Phishing volume against UK targets has grown substantially in late 2001. The techniques have matured beyond what I described in May; the operators are more professional; the success rate is reportedly higher.
A short writeup of what is changing.
What is different from May
Four observable shifts.
Targeting is more selective. Earlier campaigns sent millions of indiscriminate emails. Recent campaigns appear to use demographic targeting: the operators have lists of likely customers of specific banks, gathered from data leaks, mailing-list compromises, or lookups against marketing data. Recipients are therefore more likely to actually be customers of the bank being impersonated, and the response rate is correspondingly higher.
The visual fidelity has improved. Recent phishing pages are essentially indistinguishable from the real ones. The hot-linked-images technique is standard; the CSS layouts match exactly; the URL bar shows a URL that, on casual inspection, looks plausible.
Multi-step workflows. Earlier phishing was a single page that captured credentials and was done. Recent campaigns use multi-step workflows that capture credentials, then a phone number, then a security question, then a one-time code. What is captured goes well beyond the basic credentials.
Automated re-use of captured credentials. Captured credentials are now being used within minutes of capture, often automatically. The attackers are running real-time scripts that test captured credentials against the target bank, transfer money where possible, and do so before the victim realises they have been phished.
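The automated re-use in the last point is the part a bank can see on its own systems, because the replay shows up as a login from an unfamiliar source followed very quickly by a payment to an unfamiliar payee. As an added example (not the post's own code, and not any bank's), the Python below runs that velocity rule over a constructed event stream: a transfer is held for review when it goes to a payee the customer has never paid and follows, within a short window, a login from a network source never seen for that customer. The Event and Baseline records, the field names, the window and the sample data are all assumptions.

```python
"""Bank-side velocity check for replayed phishing credentials.

Added example, not the post's own code. It assumes a simplified event
stream (one record per login or transfer) and a per-customer baseline of
previously seen client sources and payees; all names are invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    customer: str
    kind: str            # "login" or "transfer"
    source: str          # client network identifier (here an IP address)
    payee: str = ""      # destination account label, transfers only


@dataclass
class Baseline:
    sources: set = field(default_factory=set)   # sources seen in the customer's history
    payees: set = field(default_factory=set)    # payees the customer has paid before


def _t(hhmm: str) -> datetime:
    """Constructed timestamps, all on the same day."""
    return datetime(2001, 11, 20, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample history and events; none of this is real log data.
BASELINES = {
    "cust-0001": Baseline({"203.0.113.10"}, {"gas-supplier"}),
    "cust-0002": Baseline({"203.0.113.20"}, {"landlord"}),
    "cust-0003": Baseline({"203.0.113.30"}, {"council-tax"}),
}

SAMPLE_EVENTS = [
    # cust-0001: routine login from the usual source, routine payee
    Event(_t("09:05"), "cust-0001", "login", "203.0.113.10"),
    Event(_t("09:07"), "cust-0001", "transfer", "203.0.113.10", "gas-supplier"),
    # cust-0001: login from a never-seen source, brand-new payee three minutes later
    Event(_t("12:40"), "cust-0001", "login", "198.51.100.7"),
    Event(_t("12:43"), "cust-0001", "transfer", "198.51.100.7", "mule-account-x"),
    # cust-0002: travelling customer, new source but a payee they always use
    Event(_t("13:10"), "cust-0002", "login", "198.51.100.8"),
    Event(_t("13:12"), "cust-0002", "transfer", "198.51.100.8", "landlord"),
    # cust-0003: new payee, but from the usual source with no new-source login
    Event(_t("14:00"), "cust-0003", "login", "203.0.113.30"),
    Event(_t("14:20"), "cust-0003", "transfer", "203.0.113.30", "new-plumber"),
]


def find_suspicious_transfers(events, baselines, window=timedelta(minutes=15)):
    """Return transfers that combine a first-time payee with a login from a
    never-before-seen source inside `window`. Either signal alone is normal
    customer behaviour; together, and that close in time, they match replay."""
    # Work on copies so the caller's baselines are not mutated.
    seen_sources = {c: set(b.sources) for c, b in baselines.items()}
    seen_payees = {c: set(b.payees) for c, b in baselines.items()}
    last_new_source_login = {}    # customer -> (time, source) of latest unseen-source login
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        sources = seen_sources.setdefault(e.customer, set())
        payees = seen_payees.setdefault(e.customer, set())
        if e.kind == "login":
            if e.source not in sources:
                # A customer with no baseline at all counts as "unseen" too.
                last_new_source_login[e.customer] = (e.ts, e.source)
                sources.add(e.source)
        elif e.kind == "transfer":
            login_at, login_src = last_new_source_login.get(e.customer, (None, None))
            recent_new_source = login_at is not None and e.ts - login_at <= window
            first_time_payee = e.payee not in payees
            if recent_new_source and first_time_payee:
                minutes = int((e.ts - login_at).total_seconds() // 60)
                alerts.append({
                    "customer": e.customer,
                    "ts": e.ts,
                    "payee": e.payee,
                    "reason": f"first transfer to {e.payee}, {minutes} min after "
                              f"login from unseen source {login_src}",
                })
            payees.add(e.payee)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_transfers(SAMPLE_EVENTS, BASELINES):
        print(f"{a['ts']:%H:%M} {a['customer']}: {a['reason']}")
```

Run on the sample data this flags only cust-0001's 12:43 transfer. The travelling customer and the customer paying a new plumber each trip one signal but not both, which is the point of requiring the conjunction: a rule on either alone would drown the fraud team in holds. The window is the tuning knob; the baseline is the weak spot, since a customer with no history always looks "unseen", so a real deployment seeds baselines from historic logs before enforcing anything.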
What is the same
The fundamental defensive advice is unchanged:
- Do not click links in emails asking for credentials.
- Navigate directly to your bank's website by typing the URL.
- Verify any unexpected email by calling the bank using a number from the bank's printed material, not from the email.
- Use unique passwords for sensitive services.
- Where the bank offers it, enable two-factor authentication.
The behavioural disciplines have not changed because the attack mechanism has not fundamentally changed. The execution has matured; the defence has not had to adapt much.
What banks are doing
From conversations with people who work at UK banks, the responses I am hearing:
Anti-phishing teams. Banks are setting up dedicated teams that monitor for phishing campaigns targeting their brand, request takedowns of phishing sites, and coordinate with law enforcement.
Customer education campaigns. Banks are sending out messaging to customers about phishing: sometimes useful, sometimes generic, occasionally counterproductive (an email warning about phishing emails is itself an email asking the customer to do something).
Browser-toolbar partnerships. Some banks are partnering with browser vendors to implement special toolbars that visibly indicate the legitimate site.
Two-factor authentication, slowly. Most UK banks have not yet rolled out two-factor for retail customers. Some have for corporate customers. The cost-benefit is shifting; deployment is starting.
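The brand monitoring that the anti-phishing teams above do starts with a mundane question: does this reported URL actually belong to the bank? Given the plausible-looking URLs described earlier, that is harder than it sounds. The Python below is an added example, not the post's code or any bank's tooling. It classifies a URL as legitimate, lookalike or unrelated by comparing the registrable domain against the bank's real domains, then looking for the brand token in the hostname, path or userinfo once common separator and homoglyph tricks are normalised away. The bank domain examplebank.co.uk, the brand token and the short stand-in for the public suffix list are constructed assumptions.

```python
"""Lookalike-URL classifier for brand monitoring.

Added example, not code from the post or any bank. The bank domain, brand
token and the short stand-in for the public suffix list are assumptions.
"""
import re
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"examplebank.co.uk"}   # assumed: the bank's real registrable domains
BRAND_TOKENS = {"examplebank"}          # assumed: strings a lookalike would try to include
# Assumed stand-in for the public suffix list; real code would use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

# Characters and digraphs commonly used to imitate letters in hostnames.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def registrable_domain(host: str) -> str:
    """Return the part of `host` a registrant controls (e.g. foo.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host                       # literal IPv4 address, nothing to strip
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _normalise(text: str) -> str:
    """Drop separators and undo common look-alike substitutions."""
    text = re.sub(r"[-._]", "", text.lower()).translate(_HOMOGLYPHS)
    for digraph, letter in _DIGRAPHS:
        text = text.replace(digraph, letter)
    return text


def classify(url: str):
    """Return (verdict, detail); verdict is 'legitimate', 'lookalike',
    'unrelated' or 'invalid'."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.hostname or ""
    except ValueError:
        return ("invalid", "unparseable host")
    if not host:
        return ("invalid", "no host")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("legitimate", reg)
    reasons = []
    for brand in BRAND_TOKENS:
        # "https://examplebank.co.uk@198.51.100.7/": the brand sits in the userinfo
        if parts.username and brand in _normalise(parts.username):
            reasons.append(f"brand '{brand}' before @, real host is {host}")
        # "examplebank.co.uk.secure-login.example", "exarnplebank.co.uk", "examp1ebank-online.com"
        if brand in _normalise(host):
            reasons.append(f"brand '{brand}' in hostname under {reg}")
        # "https://secure-login.example/examplebank/"
        if brand in _normalise(parts.path):
            reasons.append(f"brand '{brand}' in path on {reg}")
    if reasons:
        return ("lookalike", "; ".join(reasons))
    return ("unrelated", reg)


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    for u in ["https://www.examplebank.co.uk/login",
              "https://examplebank.co.uk.secure-login.example/",
              "http://exarnplebank.co.uk/",
              "https://examplebank.co.uk@198.51.100.7/login",
              "https://www.example.org/"]:
        print(u, "->", classify(u))
```

The ordering matters: the registrable-domain check runs first, so the bank's own hosts never trip the brand heuristics, and everything else is judged on where the brand token turns up. The normalisation is deliberately crude (a handful of digit-for-letter swaps and the rn/vv digraphs); it catches the tricks this post describes and nothing cleverer, and a team running this for real would replace the suffix set with the full public suffix list.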
What this teaches
The phishing problem is structurally similar to spam: economic incentives favour the attacker, the defensive infrastructure sits on the operator side, and the technical solutions are partial.
The specific difference: phishing exploits trust in a way spam does not. The defence cannot just be technical; it has to involve customer behaviour and bank communication. The behavioural piece is harder than the technical piece.
For the next year, I expect:
Phishing volume continues growing. Probability: 90%. Deadline: end of 2002.
Major UK bank takes a serious public hit from a phishing campaign. Probably with substantial customer compensation. Probability: 70%. Deadline: end of 2002.
Two-factor authentication becomes standard for online banking. Across major UK banks, with some kind of token or one-time code mechanism. Probability: 50%. Deadline: end of 2002. Higher probability over a 2-3 year horizon.
More as the year wraps up.