Leap Fraud

New phishing, social engineering exploits are outdating old-school security tactics

4:50 PM -- In the good old days, you could spot a security threat just by watching the network. Monitor the access points, check the logs, look for disruptions in traffic or anomalous activity. Good, techie stuff that you could get your hands on.

These days, however, the exploits are better camouflaged. Rather than breaking into the network physically, attackers are increasingly finding ways to gain access to the enterprise at its weakest point: the gullible user. These aren't old-school "hackers" just trying to get in; these are new-school fraud artists trying to bring data out.

But don't take our word for it -- take a look at what's happening in the world of phishing right now. (See New Phishing Exploits Emerge.) The Anti-Phishing Working Group says 137 organizations reported phishing exploits in May, the biggest one-month jump since December of last year.

Keyloggers are the most serious threat: One attacker used the same keylogger to try to crack accounts at more than 1,000 banks and financial institutions. Many of these keyloggers are carefully camouflaged, routing users to a real-looking Web page or form field where the attacker can steal sensitive keystrokes.

If online phishing exploits aren't enough, some attackers are mounting convincing social engineering attacks on users right on the premises of the business. (See Social Engineering Gets Smarter.) Penetration testing companies say the culprits usually have no trouble convincing a naive receptionist or other employee of their need to jump onto the corporate network, and then exit just as neatly.

Clearly, the computer fraud artist is becoming at least as dangerous as yesterday's tech-savvy, network-busting hacker. But users and vendors are fighting back. Last week, Cydelity rolled out an online fraud-detection appliance for financial institutions that helps IT managers identify frauds and thieves, not only by their exploits, but by their behavior. (See Fraud Monitoring Appliance on Tap.)

Cydelity's appliance joins RSA's FraudNetwork service on the growing list of products and services that enterprises can employ to identify and fight phishing and social engineering attacks.

Soon, ISPs may have a weapon as well. MarkMonitor, a well-known fraud-detection technology vendor, last week acquired CollectiveTrust, which offers a client-side tool that alerts users to potentially fraudulent Web pages and sites. (See Warning Users of Dangerous Clicks.) When MarkMonitor and CollectiveTrust get their technologies together, they could help ISPs warn users about potentially dangerous URLs -- before they click over to them.

There is much work still to be done on fraud detection. End users must be trained to spot the warning signs of fraudulent communications and to avoid being drawn in. Vendors need to develop more comprehensive databases of phishing and social engineering schemes, along with methods to warn users about them quickly. IT organizations need to seek out better technologies for monitoring and enforcing their policies on online and physical security.

If last week's developments are any indication, there is help on the way, and maybe soon, we'll stop feeling nostalgic for the good old days.

— Tim Wilson, Site Editor, Dark Reading