Tuesday, April 24, 2007

Phishing Credit Unions

You may have caught this story in the Washington Post about hacked servers and phishing attacks at Indiana U. If you haven't, I recommend that you do read it. It stars Phishing's man of the hour, Chris Soghoian. Go on. I'll wait.

OK, so the interesting thing about the phishing attack at IU is that it seems that the phishermen were targeting specific credit unions. From the standpoint of traditional bank phishing attacks, targeting small credit unions doesn't make a ton of sense. Local credit unions typically have only thousands or tens of thousands of members. Chase, BofA, and Citibank, for example, all have millions of members worldwide. That's why originally, the big banks were the primary targets of phishing. That seems to be changing, though.

Old model:
Build phishing site that looks like global bank's website & write convincing phishing e-mail. Spam e-mail to tens of millions of addresses. Wait for victims to hand over credentials. Steal info, empty accounts, sell on IRC. Site is shut down in less than a week because high volume of spam == high likelihood of landing in a spam trap or being reported to bank, ISC, CERT, etc.

New model:
Build phishing site that looks like local credit union's website & write convincing phishing e-mail. Spam e-mail to domains of companies listed on credit union's list of select employer groups. Wait for victims to hand over credentials. Steal info, empty accounts, sell on IRC. Site is up longer because the likelihood of being detected is less (no spam traps), and most credit unions outsource infosec functions and only keep a small IT staff so reaction times are typically slower.

To review, credit unions make good phishing targets because they:
1. Outsource lots of IT & infosec functions.
1a. Pay for infosec work required by NCUA and PCI, but neither requires policy/procedure for responding to active phishing attacks.
2. Publish list of companies whose employees are eligible to join, making it easy to target spam to members.

The easy solutions to CU phishing, like making the employer list private, suck because they can have a negative impact on business. So here's a crazy thought. There's a niche in phishing detection for CUs. You would need to create a phony web/email presence, put the fake company on the CU's employer group list, and then wait for hits and coordinate the response to members, antispam vendors, the ISP of the phishing site, and law enforcement. Credit unions already like outsourcing infosec, and the best way to be cost-effective at this is to service multiple credit unions.
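As an added example of the decoy-employer idea (not code from this post), here is a small honeytoken mail check: every address, domain and message below is constructed, and the decoy domain and the credit union's real domains are assumptions.

```python
import email
import re
from email import policy
from typing import Optional
from urllib.parse import urlparse

DECOY_DOMAIN = "decoy-employer.example"   # constructed honeytoken employer domain
CU_NAME = "example federal credit union"  # constructed credit-union name
CU_DOMAINS = {"examplefcu.example"}       # the CU's legitimate web domains (constructed)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def analyze(raw_message: str) -> Optional[dict]:
    """Return an alert record for mail that hits the decoy domain, else None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Nobody works at the decoy employer, so any mail addressed there came from
    # someone who harvested the address from the CU's public employer list.
    rcpts = [a.addr_spec.lower() for h in ("To", "Cc") if msg[h] for a in msg[h].addresses]
    if not any(r.endswith("@" + DECOY_DOMAIN) for r in rcpts):
        return None  # ordinary mail, not a honeytoken hit
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    # Links that do not point at the CU's own domains are the candidate phishing
    # sites; their hosts are what gets reported to the hosting ISP and antispam vendors.
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return {
        "from": str(msg["From"]),
        "mentions_cu": CU_NAME in text.lower(),
        "phishing_hosts": sorted(h for h in hosts if h and h not in CU_DOMAINS),
    }

# Constructed samples: a lure pointing at a look-alike domain, and a mailing that
# only links to the CU's real site (still a hit, but no new host to report).
SAMPLE_PHISH = """\
From: "Example FCU Security" <alerts@examplefcu-verify.example>
To: jdoe@decoy-employer.example
Subject: Urgent: verify your Example Federal Credit Union account
Content-Type: text/plain

Your Example Federal Credit Union online banking access has been limited.
Confirm your details at http://examplefcu-verify.example/login to restore access.
"""
SAMPLE_NEWSLETTER = """\
From: newsletter@examplefcu.example
To: jdoe@decoy-employer.example
Subject: Quarterly newsletter
Content-Type: text/plain

Read the latest issue at https://examplefcu.example/news
"""
```

Wire `analyze` to whatever delivers mail for the decoy domain (a procmail rule, an IMAP poller) and each non-empty `phishing_hosts` list is a site to report to the ISP, the antispam vendors and the affected credit union.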

So, uh... gotta go. Got some VC folks to call.
