Monday, October 18, 2021

New Anti-Phishing Law Lacks Global Weight

Security experts agree the anti-phishing legislation introduced to the U.S. Senate last month is a good first step. But they also agree there are bigger “phish” to fry in the war against online fraud.

The Anti-Phishing Act of 2005, put forth by Sen. Patrick Leahy (D-Vt.), calls for the criminalization of two essential parts of phishing attacks: the creation and procurement of Web sites with the intent to gather information from victims to be used for fraud or identity theft; and the creation or procurement of e-mail that represents itself as a legitimate business with similar intent.

“The digital age has fostered new types of cyberscams like phishing, costing consumers and businesses billions of dollars a year and undermining confidence in the Internet,” Leahy says. “When people cannot trust that Web sites are what they appear to be, they will not use the Internet for their secure transactions.”

It’s the threat of consumers turning away from online transactions that has the business and security communities worried. And while they applaud Leahy for his efforts to help law enforcement catch and prosecute phishers before they commit serious crimes, they warn that the act only covers attacks within the U.S.

“Phishing is an international crime. It [crosses] many jurisdictional frontiers,” says Peter Cassidy, secretary general of the Anti-Phishing Working Group (APWG), a global association of law enforcement and companies focused on eliminating identity theft and fraud. “You can have someone in Romania using servers in Canada and South Korea to rob people in Hawaii. That makes this a difficult crime to stop.”

Cassidy says conventional phishing is steadily rising in terms of e-mails that go out and servers that are enlisted in scam campaigns. In fact, according to a January report from the APWG, 80 percent of phishing attacks are conducted in the financial services sector. Cassidy says banks are getting much better and quicker about stopping the attacks, using monitoring and detection tools as well as browser-based heuristics. However, he adds that phishers also are getting better at creating new tactics. “There’s an escalating confrontation between phishing and counter-phishing movements.”

In fact, security experts are seeing an influx of new phishing techniques that bypass e-mail altogether.

“We’re seeing a migration of phishing toward malware,” says John Ball, senior product manager at WholeSecurity, Inc., an Austin, Texas-based developer of anti-phishing tools. “Trojan horses are being downloaded to machines when you click on a URL.” That malware is then used to collect keystrokes, gathering usernames, passwords and account numbers that the victim enters into legitimate Web sites.

Stopping these types of attacks, which are sometimes referred to as technical subterfuge, is difficult, Ball says. “People want to click on URLs. They’re curious. And phishers rely on social engineering.”

The real harm in all of this, in addition to the financial losses caused by identity theft, is the damage done to corporations’ brand and valuation.

“Financial institutions have made infrastructure changes that they can’t go back from,” says Craig Spiezle, director of history and external relations at Microsoft in Redmond, Wa. Banks rely on online transactions, stock trades are confirmed electronically, 401k program statements are sent over the Internet, he notes.

“They’ve moved to the electronic age and phishing risks undermine this,” he says. If consumers lose confidence in doing business online, companies have no means to reinstate their “live” infrastructure. “No one wants to wait for this to go out of control. That’s why they’re spending so many resources to work on the problem.”

One such effort was announced in December. Digital PhishNet is a coalition of companies and federal agencies — Microsoft, America Online, Inc., VeriSign, Inc., Earthlink, Inc., the FBI, the FTC and the U.S. Secret Service. The group’s goal is to provide a single avenue for communication among the industry and law enforcement to help catch phishers in a timely fashion.

Spiezle says the group already has seen success by stopping a fraudulent e-mail regarding the tsunami relief effort. With the help of Digital PhishNet, “we were able to catch the person within 28 hours,” he says.

Industry analysts say coalitions and legislation tackle one part of the problem. But user education is a far greater challenge.

“We have to teach people to behave in ways that are defensive,” says Mark Gibbs, president of Gibbs & Co., a California-based Internet consultancy.

Gibbs says companies doing business online, such as banks, should have a better strategy for authenticating their communications with customers. He argues that the industry should have a universal online agreement that users can be trained to understand “in much the same way children learn not to go with strangers.” The strategy would have to include simple rules, such as letting users know that no legitimate e-mail would include a link for users to click on.

WholeSecurity’s Ball agrees that consumer awareness is key.

“The government should be educating consumers on this type of threat,” he says. “There will always be people who fall for phishing attacks, but you can reduce the impact.”
