2: E-mail Threats and Attacks
28
warn potentially susceptible recipients about their
questionable provenance.
There’s something phishy going on
Staying with the theme of fraudulent messages, we
come to the specific category of phishing, so
named because perpetrators use the messages to
fish for sensitive information from any recipients
that they manage to hook. The aim is to trick the
user with an e-mail that purports to come from a
legitimate source and which presents some pretext
for requiring information from them (typically
collected via an accompanying website). A good
definition of the general problem is provided by
the Anti-Phishing Working Group (APWG):[9]
a criminal mechanism employing both social
engineering and technical subterfuge to steal
consumers’ personal identity data and
financial account credentials
Phishing represents a significant threat, with the
APWG receiving an average of 30,880 unique
phishing message reports per month in the last
quarter of 2009, alongside an average of 45,873
unique phishing websites being detected per
month in the same period. As an example of the
problem, a typical message is presented in
Figure 5. In this case the message is not
particularly convincing, with rather untidy
formatting and a solicitation to follow a link that
does not look remotely like it belongs to the bank
HSBC (the claimed sender). However, there is still
a risk that a naïve HSBC customer might receive it
and be so concerned by the potential for their
account to be disrupted that they comply with the
request without thinking.
Figure 5: An example of a phishing message
[9] APWG. 2010. Phishing Activity Trends Report, 4th Quarter 2009 (October-December 2009). Anti-Phishing Working Group. www.apwg.org/reports/apwg_report_Q4_2009.pdf (accessed 1 September 2010).
The targeting of HSBC in this example
demonstrates the wider problem facing online
brands, which may find their name being used as
the basis for a scam and their customers being
targeted as the intended victims. According to the
2008 ISBS,[10] companies across every sector
reported phishing incidents in which their brand
had been impersonated by e-mail. In most cases,
this was fairly infrequent, with 50% reporting one
incident and 31% reporting ‘a few’. However,
among the remainder there was somewhat more of
a problem, with 9% of respondents experiencing
one incident per month, a further 9% one per week
and 1% claiming daily occurrence. The findings
also reported that companies accepting online
orders were slightly more likely to find themselves
being targeted.
One of the challenges of handling phishing is that
there is no definitive checklist of visible indicators
that you can use to ensure that a message is
genuine. There are certainly some things that you
might look out for in order to raise suspicion (e.g.
messages claiming to be from credible sources that
appear unprofessionally formatted or poorly
written, that seek to guide you to an address that
does not appear to match the claimed source, or
which ask you to verify account details), but the
key point is that the absence of such indicators still
does not mean that a message is actually safe.
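One of the visible indicators above, a link that leads somewhere other than the claimed sender's domain, can be checked mechanically. The following is an added example, not code from the book: it takes a constructed message modelled on the bank-impersonation case discussed here, compares every link's domain with the domain of the From address, and reports a mismatch; the sample addresses, domains and the last-two-labels domain approximation are assumptions for the demonstration. As the text stresses, a clean result is reported as "no mismatch found", not as "genuine".

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the claimed sender is a bank, but the link leads elsewhere.
SAMPLE_MESSAGE = """\
From: Example Bank Security <alerts@examplebank.example>
To: customer@example.org
Subject: Urgent: verify your account details
Content-Type: text/html

<html><body>
<p>Your account will be suspended unless you confirm your details.</p>
<p><a href="http://examplebank.verify-login.example.net/confirm">Log in</a></p>
</body></html>
"""

# Constructed sample whose link does belong to the sender's domain.
CLEAN_MESSAGE = """\
From: Example Bank Security <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><a href="https://www.examplebank.example/statements">View</a></body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Approximate the owning domain by its last two labels (assumption for the demo;
    real tooling would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def link_mismatches(raw: str) -> list:
    """Return every link whose domain differs from the claimed sender's domain."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    return [url for url in HREF_RE.findall(body)
            if registrable_domain(urlparse(url).hostname or "") != sender_domain]

def assess(raw: str) -> str:
    """Summarise the check; a clean result is explicitly not a proof of legitimacy."""
    bad = link_mismatches(raw)
    if bad:
        return "suspicious: links outside the claimed sender's domain: " + ", ".join(bad)
    return "no link mismatch found (this does not establish that the message is genuine)"
```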
The fundamental point is that it is very difficult to
judge the legitimacy of a message from
appearances alone. Indeed, to illustrate the point
we can consider the findings from a study in which
179 end-users were asked to consider 20 potential
phishing messages, and determine whether they
[10] BERR. 2008. 2008 Information Security Breaches Survey Technical Report. Department for Business, Enterprise & Regulatory Reform, April 2008. URN 08/788.