IT security is multi-faceted and ever-evolving, and phishing, a criminal fraud rather than a form of malicious software, is the latest threat to be drawn to the public’s attention.
Apacs figures confirm the number of phishing sites grew more than six-fold during the past year. Although extensive high-profile media coverage has raised awareness of identity theft through conventional phishing, “spear-phishing” is a less publicised phenomenon.
A spear-phishing message looks as if it comes from your employer, or from a colleague who might plausibly send IT communications, and may ask for user names or passwords. In fact, the e-mail sender information has been spoofed; the aim is to harvest credentials and, through them, gain access to the company’s network.
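The spoofing described above leaves traces in the message headers. The following is an added example, not code from the original column or from Microsoft: a small Python checker that runs a few practitioner heuristics over a raw message. It assumes the organisation’s legitimate domain is example.com, and the two sample messages are constructed for illustration, one spoofed and one genuine.

```python
"""Heuristic spear-phishing checks on raw e-mail headers and body.

Added example, not part of the original column. Assumes example.com is the
organisation's legitimate sending domain; sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}          # assumed legitimate domain(s)
CREDENTIAL_WORDS = ("password", "user name", "username", "passcode")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so examp1e.com == example.com."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                       ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def spoof_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    return_path_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    reply_to_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    findings = []

    # 1. Envelope sender (Return-Path) does not match the visible From domain.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"envelope mismatch: Return-Path {return_path_domain} "
                        f"vs From {from_domain}")

    # 2. Replies are silently redirected to a different domain.
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"reply redirection: Reply-To {reply_to_domain} "
                        f"vs From {from_domain}")

    # 3. From domain is a look-alike of a trusted domain.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalise(from_domain) == normalise(trusted):
                findings.append(f"look-alike domain: {from_domain} "
                                f"resembles {trusted}")

    # 4. Display name is itself an address at a trusted domain, hiding the
    #    real sender (a common mail-client trick).
    claimed_domain = domain_of(display_name)
    if claimed_domain in TRUSTED_DOMAINS and claimed_domain != from_domain:
        findings.append(f"display-name impersonation: claims {claimed_domain}, "
                        f"sent from {from_domain}")

    # 5. The body asks for credentials, which genuine IT staff should never do.
    body = msg.get_payload()
    if isinstance(body, str) and any(w in body.lower() for w in CREDENTIAL_WORDS):
        findings.append("credential request: body asks for user name or password")

    return findings


# Constructed sample: a spear-phishing message with spoofed sender details.
SPOOFED = """\
Return-Path: <bounce@mailer-examp1e.net>
From: "it-support@example.com" <helpdesk@examp1e.com>
Reply-To: <helpdesk@examp1e.com>
To: alice@example.com
Subject: Mandatory password verification

Your account will be locked. Reply with your user name and password today.
"""

# Constructed sample: a genuine internal notice.
LEGITIMATE = """\
Return-Path: <it-support@example.com>
From: IT Support <it-support@example.com>
To: alice@example.com
Subject: Patch window this Friday

Servers will be patched on Friday evening. No action is needed from you.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own: forwarding services break the Return-Path comparison and many genuine newsletters set a foreign Reply-To. They are useful as a triage aid alongside user education, not as a substitute for it.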
As always with IT security, the measures needed to address phishing cross multiple parties and jurisdictions. Not only do businesses need to educate employees, the technology industry as a whole needs to approach phishing on three levels: partnerships, technology and education.
Last month, Microsoft launched its Global Phishing Enforcement Initiative (GPEI). Part of the initiative focuses on quickly identifying and shutting down domain names that spoof Microsoft brands. So far, this has been effective in the US, resulting in an 80% drop in phishing-related attacks on our brand. With this success in mind, we recommend these measures to other companies whose brands are likely to be targeted.
The major thrust of the GPEI, however, is partnering with relevant organisations such as Interpol and EuroISPA, the pan-European association of internet service providers.
The pervasiveness of the phishing threat makes partnerships and co-ordinated action essential. Microsoft already partners with public and private sector organisations around the globe, including the Anti-Phishing Working Group (APWG).
The GPEI is a sustained effort by Microsoft to bring legal action against phishers. The company will engage in 100 legal actions against phishers in 10 European, Middle Eastern and African countries over the next few months, in addition to 123 civil cases already raised against phishers worldwide.
Through technology, Microsoft advocates the development of a “trust ecosystem” that creates an environment where people, devices and code can be properly identified and held accountable for their actions. The ecosystem underpins industry-wide support of an interoperable and open standards-based identity metasystem.
Other key tenets of Microsoft’s overall security technology include the way the company develops new code and removes security complexity for IT professionals and consumers. The final component is building confidentiality, integrity, availability and accountability into the Microsoft platform, as Windows Vista will demonstrate.
Microsoft is also collaborating on an internet standard proposal designed to help eliminate domain spoofing and provide greater user protection against scams. Internet Explorer 7 has been improved to help protect consumers and now includes a phishing filter that detects suspicious sites. There are also several technologies within Windows XP SP2 that help thwart common phishing methods. With many phishing attempts initiated through spam e-mails, Hotmail’s anti-spam technology is already stopping 3.4 billion spam e-mails a day.
Improved awareness of phishing helps to combat the risks it presents. To that end, Microsoft remains committed to training its internal developers (almost 600 employees are now CISSP certified), partners and law enforcement personnel (1,200-1,500 annually). The company also supports numerous awareness campaigns, including www.microsoft.com/security and the government-led initiative www.getsafeonline.org.
Success in combating phishing means that, hopefully, by Infosecurity Europe 2007, phishing will have dropped out of the limelight. The ever-evolving threat landscape created by sophisticated cyber criminals will have doubtless moved the game on, but industry efforts as a whole will aim to make it harder for them to succeed.
Ed Gibson is chief security adviser at Microsoft UK. Microsoft will be exhibiting at stand 610 at Infosecurity Europe 2006
This was first published in April 2006