    Symantec Combats Phishing with New Services Offering

    May 20, 2008 Alex Woodie

    IT security giant Symantec yesterday launched a new initiative to fight phishing, pharming, and other rapidly spreading types of online fraud targeting banks, e-commerce sites, brokerage houses, and other B2B or B2C institutions where lots of money changes hands. Under the new offering, called Online Fraud Protection Services, Symantec will bring to bear a battery of methods and techniques to block attacks launched against individual companies and their brands and, if possible, work with law enforcement to put the perps behind bars.

    It was with great fanfare that the world celebrated the 30th birthday of spam recently. The hammy substance was served, with a nod and a wink, in a cheeky affirmation of the impact that unsolicited commercial e-mail has had on our culture. Nobody really likes spam, but we view it as mostly harmless, so we can collectively laugh about it, and maybe even tip our hats to some of the truly creative and funny pieces of spam we’ve received over the last decade.

    Unfortunately, behind spam’s innocent facade lies a darker reality involving identity theft, organized crime, and billions of dollars in ill-gotten gains. At some point over the last five years, criminals realized they could use the techniques of the spammer–e-mail pitches sent to millions of inboxes–to direct people to counterfeit Web sites, where they are tricked into entering bank account numbers, PIN numbers, social security numbers, and other pieces of personal information that enable criminals to steal their money.

    This activity is called phishing, and it’s spreading quite rapidly, according to Symantec’s latest bi-annual Internet Security Threat Report. “One of the most significant things that we saw [in the last report] was a precipitous increase in phishing attacks in the six-month period between June and December of last year,” says Ted Donat, director of product management for Symantec Consulting Services.

    Phishing, By the Numbers

    The number of phishing Web sites has skyrocketed, according to Symantec’s research. During the last six months of 2006, Symantec had recorded a total of about 13,400 phishing Web sites in existence. By December 2007, that number had increased by about 650 percent, to almost 88,000 phishing Web sites. And in just the first two months of 2008, the number of phishing Web sites jumped another 70 percent.

    One reason phishing is taking off in popularity is that it is so easy to do and so financially rewarding. Donat’s team performed a return on investment (ROI) analysis for phishing (using assumptions based on the effectiveness of legitimate direct marketing efforts), and the results are somewhat disturbing.

    According to the ROI analysis, a phisher equipped with an easily obtainable phishing kit can send out 2 million fraudulent e-mails fairly easily, and the e-mails may actually get through to 5 percent, or 100,000 inboxes. The analysis then assumes that another five percent of this subset, or 5,000 people, will actually click on the link taking them to the phishing Web site, and two percent of that subset, or 100 people, will enter data. Assuming that the average person loses $1,244 per identity theft incident, the phisher stands to make about $125,000 from his or her work.

    While individual victims lose money in the deal, the companies being spoofed by the phishing fraudsters also lose something: customers’ trust in their brands.

    “What customers are saying is that, specifically at the financial services level, they are very, very concerned about brand erosion that results from phishing attacks,” Donat says. “If you get an e-mail in your inbox that purports to be from Ted’s Bank.com, and it’s a fraudulent e-mail, and then you go click on a Web site and can potentially lose money from it, that’s really an attack on the brand, because somebody has hijacked your brand for nefarious purposes. And the next time that user gets an e-mail from you, she’s going to think twice before clicking on it, or even worse, decide not to do business online with you because you’re not taking adequate steps to protect that.”

    Symantec aims to protect the reputations of banks and other institutions doing business online with its new Online Fraud Protection Services offering, which launched yesterday. The offering is a comprehensive program that uses several approaches to fight the effect of phishing and other Web-based attacks, including pharming (where users attempt to visit a legitimate site but are directed to a malicious site through DNS redirection), vishing (which involves a telephone), SMiShing (phishing via SMS), cyber squatting, typo squatting, form grabbing, screen dumping, code injections, and malware-based attacks.

    Multi-Pronged Attack on Phishing

    Symantec’s program starts off with an on-site assessment by a Symantec expert, who will analyze the customer’s risk exposure for online fraud, and then devise a plan and a series of steps to minimize that risk. This assessment costs about $75,000 for a typical bank.

    The plan could call for a 24/7 incident-monitoring response capability, whereby Symantec security professionals will monitor the Web (via its Global Intelligence Network, a series of sensors, decoy e-mail accounts, and desktop nodes) for phishing activity targeted at a particular bank or brand. Once they’ve spotted an attack, Symantec will take the steps necessary to track down the source of those e-mails, send the perpetrators cease and desist letters, and follow up on those letters with the ISPs and regional authorities to get the sites shut down or the criminals locked up. Symantec can provide this brand protection service for about $100,000 per year per individual brand.

    The plan could call for implementing stronger security mechanisms on the Web site, such as a two-factor authentication program or a secondary password checker. Symantec can assist with installing these systems. Customers with the highest needs might opt for Symantec’s on-site support. Under this program, a Symantec resident will set up shop in the company’s headquarters, where they will oversee brand protection activities. Symantec will charge about $250,000 per year for on-site support as part of this program.

    Customers can also choose Symantec’s incident response services, which direct fraud-related calls to Symantec’s data center. Customers that don’t need the full support, from 8 a.m. to 5 p.m. every weekday, can opt to share this Symantec resource with other institutions for a reduced fee. Symantec will also work with the institution’s public relations department to implement customer education programs and make sure the PR personnel are prepared for the bad publicity that can result from attacks. The program even includes an option for the customer to OEM Symantec’s software and resell it to its customers.

    Online Fraud Protection Services is a unique offering, Donat says. “We’ve done this for years on the security side with incident response, and now we’re repurposing it for specific online fraud incidents,” he says. “There are threats on the horizon. They may not be at your doorstep today, but they will be down the road.”

    It takes a comprehensive program like this to combat phishing and “stay ahead of these folks who are very determined to steal this information,” Donat says. “It is very challenging to find these folks a lot of the times,” he says. “Most of the time we’re able to shut them down. Sometimes they may pick up and move someplace else, but at least we’ve got them on the run a little bit. We’re making it more difficult for them to do their jobs.”

Volume 8, Number 20 -- May 20, 2008