Monday, October 26, 2009

Phishing Surge Causes Concern





FROM THE EDITOR






[by Eric B. Parizo, Senior Site Editor]

eparizo@techtarget.com







Here at SearchSecurity.com, we've been tracking phishing attacks for years, but this month's headlines leave little doubt that phishing has reemerged as a top-of-mind threat to enterprise information security.



Showing just how widespread and pervasive organized phishing has become, a couple of weeks ago the FBI and Egyptian authorities announced they had charged nearly 100 people in the U.S. and Egypt with allegedly sending out phishing email messages that directed victims to malicious webpages cloaked as legitimate banking sites. It was the largest number of defendants ever charged in a cybercrime case, and it's merely the tip of the iceberg.



Earlier this month, we reported that gangs of cybercriminals have fueled a dramatic increase in new phishing websites and rogue antivirus programs, and the number of unique phishing websites is closing in on an all-time high. InGuardians' Ed Skoudis said in a recent edition of our Security Wire Weekly podcast that attackers continue to use spear-phishing Web content and emails to exploit individual client machines, and from there can easily gain access to any other enterprise resource -- including servers and databases with sensitive or mission-critical data.



With so many ways to distribute phishing attacks -- email, websites (both legitimate and rogue) and emerging methods like social networking services -- experts say that the average Internet user could come face to face with a phishing attack at virtually any moment. The digital underground knows how much money stands to be made from phishing, and attackers keep cashing in -- often at the expense of enterprises that haven't mounted a proper defense.



So where should a defense against phishing begin? Security expert Eric Ogren argues that technology -- such as the use of SSL and certificates, as well as security-aware DNS services -- can help, but enterprise security organizations must launch their own user-focused antiphishing programs. Show end users what recent and proven phishing attacks look like, and do so often; getting users' attention regularly is the only way to enforce good habits. For those enterprises looking to take phishing prevention to the next level, expert Sherri Davidoff has advice on how to use social engineering tests to prevent phishing attacks.



Phishing isn't going away anytime soon, so invest the time now to make sure your enterprise has its antiphishing strategy in place. I've included a few more helpful resources below.



Stay safe out there,

Eric
