Don’t Get ‘Hooked’

• By Wendy Chretien
• 04/21/06

Phishers are starting to focus their attacks on higher ed institutions. Here’s how to bolster your line of defense.

IT’S TEMPTING TO BELIEVE that the phenomenon known as phishing is not a big deal in the education environment. After all, isn’t it targeted at individual consumers using the Net? Unfortunately, this isn’t the case anymore.

To step back for a moment, a definition of phishing might be helpful. Phishing is an attempt to hoodwink a user into providing confidential information via the Net. Until recently, it has mostly been in the form of e-mail “urgent notices” that appear to be from an organization the consumer uses (such as a bank), with instructions to click on a link and provide some missing or incorrect information. Such info may include Social Security numbers and other identifying data. Yet of course, the link is not to the real organization’s Web site, but a replica thereof. And the information input by the unsuspecting user can be used to steal his/her identity. Some big-time phishers sell this personal information to other criminals who have organizations that more effectively and quickly exploit it.

So why should higher ed institutions worry about this? What threat d'es phishing pose? Simply put, the phishers are getting more focused. Some are now able to make it look as though an e-mail is coming from within your own organization, and may pose as someone in the Student Records office or IT. The message may have a key logging program attached, which can capture the user’s password. The next step is to “become” that user and gain access at his/her level of authorization. Imagine the implications if the phished user is a supervisor in Accounts Receivable!

Indeed, these types of attacks targeted at specific organizations, also known as “spear phishing,” are beginning to be reported by higher education institutions, including the University of Kentucky (as reported in “Threat Alert: Spear Phishing,” PC World, Nov. 2005). The federal government (especially the Federal Trade Commission) is starting to respond to the threat, yet as we might surmise, this isn’t going to prevent phishing from happening but, rather, it will set prosecution of the perpetrators in motion—after an attack has run its course. It’s up to us to take preventative measures.

You Can Prevent Phishing

Since phishing is a form of social engineering—dependent upon the manipulation of legitimate users—the first line of defense is your users. You need to educate them that their response to a message seeking private information should be to 1) not respond to the message, and 2) use a separate e-mail or make a call to the person from whom the message appears to originate, verifying the validity of the request. If users discover a message is false, their next step should be to report it to the IT Help Desk.

The second line of defense lies in preventative solutions. Because phishing is a form of spam, your current anti-spam measures should minimize phishers’ access to your users. One example is Florida Coastal School of Law, with a student enrollment of approximately 1,200. This relatively young institution (founded 1995) used assistance from CDW-G to help it select an anti-spam solution. The school ultimately implemented Postini (www.postini.com), an application service provider (ASP) for e-mail services. FCSL has had this service in place for about eight months, and it is “catching a phenomenal amount of spam,” according to Allen Smith, the school’s director of Information Technology. Prior to Postini, FCSL used the Microsoft Exchange Intelligent Messaging Filter (IMF), but had to turn it off because it caught too many legitimate e-mails, even set at the least sensitive level. In fairness to IMF, Smith notes that a law school deals with content that would in other cases be considered highly “filterable.” Nevertheless, this issue has been resolved with the Postini service. As part of the setup, FCSL provided Postini with its e-mail records and IP addresses. Then the college staff spent the necessary time to learn to use and configure the service properly. While the Web interface is very user friendly, it also has great depth, Smith reports, so there was a significant learning curve. FCSL’s cost for the Postini service is $32,000 per year.

Some anti-spam vendors are now releasing products or updates that specifically target the phishing threat. These include (in no particular order) McAfee’s SpamKiller, MailFrontier’s solutions, Identity Cues from Green Armor Solutions, and Cloudmark solutions. Then there are the hosted solutions like Postini and MarkMonitor, the latter of which features an Anti-Fraud Operations Center that proactively pursues phishing sites and shuts them down.

The bad guys keep adapting to risk avoidance techniques, so consider your vulnerabilities and phishing prevention options carefully. But for your users’ sakes, don’t let “analysis paralysis” postpone an implementation for long. They need your help now to avoid being hooked (and gutted) by the phishers.