Posts Tagged ‘phishing’

Phishing on the rise, says APWG Report

Friday, January 22nd, 2010

Phishing is alive and thriving, according to the recently released report from the Anti-Phishing Working Group (APWG). Unique phishing attacks reported to APWG reached an all-time high in Q3 of 2009 – up 10% from the previous record. (Q4 data is not yet available.)

You can find the report at http://www.antiphishing.org/reports/apwg_report_Q3_2009.pdf

Are people getting smart about phishing? Yes, but the attacks seem to be getting smarter, and more targeted.  More than half of the reported attacks targeted the financial services industry, with the payment services industry next in line with 26%.

It’s no time to be complacent. Protect your accounts with strong authentication, which foils phishing attacks.

(Disclosure: TriCipher is a corporate sponsor of APWG, but did not contribute to the report.)

Are social networks eroding business security?

Friday, November 13th, 2009

As businesses grapple with how to handle social media, they are also asking questions about security. Are social networking sites like Facebook and Twitter actually eroding security for business applications?

In and of themselves, social networking sites typically are pretty secure. But they are inherently more susceptible to phishing attacks than other types of sites. This is due to the layer of trust built into social networks.  If you get a direct message that seems to be from a trusted friend, you are more likely to believe it and click on its link than if it is from a Nigerian prince.  That’s just human nature.

However, the question remains whether social networks affect security beyond their own applications. The answer is a qualified yes – not because they are inherently insecure but because they help attackers exploit a major weakness in our standard operating procedures today: sharing passwords between accounts.

Faced with dozens of accounts and passwords to remember, we tend to use the same ones across many accounts. That’s the reason that attackers are targeting Twitter and Facebook accounts.

Says Suzanne Choney in the MSNBC article on the topic, “It’s not so much that a crook wants to read why you’ve written on Twitter, or start posting your tweets. Rather, criminals are looking to see if your account information is the same for other accounts, including those for banks, where the reward for such phishing is more lucrative.”

So the fault lies not with social networks themselves, but with the plethora of accounts that we’re asking people to remember (and perhaps the limitations of human memory and patience).   That’s why secure single sign-on is increasingly a business necessity.

Like it or not, your business users today are on social networks.  According to the Forrester Report “The Broad Reach of Social Technologies“, half of US adults online participate in social networks like Facebook. Yep, your business users are there already.  So don’t make them share credentials with the web accounts they use for your business – give them secure single sign-on instead.

Attackers hide behind password resets

Thursday, October 29th, 2009

Cute neighborhood children aren’t the only ones dressing up in disguises this October – attackers are finding new ways to hide behind password resets or faked login screens. The news on October 28th had two particularly scary stories:

  • A new Twitter phishing attack sends direct messages with links to a fake Twitter login page. (See the Cnet posting.)

I’m not sure what’s more frightening – that these attacks are happening, or that so many people are still susceptible to them.

In the Facebook article, many users reported that they pulled the malicious mail with the zipped executable OUT of their junk mail filters because they thought it was legitimate. Yikes.

In another password-related article, the Wall Street Journal profiled a small business where all users shared a single password to access important applications. Better yet, the password was ‘password’ – now that’s a frightening story.

We can keep shouting from the rooftops about changing passwords and using strong passwords – but it is better, from a business risk perspective, to just stop relying on passwords for our application access. Instead, use federation strengthened with multifactor authentication. Then all of these scary stories won’t keep us up at night.

Photo: http://www.flickr.com/photos/orangeacid/ / CC BY 2.0

Hotmail passwords leaked – and now the larger threat begins

Monday, October 5th, 2009

Last week, attackers apparently posted over 10,000 Microsoft Windows Live Hotmail passwords on a developers’ website. Neowin.net broke the story at http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online

Microsoft has confirmed the story and indicates that it is not the result of a breach on their part—presumably, users were victims of phishing attacks.

You might think the threat is contained – the passwords have been pulled off the site, and Hotmail users can simply change their passwords. All better, right?

No – this breach can have ongoing, insidious effects for individuals and businesses alike. Malicious individuals with access to those accounts can exploit opportunities for theft and damage through shared passwords and insecure password reset processes.

Shared passwords.  Everybody does it – we pick a few passwords and use them across many different accounts. Anyone with access to those Hotmail passwords has a pretty good chance at breaking into other accounts owned by those individuals – perhaps even Salesforce or Google Apps accounts hosting their employers’ data.

Password resets.  For too many applications, if you own the email with the application you own the password reset. Even if attackers cannot guess the password for an app, they can reset it to one of their choosing. And if applications send passwords in the clear in email, attackers don’t even have to reset—they can browse through old emails for passwords.
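The reset weakness described above has a well-known mitigation: never send the password itself, and don’t let mailbox access alone unlock the account. The sketch below is an added example (not TriCipher’s or myOneLogin’s code) contrasting an insecure email-only reset with one that issues a short-lived, single-use token, stores only the token’s hash, and requires a second factor before the password can change. The stores and user record are constructed in memory for the demonstration.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database (assumption).
USERS = {"alice@example.com": {"password": "hunter2", "has_second_factor": True}}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}
TOKEN_TTL = 15 * 60  # 15 minutes


def insecure_reset(email):
    """The anti-pattern from the post: whoever reads the mailbox gets the password."""
    new_password = secrets.token_urlsafe(8)
    USERS[email]["password"] = new_password
    # Sending this in clear lets an attacker who controls the mailbox log in, and
    # the secret also sits in the mail archive for later browsing.
    return f"Your new password is {new_password}"


def issue_reset_token(email, now=None):
    """Create a single-use token; only its hash is stored, and only the token
    (never a password) goes to the mailbox."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_TTL, "used": False}
    return token  # the caller embeds this in the reset link


def redeem_reset_token(token, second_factor_ok, new_password, now=None):
    """Consume the token: reject unknown, used or expired tokens, and refuse
    unless a second factor was presented, so mailbox access alone is not enough.
    Returns the email whose password was changed, or None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.get(digest)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    if USERS[rec["email"]]["has_second_factor"] and not second_factor_ok:
        return None  # token stays unused; the user can still complete it properly
    rec["used"] = True
    USERS[rec["email"]]["password"] = new_password
    return rec["email"]
```

Token lookup is by hash, so a database read of RESET_TOKENS does not yield a usable reset link.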

So what should you do? If you’re a Hotmail user, reset your Hotmail password and the passwords for any other accounts that shared the same password.  And if you’re a business, use a service like myOneLogin, with strong authentication, to insulate your business from the potential effects of password breaches like this.

Is Facebook turning into Phacebook?

Tuesday, May 26th, 2009

The Memorial Day weekend brought yet more phishing scams targeting Facebook in the form of messages containing URLs leading to malicious sites.  For Facebook users, this means looking with distrust at the inbox messages from friends. For more details, see http://mashable.com/2009/05/25/facebook-tinyurl/

Why would attackers focus on a site like Facebook that is more about what we did this weekend than where our bank accounts are stashed?  There are several reasons:

•    Facebook pages contain a rich lode of information about a person, their friends and connections that could be used for identity theft, “spear-phishing” or other malicious purposes.

•    Most likely, phishers hope that people re-use the same accounts and passwords across other accounts (and research proves that in many cases, we do). So gaining access to a Facebook account potentially opens other doors.

The Facebook Connect initiative, by which participating sites agree to accept the Facebook account and password as “trusted authentication,” only makes these accounts potentially more attractive to attackers.

Facebook is a community built on trust, making its users more vulnerable to well-crafted phishing attacks. By definition, when you’re looking at your Facebook inbox or clicking on a posted link, you believe you’re looking at things posted by your friends. These phishing attacks slowly erode some of that trust.

What we learn from the botnet

Friday, May 15th, 2009

Researchers at the University of California Santa Barbara managed to infiltrate a botnet and observe its operations for 10 days. The published report is available at
www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

The botnet’s apparent objective was obtaining financial information. The researchers observed that the virus used not only passive password monitoring but also active phishing to try to elicit specific financial credential information from its victims.

And it was successful:
• The botnet stole almost 300,000 login credentials during the observation period.
• More specifically, it obtained 8310 accounts at 410 financial institutions.
• 28% of the victims reused credentials between different sites.

The UCSB researchers learned quite a bit about how malicious botnets work. But the rest of us can take away valuable lessons as well.

First, we like to think we’re immune, but we’re not. The victims ranged from students to the CEO of a tech company. One proudly claimed that an antivirus program had cleaned his computer. Clearly antivirus programs don’t work all the time. Roughly 20% of the victims were connecting from publicly-accessible systems.

The biggest lesson is this: business and financial web applications need strong authentication – a second authentication factor in addition to an account and password. It’s simply getting too easy for attackers to discover our passwords and gain access to valuable information in web applications.

Phishing affects your brand

Monday, April 20th, 2009

I just read the article “Phishers get more wily as cybercrime grows” by Diane Bartz for Reuters, profiling the new and creative ways that phishing attacks are escalating. Apparently the newest variant is ‘smishing’, which is phishing by SMS text messages. See http://tech.yahoo.com/news/nm/20090417/tc_nm/us_cybercrime_1.

The article quotes Michael Barrett, Chief Information Security Officer at Paypal, saying that phishing “was impacting their view of the safety of the Internet and that it was indirectly damaging our brand.”

Paypal is a company that gets it – that phishing is most definitely their problem. They’ve taken aggressive tactics to block spam emails purporting to come from Paypal.

At TriCipher, we’ve been on the phishing crusade for a while now. We think that one of the best ways online businesses can protect their brands from phishing is by adding strong authentication to access their sites. And we’ve got an easy way for web developers to implement strong authentication without software, using web services calls to our service. See http://www.myonelogin.com/strong_authentication.html for more information.

myOneLogin: Supporting business on the web with web SSO, strong authentication, and federation as a service.
COPYRIGHT ©2010 TRICIPHER. ALL RIGHTS RESERVED.