ATLANTA – If your $400 to $500 million credit union hasn’t been phished yet, experts say that it is only a matter of time until it is.
Phishing attacks, those in which criminals intent on fraud send e-mails seeking to fool consumers into visiting phony Web sites and revealing sensitive information, are increasing both in number and sophistication and targeting more credit unions and community banks, according to SecureWorks, a managed security service company which specializes in combating the problem. The company reports that it has “taken down” nine sophisticated phishing attacks in the last three months and that three of those nine were aimed at credit unions, though the company declined to identify which ones.
“In many ways the phishing phenomenon we are seeing now is a downstream development,” explained Erick Petersen, vice president with the company. “First it was only the really big banks that were being phished and now it has moved downstream to the smaller banks and credit unions,” he said.
In one recent case, he added, the phishers had hacked a credit union’s server to get access to credit union images from the credit union’s legitimate Web site in order to use them on the fake Web site which they had established in a foreign country.
“The attacks are getting more well-planned and in many ways more brazen,” Petersen said, although he stressed that the cost of planning and executing the attacks has remained low enough that there was little chance they would begin to diminish anytime soon. All the phishers need to do is get one or two credit union members to come to their site and give them their information to pay for their work, Petersen explained; that is how low the cost of these schemes can be.
SecureWorks offers credit unions protection of corporate networks, servers, and e-mail environments on a monthly basis for a fee that is based on the number of the firms’ devices needed for the protection and how much proprietary software is needed.
The security firm offers its “take down” service, in which it will locate and shut down sites that phishers have set up, as an additional service requiring an additional contract. Petersen explained that the larger banks appear to have concluded that some degree of phishing losses is inevitable and thus are unlikely to seek outside help in fighting them. Not every financial institution would be interested in having an anti-phishing service included in SecureWorks’ package of core services.
Law Enforcement Involvement?
Many credit unions will probably be surprised to learn that U.S. law enforcement doesn’t always get involved in every phishing attack, Petersen explained. If the attack is based in the U.S. and has a false Web site which is based in the U.S., the U.S. Secret Service will certainly get involved as soon as they are called. But if, as is often the case, the attack site is located in another country, it can be an exercise in persistence and patience to get the site taken down, much less the site-builders prosecuted.
“The phishing sites differ a lot in terms of sophistication,” Petersen said. “Some of them are very basic sites that just sit there waiting for unsuspecting customers to get sent there, others have multiple sites that can serve as backups should the first site get taken down.”
The company describes an attack on a bank in November in which the bank client alerted the firm that someone was trying to obtain sensitive client information through a phishing scam. SecureWorks analysts began investigating the malicious e-mail being sent to the bank’s customers, and after decoding the e-mail found that the phisher was using various types of redirect methods to obscure the true phishing site. After further investigation, SecureWorks noticed that the phisher had transferred authority of the domain name to another server that was compromised and was acting as a so-called poisoned server.
Through this poisoned server, SecureWorks found nine different compromised host servers sitting in Russia, Japan, Belgium, Germany, the U.S., etc. These were the fallback host servers, on which the phisher could host replacement phishing sites as others got taken down. Because there were nine host servers, SecureWorks suspected the phishers were probably using a network of robot computers to control the compromised servers.
No matter the level of sophistication, Petersen said, if the sites are overseas it is unlikely that anyone will be caught and it will take some time to shut them down. Petersen stressed that it was not because anyone in the foreign governments or ISPs did not want to shut them down, but that the differences in time zones and other difficulties getting hold of foreign ISPs made it very difficult. Sometimes the only way SecureWorks can take down overseas phishing sites is to make use of its contacts with the United States Computer Emergency Readiness Team (US-CERT), a branch of the Department of Homeland Security which, in turn, often has connections overseas.
Credit unions need to start preparing to fight these attacks by recognizing that they can occur, Petersen said, and by training their members and their staffs about recognizing attacks. Too many credit unions that contact SecureWorks have logs which indicate they started taking phone calls from members about these fake e-mails two or three days before the CU finally got around to asking for help, Petersen explained. “In other words, the attack had been going on for two or three days before the CU was really aware of it,” he said. Credit unions need to have a set of procedures in place for what to do in an attack of this sort, he stressed.