
Phishers targeting smaller financial firms, credit unions

By Marcia Savage, features editor, Information Security magazine
14 Feb 2008 | SearchFinancialSecurity.com


Financial institutions have long been a favorite target for phishing attacks, but attackers are broadening their focus. Security experts say smaller financial institutions, such as credit unions, are now being victimized as well.

Marc Gaffan, director of product marketing, identity and access assurance group at RSA Security, a division of EMC Corp., said financial services firms have always been a favorite of phishers because they are among the most lucrative targets.

But with larger financial institutions taking action to thwart phishing, Gaffan said attackers are shifting their focus to target smaller, regional institutions, including credit unions, because these firms have fewer resources to fight the problem.


The RSA Monthly Online Fraud Report for December (pdf) showed that attacks on nationwide banks made up 26% of U.S. financial institutions targeted by phishers, down from 44% in November. Conversely, credit unions made up 45% of the institutions attacked in December, up from 33% the previous month. Regional banks represented 29% of those attacked, up from 7%.

In targeting local institutions, attackers sometimes send customers customized emails, which can be convincing, Gaffan said. "As a consumer, you might think, 'What are the chances someone would go after my small credit union?'"

Be proactive
According to MarkMonitor Inc., a San Francisco-based brand-protection firm, nearly a third of all phishing attacks in the third quarter of 2007 targeted credit unions.

Between January and November of last year, a majority of the top 10 brands targeted by phishers were financial services firms, said Laura Mather, senior scientist at MarkMonitor. She said attackers launch phishing attacks against financial institutions not only to steal money from bank accounts, but also to use accounts for laundering money.

"Phishers are equal opportunity fraudsters," Mather said, "and are happy to find the financial institution that has the least amount of protection."

Financial institutions are taking several steps to protect themselves. Mather said they're forming groups to track and shut down phishing sites, or they tap companies like MarkMonitor, RSA and others that offer antiphishing services. They also are using email authentication technologies such as DomainKeys Identified Mail, and educating their customers.

"In the last couple of years, the banks have really started to work on this [problem]," Mather said. "It hits their bottom line, so they feel they need to, but we're also seeing some banks being proactive," taking steps to mitigate attacks even though they haven't yet been victimized by phishing.

Attack from all sides
For its part, San Diego-based USA Federal Credit Union is taking a multi-pronged approach to dealing with phishing. The credit union, which has 61,000 members, uses a combination of antiphishing services from MarkMonitor, education for customers and employees, and a detailed response plan.

Carolyn James, senior vice president and CIO at USA Federal, said the credit union has been hit by mass phishing attacks that target multiple credit unions by spoofing a co-op network or regulators, but hasn't seen much in the way of attacks targeting its members.

USA Federal uses two MarkMonitor services: a take-down service that James describes as highly efficient, and an early warning system that alerts the credit union to domain registrations using variations of its name or acronym. Some domain names are registered repeatedly and dropped if they don't get any hits, James said. In some instances, the credit union goes on the offensive and registers the domains.

"We have maybe a dozen we've registered so far," she said. "It's cheap and it just gets them out of the wild."
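
The early-warning idea described above, sketched as an added example that is not from the article, MarkMonitor or USA Federal: it flags new domain registrations that resemble a brand's name or acronym. The brand terms, owned-domain list and registration feed are constructed, and treating the label left of the TLD as the registered name is a simplifying assumption.

```python
# Constructed brand terms and owned-domain allow-list for a fictional credit union.
BRAND_TERMS = ["examplefederal", "examplefcu"]
OWNED = {"examplefcu.org"}
# Look-alike characters folded back to the letter they imitate; hyphens dropped.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def normalize(label):
    """Undo common visual substitutions so 'examp1e' and 'exarnple' compare equal."""
    folded = label.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, max_typos=2):
    """Return a reason string if the domain looks like a brand variation, else None."""
    domain = domain.lower().rstrip(".")
    if domain in OWNED:
        return None
    # Assumption: the name is the label left of the TLD (not public-suffix aware).
    label = normalize(domain.split(".")[-2] if "." in domain else domain)
    for term in BRAND_TERMS:
        if label == term:
            return f"matches brand term '{term}' after normalization"
        if term in label:
            return f"contains brand term '{term}'"
        dist = edit_distance(label, term)
        if dist <= max_typos:
            return f"{dist} edit(s) from '{term}'"
    return None


def review(feed):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d))}


# Constructed feed of newly registered domains.
NEW_REGISTRATIONS = ["examplefcu.org", "examplefcu.com", "examp1efcu-login.net",
                     "exarnplefederal.info", "examplefcy.com", "gardening-tips.com"]
```

Flagged names would go to an analyst to decide between a take-down request, a defensive registration, or no action; the edit-distance threshold suits long brand terms and would need tightening for short acronyms.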

The credit union has multiple tools to educate members, including a safety page on its Web site with instructions on how to report suspicious emails and how to identify phishing attacks.

"No matter what systems we subscribe to, our members are the ones who can really help prevent this from occurring if they're educated," James said.

Employees also are educated on phishing and other online threats via annual training programs, monthly security awareness posters displayed in key locations at every branch, and Internet safety tips on USA Federal's intranet.

Meanwhile, the credit union developed an incident response plan that includes steps it will follow in the event of a phishing attack, which will make the situation less prone to error, James said. "You can pick up the manual and start executing."


