Phishing Still Reels Them In
Have you received an e-mail recently asking for information about your online bank account? Chances are, as a savvy cybercitizen, you didn't fall for the familiar scam. Chances are just as good that some less sophisticated recipients did. Again.

The simple attack known as phishing uses spoofed e-mails masquerading as legitimate messages to lure recipients to fake Web sites, which are designed to trick them into parting with sensitive information like user names, passwords, account numbers, and Social Security details. And for cybercriminals, phishing is the gift that just keeps on giving. The Phishing Activity Trends Report (Q1, 2008) from the Anti-Phishing Working Group (APWG) notes that the number of crimeware-spreading URLs rose to a record 6,500 in March 2008, up 93% from the previous high of 3,500 in November 2007. The number of hijacked brands rose from 131 to 141, while the total number of unique phishing sites detected by the APWG was 25,600.

What's behind the continued rise in numbers? Simply put, phishing works—at least for the bad guys. And it should come as no surprise that they're hard at work developing new methods to fool increasingly wary users and elude security tools. While the transparent (and transparently fake) come-ons and queries are still making the rounds, these days phishing exploits tend to be more sophisticated. Further, the target base is expanding, as business executives increasingly find themselves on the receiving end of highly targeted e-mail messages meant to fool them into sharing confidential information they have access to, whether it's personal data, business plans, or financial details. Such attacks are also known as "whaling," reflecting the relative size of the quarry, not to mention the greater financial stakes.

Phishing has also extended itself into the world of Web 2.0 social networking. In a recent scam targeting Facebook users, attackers spoofed the site's official domain for outbound e-mails to send messages that appear to be from a network "friend," with a zip attachment said to contain an image. But the attachment in fact contains a malware installer. The body of the e-mail also contains a Facebook login page, which lends a greater appearance of legitimacy but quite possibly functions as a fake front to a phishing site.

As employees blur the line between online activity at home and online activity in the workplace, phishing is increasingly putting business data at risk. Security solution providers need to make their customers aware of this—while reminding them that education is an important part of mitigating the potentially damaging impact of phishing attacks. Keep workers aware of the latest exploits, train them in how to spot (and report) suspicious messages, and enforce acceptable use policies (AUPs): Those are the tried-and-true approaches to any exploit rooted in social engineering techniques.

As for the technology, inform them of the need for a comprehensive approach to security. Websense Essential Information Protection (EIP) is proven in controlling all the critical elements of Web, data, and messaging security. It's based on best-in-class products and hosted solutions that provide powerful policy-based control to help companies safeguard their data.

Phishing may be a familiar and straightforward exploit—but as cybercriminals target ever-more valuable data, it's also one that requires extra vigilance.

   
Copyright © 2008 United Business Media Limited. All Rights Reserved.