Phishing--who's taking the bait now?

Phishing crooks aren't staying still--they're getting smarter.

Phishing is a technique used by hackers in which spammed e-mail draws you to a phony Web site that looks amazingly like that of a trusted institution such as your bank. Once there, victims unwittingly disclose personal financial information that the phisher uses to defraud the e-business and conduct identity fraud and theft. Because of well-publicized phishing attacks, most people are now sensitized to these scams.

There is now an even scarier development on the phishing horizon--one in which e-businesses may become unwitting accomplices, because it is difficult for even the most savvy of Web users to detect. "Blended phishing" attacks employ a trusted organization's legitimate site, rather than a mock site and a fake URL address. The result is that even the most cautious users are unlikely to recognize the bogus link as a threat.

These attacks combine traditional phishing methods with another technique known as cross-site scripting, which can cause major damage by executing illicit scripts on the victim's browser. The trigger is a link in the e-mail with an embedded script.

Blended phishing is encouraging even more users to take the bait.

After clicking on the e-mail, the victim is sent to the legitimate Web site, where the malicious link can then perform a number of actions, such as generating a pop-up login that, when populated, can give a would-be hacker access both to the site and to the victim's personal information. The link could also load a Trojan horse or virus onto the user's machine.

Phishers can even use cross-site scripting to deface a Web site by inserting images from another site in place of those normally present. Because the scripting doesn't install anything on the server, the target company does not know its site has been defaced and its brand damaged until informed by visitors.

As Web sites increasingly add dynamic content to provide a richer user experience, the organizations running the sites have less control.

Related feature
Have you been phished?

Check here to see whether an e-mail that appears to be from your bank or an online merchant is actually an attempt to defraud you.

According to the CERT Coordination Center, a federally funded security research and development center, "Web sites that generate only static pages are able to have full control over how the browser user interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the Web sites nor the client has enough information to recognize that this has happened and take protective actions."

Businesses need to take steps today to protect company Web sites and end-users from blended phishing attacks. For example, education and communications campaigns can warn users to avoid clicking on links sent via e-mail. The industry can also encourage users to enter the URL directly into the browser address bar, or select it from a list of favorites.

However, phishers rely on a false sense of trust, so they can encourage more victims to take the bait. Few users can identify malicious code content, and despite the risks, most users will likely avoid typing in URLs when they can simply click on one.

Blended phishing attacks could be prevented through programming techniques. But since there are many methods phishers employ to encode and disguise characters, this would add to the length and cost of development efforts, because complex and computationally intensive validation would need to be performed on each field.

Phishing is already causing damage to e-business.

Another approach is to centralize this checking prior to the request reaching the application. Application-layer security can block harmful characters no matter how they are encoded or disguised. This allows organizations to develop rules that can be automatically applied across all parameters on all pages. Web application firewalls and gateways can provide the required protection without the e-business having to impose additional work on already-overburdened Web developers.

Companies cannot prevent hackers from sending the e-mails, and they can't prevent all users from clicking through well-disguised links. However, they can block malicious code by proactively scanning a site and filtering the HTTP traffic as it enters their enterprise. This approach protects both the company and its customers from blended phishing attacks as well as from a great many additional attack techniques.

Phishing is already causing damage to e-business. It is a threat to the growth of online transactions and a threat to consumers, who are at increasing risk of identity fraud. Blended phishing is encouraging even more users to take the bait.

But the greatest threat of all may be to the reputation of companies doing business online. Preventing blended phishing attacks is essential for efficiently protecting both businesses and individuals and ensuring a safe and fair online marketplace.