat, and half of all U.S. businesses with less than 500 employees have encountered phishing at work. At least one-third of these respondents said they lost personal information, experienced drop-offs in productivity or were victims of identity theft; one-fifth said they also lost corporate information.

Underlining the breadth of the problem, German respondents reported the most increases in phishing attacks among small-business users, while in the United Kingdom, phishing was more evident in larger organizations, where 41 percent of enterprise respondents experienced increasing encounters in the months leading up to the study.

The report's authors say that the phishing problem is made worse by the prevalence of spam, which "heightens the urgency for organizations to protect against both types of threats to ensure employee security and prevent costly impact to business." It also puts an undue burden on IT help desks, which are the logical destination of users seeking help for the problem.

Meanwhile, Symantec has conducted its own phishing research, reporting that it detected an average of nearly 400 new phishing attacks per week during a recent six-month period. The company has begun to analyze the techniques phishers use and how the average consumer can spot them online. Among the tactics malicious code authors use are mirroring the look and feel of a Web site or creating a fake URL spelled nearly the same as a legitimate one in hopes that a victim may not notice.

Vincent Weafer, Symantec's senior director of Security Response, says the 143 percent increase in malicious code attacks has run alongside the 800 percent increase of distributed denial-of-service (DDOS) attacks in the past year.

"We've moved away from the pandemonium-causing attacks in which a hacker was trying to make a name for himself to ones that are more financially motivated," he says. "We're entering a landscape that's more like crime in the streets."

The problem is that as security vendors, partners and users mobilized to head off the splashy worm and virus attacks during the past few years, their efforts unwittingly opened the door to these more insidious attacks.

"For the past couple of years, security attention has been geared toward large global threats," Weafer says. "With spam and phishing, security people are now fighting the lack of caring because people don't see the big attacks as much, so they don't think they have a security problem."

That is exactly what spammers and phishers are counting on, and their proliferation is creating a lot of work for solution providers.

"Of all the things I do, spam control probably is the most active area," says Cameron Spitzer, proprietor of Truffula Networks, a security and IT consultant in San Jose, Calif. "The biggest problem for the overall economy is spammers' and phishers' relentless search for new hosts. Customers have been using these new, elaborate content management systems that make it easy for them to find their way in."

But with no silver-bullet application or appliance that can stop phishing, vendors and partners must rely on educating users on how to change their own behavior to curb the problem. Trend Micro, Symantec and other security vendors stress how crucial it is to point out to users the different types of techniques used and then have them follow best practices in their online lives.

"As companies are rolling out new security technologies, they also need to deploy policy lockdowns and do regular audits of their systems," Weafer says. "The most successful companies at fighting spam and phishing have good architectures and extremely strong policies that are reinforced inside the organization."