Identities Lost in Phishing

i just opened this discussion on the phishing mailing list. you are all invited to join in.

as i often comment, it is funny to me (not really but hold on) when people scream about this or that organization losing a laptop with 20k identities. what’s 20k?

obviously that is important, and speaks volumes of corporate security and of privacy issues. still, it is insignificant in a laughable fashion when compared to what’s being stolen daily online.

every day, millions of online identities and website credentials are lost. millions. every day.

this is done through trojan horses which are spread (bots, worm fashion) among an immense online population. there are thousands of new variants of these bots coming out every month, dedicated specifically to targeted attacks on online financial institutions.

these attacks target the financial online sites (banking, ecommerce, etc.) not by attacking them directly on the macro level, but rather by multiple micro-level attacks against their users, en-masse.

these trojan horses (bots) are so advanced that they utilize rootkit technology, and when the user surfs to an https site, they use man-in-the-middle attacks on the machine itself to steal his or her

these credentials in turn are sent to the remote attackers for further processing.

a lot of money is lost this way. this is a world-wide problem, but it is especially apparent (as the bad guys utilize the data more and more) in, but not limited to, the uk and europe.
in the us this is a growing trend, but it is mostly ignored by the defenders (most are not aware of it) as regular primitive “email phishing” is still the most apparent threat there. this is largely due to us banks still mostly using username and password authentication.

email phishing is important and a large threat, but it is doomed to death (it will still be here 10 years from now, like nigerian scams are here today, but as a specific threat it will diminish into obscurity).

phishing today should become the root in a tree called online financial fraud or efraud. that, friends, is not going away whether in blogs, trojan horses, email or your cell phone.

these trojan horse attacks, as they are located on the user’s machine itself, are not stopped by 2-factor authentication, etc. there are things that can be done, but when the security problem is on a remote machine not under the, say, bank’s control, there is not much they can do with their current confidence risk assessment systems.

there are solutions, but these are to be discussed another time. it is obvious that one of the biggest problems facing banks, and especially ecommerce sites (without a physical-space presence), is how to establish reputation systems that will provide a technological risk-assessment confidence decision as to how safe it is to work with a remote user.
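the two paragraphs above make a point worth seeing in code: when the malware sits on the customer's own machine, device and location signals look perfectly legitimate and a one-time code can be relayed just like the password, so a bank-side confidence decision has to lean on the behaviour of the session rather than on authentication alone. the following is an added toy example, not code from the original post or from any bank or vendor; the signal names, weights, thresholds, and the customer profile and sessions are all constructed assumptions for illustration.

```python
"""Toy session-risk scoring for a bank's web channel.

Added example. The signals, weights and thresholds are assumptions chosen
for illustration; they are not any real institution's scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserProfile:
    """What the bank has learned about one customer's normal behaviour."""
    known_devices: frozenset
    usual_countries: frozenset
    typical_amount: float      # typical single-transfer amount
    known_payees: frozenset


@dataclass(frozen=True)
class SessionEvent:
    """Facts observed about one authenticated session requesting a transfer."""
    device_id: str
    country: str
    amount: float
    payee: str
    mfa_passed: bool
    transfers_last_hour: int


# Assumed weights: how much each anomaly adds to the risk score.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "large_amount": 20,
    "new_payee": 15,
    "high_velocity": 15,
}

STEP_UP_THRESHOLD = 30   # confirm out of band (another channel) before executing
DENY_THRESHOLD = 60      # hold the transfer for manual review


def score_session(event: SessionEvent, profile: UserProfile):
    """Return (score, reasons).

    A passed MFA does not zero the score: both the credentials and the
    one-time code can have been relayed by malware on the customer's own
    machine, so the decision rests mainly on whether the transfer itself
    fits the customer's history.
    """
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if event.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if event.amount > 3 * profile.typical_amount:
        reasons.append("large_amount")
    if event.payee not in profile.known_payees:
        reasons.append("new_payee")
    if event.transfers_last_hour >= 3:
        reasons.append("high_velocity")
    score = sum(WEIGHTS[r] for r in reasons)
    # MFA counts for something, but only as one signal among several.
    if event.mfa_passed:
        score = max(0, score - 5)
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to the bank's action for this session."""
    if score >= DENY_THRESHOLD:
        return "hold"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed customer profile and three constructed sessions.
ALICE = UserProfile(
    known_devices=frozenset({"dev-home-pc"}),
    usual_countries=frozenset({"UK"}),
    typical_amount=200.0,
    known_payees=frozenset({"electric-co", "landlord"}),
)

NORMAL = SessionEvent("dev-home-pc", "UK", 150.0, "landlord", True, 1)
# Malware on the customer's own PC: device and country look right and MFA
# passed, but the transfer itself is out of character.
MITM_ON_USER_PC = SessionEvent("dev-home-pc", "UK", 1800.0, "mule-acct", True, 1)
# Stolen credentials replayed later from an unfamiliar machine elsewhere.
REPLAYED_ELSEWHERE = SessionEvent("dev-unknown", "XX", 1800.0, "mule-acct", False, 4)


def evaluate(event: SessionEvent, profile: UserProfile = ALICE) -> str:
    """Convenience wrapper: score a session and return the decision."""
    score, _ = score_session(event, profile)
    return decide(score)


if __name__ == "__main__":
    for name, ev in [("normal", NORMAL), ("mitm_on_user_pc", MITM_ON_USER_PC),
                     ("replayed_elsewhere", REPLAYED_ELSEWHERE)]:
        s, why = score_session(ev, ALICE)
        print(f"{name}: score={s} decision={decide(s)} reasons={why}")
```

the middle case is the one the post is about: the session comes from the customer's known machine in the usual country with MFA passed, so a system that trusts authentication alone would allow it; only the unusual amount and unknown payee push it to a step-up confirmation over a channel the infected machine does not control.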

the web channel is the cheapest and most effective in banking today, and banks will not want to lose it.

we (alan solomon and myself) cover some of the market involving this technology and how it works in a recent paper we published in the virus bulletin september edition:

others here with experience on this, who are willing to talk, please share your experience with us.

gadi evron,