This page contains a single entry from the blog posted on April 17, 2007 8:31 AM.


Credit Unions and Phishing Attacks

Brian Krebs yesterday wrote a blog post, "Data Breach Aided University Phishing Scam", that outlines how criminals target credit unions. In it he describes the attack: "In June 2006, an unknown number of IU students and faculty received an e-mail warning that online bill-paying services attached to their IU Employees Federal Credit Union accounts would be suspended unless they "renewed" their contract with the institution. According to the school's student news outlet, the Indiana Daily Student, that attack netted up to 80 victims."

He then outlines the work a PhD student, Chris Soghoian, did to uncover the facts. The post states the following:
"
Investigators found phishing kits - ready-made scam e-mails and Web pages - designed to target IU students and customers of the Florida Commerce Credit Union and the Sandia Laboratory Federal Credit Union. Both credit unions had been targeted previously. In fact, a phishing scam targeting Florida Commerce surfaced two days prior to the IU scam.

The records provided by the university indicate that the phishers gained access to one or more accounts on the school's "Steel" server, a cluster of systems provided for students and researchers engaged in projects that require serious data and number crunching. According to the university, some 24,000 IU students have access to that server (Soghoian claims that figure is outdated and that the actual number of user accounts on that server is at least 30,000). By downloading the list of user names with access to the server, the attackers would have had a ready list of targets to use in their phishing scam, Soghoian said.

"The fact that the cluster provides login services means that anyone who's logged in can query user names on the system," he said. "The phishers sent their e-mails from Steel as well, from within network, which I'm guessing would have helped them somewhat in bypassing spam filters."
"

Brian then closes his post with the following overview of attacks on credit unions:
"
While most phishing attacks target the nation's largest financial institutions, criminals are turning their sights on smaller banks and credit unions whose customers may not be as adept at dealing with these types of scams. In addition, as the attack against the IU Credit Union shows, scams against smaller institutions are more likely to be successful if the phishers have access to e-mail addresses of individuals known to be associated with the targeted institution.

Phishers have targeted more than 185 credit unions during just the past two years, and many of them in multiple, separate attacks, according to anti-phishing and security company Websense.
"

My view is that credit unions will be increasingly targeted over the next two years. Over the last 12 months, attacks against credit unions have risen 584% according to Cyveillance. Most credit unions are easy pickings for the criminals because their membership is small and relatively easy to target (like the university credit unions in Brian's post).

While some credit unions have installed or are installing multi-factor authentication, this on its own won't stop successful phishing attacks against them. Stronger authentication is bypassed with man-in-the-middle attacks. The criminals get the member to click on a link that leads to a fake credit union website, relay the one-time password or other second factor the member types in to the real credit union website, and so obtain a live authenticated session. A one-time code proves only that the member holds the token, not where the session originates, so the real site accepts it no matter who relays it. The member believes they have logged in and logged off normally, but the criminals still hold the session with the real site and use it to withdraw funds.

There are only two ways for credit unions to mitigate this risk: transaction authentication and member education.

Transaction authentication looks beyond the successful login and uses several signals to decide whether the session really belongs to the member: the source IP address, its geolocation, the time of day, the withdrawal amount, the member's transaction history, and so on. It will "weed out" transactions coming from Russia and other notorious places. However, criminals are now placing the relay hosts behind their phishing sites close to the geolocation of the institution they are trying to defraud, so that a geolocation filter on its own passes them; the amount, payee and history checks then have to do the work.
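To make the scoring concrete, here is a small risk-based transaction authentication routine of the kind described above. It is an added example, not code from the original post or from authenticationworld.com; the geo-IP table, the member profile, the thresholds and the three transactions are all constructed (they use RFC 5737 documentation address ranges). It also shows the caveat just raised: a relay host in the member's own state passes a geolocation-only filter, and only the amount, new-payee and address-history signals push that transaction to a step-up.

```python
"""Risk-based transaction authentication for online banking.

Added example; not code from the original post or from authenticationworld.com.
The geo-IP table, member profile, weights and transactions are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed geo-IP table (CIDR -> (country, region)). A real deployment
# would query a commercial geo-IP database instead.
GEO_TABLE = {
    ip_network("198.51.100.0/24"): ("US", "IN"),  # member's home ISP
    ip_network("203.0.113.0/24"): ("US", "IN"),   # hosting provider in the same state
    ip_network("192.0.2.0/24"): ("RU", "MOW"),    # foreign range
}


@dataclass(frozen=True)
class MemberProfile:
    member_id: str
    usual_countries: frozenset
    usual_regions: frozenset
    usual_ips: frozenset
    usual_hours: range            # local hours at which the member normally banks
    max_recent_withdrawal: float  # largest withdrawal in the last 90 days


@dataclass(frozen=True)
class Transaction:
    member_id: str
    source_ip: str
    when: datetime
    amount: float
    new_payee: bool               # destination account never paid before


def geolocate(ip: str):
    """Return (country, region) for an address, or (None, None) if unknown."""
    addr = ip_address(ip)
    for net, loc in GEO_TABLE.items():
        if addr in net:
            return loc
    return None, None


def score_transaction(tx: Transaction, profile: MemberProfile):
    """Score a post-login transaction; higher means more likely fraudulent."""
    score, reasons = 0, []

    def flag(points: int, reason: str) -> None:
        nonlocal score
        score += points
        reasons.append(reason)

    country, region = geolocate(tx.source_ip)
    if country is None:
        flag(20, "unknown geolocation")
    elif country not in profile.usual_countries:
        flag(50, f"unusual country {country}")
    elif region not in profile.usual_regions:
        flag(20, f"unusual region {region}")
    if tx.source_ip not in profile.usual_ips:
        flag(15, "source address never seen for this member")
    if tx.when.hour not in profile.usual_hours:
        flag(15, f"unusual time of day ({tx.when.hour:02d}:00)")
    if tx.amount > 1.5 * profile.max_recent_withdrawal:
        flag(30, f"amount {tx.amount:.2f} far above recent history")
    if tx.new_payee:
        flag(20, "first payment to this payee")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an action (constructed thresholds)."""
    if score >= 70:
        return "block"
    if score >= 40:
        return "step-up"  # confirm out of band, e.g. call the number on file
    return "allow"


def geo_only_allows(tx: Transaction, profile: MemberProfile) -> bool:
    """A geolocation-only filter: allow if the source country looks familiar."""
    country, _ = geolocate(tx.source_ip)
    return country in profile.usual_countries


# Constructed member profile and sample transactions.
MEMBER = MemberProfile("m-1001", frozenset({"US"}), frozenset({"IN"}),
                       frozenset({"198.51.100.10"}), range(7, 23), 400.00)
SAMPLE_TRANSACTIONS = {
    "member at home": Transaction("m-1001", "198.51.100.10", datetime(2007, 4, 16, 19, 5), 200.00, False),
    "foreign relay": Transaction("m-1001", "192.0.2.5", datetime(2007, 4, 16, 3, 40), 2500.00, True),
    "local relay": Transaction("m-1001", "203.0.113.7", datetime(2007, 4, 16, 20, 15), 2500.00, True),
}


def evaluate_all(profile=MEMBER, txs=SAMPLE_TRANSACTIONS):
    """Return {label: (score, decision, geo_only_filter_allows)} for each sample."""
    results = {}
    for label, tx in txs.items():
        score, _ = score_transaction(tx, profile)
        results[label] = (score, decide(score), geo_only_allows(tx, profile))
    return results


if __name__ == "__main__":
    for label, (score, action, geo_ok) in evaluate_all().items():
        print(f"{label:15s} score={score:3d} decision={action:8s} geo-only filter allows: {geo_ok}")
```

The "local relay" transaction is the case the paragraph warns about: it scores 0 on geolocation and would sail through a filter that only looks at country, yet the never-seen source address, the amount far above the member's history and the first-time payee still lift it to a step-up. Weights and thresholds are illustrative; a credit union would tune them against its own fraud and false-positive rates.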

The other choice is to educate credit union members. They need constant reminders of the dangers of clicking on links in emails or instant messages and of opening document attachments. They also need to be warned about vishing, where an email purporting to come from their credit union asks them to call a 1-800 number about their account. When the member calls the number, they give their authentication and account details to what they believe is the credit union but is in fact the criminals.

Credit unions need to realize they are in an arms race with organized crime that is going to increase over the next two years.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
