March 14, 2006

Just when you thought it was safe to go in the cyber water, phishers have developed yet another way to outsmart current security technology. According to security solutions provider RSA Cyota (Bedford, Mass.), this new technique, dubbed a "smart redirection attack," is designed to ensure that potential phishing victims always link to a live Web site.

This development marks the third step in the evolution of phishing, says Naftali Bennett, SVP at RSA Cyota Consumer Solutions. "First we had simple phishing attacks with one hosted spoof Web site for victims to click to. We would then go in and shut the site down. The next was to have one phishing attack with several hosted spoof sites where you'd divide the total e-mails sent into smaller groups that connect to a given site. We've become efficient at taking these down. Now we have this new development."

According to Bennett, in smart redirection attacks, scammers build a set of sites where all the links in the phishing attack connect to a redirection or hub Web site. This hub site checks to see which phishing sites are still live and redirects victims to them accordingly. Even if a company shuts down some of the sites, there might still be a "survivor" site. He says the goal of this new strategy is to lengthen the duration of phishing attacks.

Technicians at RSA Cyota's Anti-Fraud Command Center discovered the technique and report that, so far, attacks on two different banks—one in the U.K. and one in Canada—have been detected. Bennett said RSA took the sites down and executed a procedure where efforts were concentrated on finding and closing the redirection site. Although this task is not always easy, he says going after the hub site must be the focus of anti-phishing strategies going forward. "This means that phishing attacks will be more effective until we deploy the new remedies," he explains. "We have over 80 banks (including Barclays, ING and Washington Mutual, along with smaller FIs and credit unions) using our anti-phishing services. Those banks doing this on their own need to know it's not enough to just shut down one site [in a phishing attack]."
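The hub-first takedown priority described above can be illustrated from the defender's side. The following is an added example, not code from RSA Cyota or the original article: it groups redirect chains recorded while following links from reported phishing e-mails and flags any intermediate host that fans out to several landing sites. The sample chains, the `.example` hostnames and the `min_targets` threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: each list is the chain of URLs seen when following
# one link taken from a reported phishing e-mail (first hop to landing page).
OBSERVED_CHAINS = [
    ["http://hub.example/r?id=1", "http://spoof-a.example/login"],
    ["http://hub.example/r?id=2", "http://spoof-b.example/login"],
    ["http://hub.example/r?id=3", "http://spoof-a.example/login"],
    ["http://hub.example/r?id=4", "http://spoof-c.example/login"],
    ["http://short.example/x9", "http://spoof-d.example/login"],
    ["http://spoof-e.example/login"],  # older style: lure links straight to the spoof site
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def find_hubs(chains, min_targets=2):
    """Map each intermediate host to its landing hosts, keeping only hosts
    that redirect to at least min_targets distinct landing hosts."""
    fanout = defaultdict(set)
    for chain in chains:
        hosts = [host(u) for u in chain]
        landing = hosts[-1]
        for h in hosts[:-1]:
            if h and h != landing:
                fanout[h].add(landing)
    return {h: sorted(t) for h, t in fanout.items() if len(t) >= min_targets}

def takedown_order(chains, min_targets=2):
    """Hub hosts first (widest fan-out first), then the landing hosts."""
    hubs = find_hubs(chains, min_targets)
    hub_hosts = sorted(hubs, key=lambda h: (-len(hubs[h]), h))
    landings = sorted({host(c[-1]) for c in chains})
    return hub_hosts + [l for l in landings if l not in hub_hosts]

if __name__ == "__main__":
    for h, targets in find_hubs(OBSERVED_CHAINS).items():
        print(f"possible hub {h} -> {', '.join(targets)}")
    print("takedown order:", takedown_order(OBSERVED_CHAINS))
```

A host that forwards to only one landing site, such as the constructed `short.example`, falls below the threshold and is not reported as a hub.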

In general, Bennett says banks must take a broader view of fraud. "It's like having security patrols in your neighborhood to keep criminals out of the homes," he says. "That's good, but you still need locks on your doors. And it's even better if your house has an alarm. In banking, you need a good, but not burdensome, lock on 'the door' to your online banking site—the authentication part. Banks should also place alarms within their Internet banking sites to view all transaction activities, see where people are logging in from, whether someone is using a hijacked computer. Strong authentication at the door at login is important, but is not sufficient anymore."
