Online security threats remain a major problem for large enterprises and their customers in the Middle East. With multi-pronged attacks growing in frequency and sophistication, Sherief Younis discovers what is being done in the Middle East to ensure a secure online environment for customers.
Security experts predict that phishing and malware attacks, password-stealing websites and identity theft will increase significantly in 2007. McAfee has added approximately 50,000 new threats to its database since January 2006, and expects to have added a further 225,000 new threats by the end of the year.
With McAfee expecting to identify close to 300,000 threats by the end of 2007, security vendors and in-house security teams at large enterprises are under increased pressure to guarantee online security.
The global dimension associated with threats like phishing means that while these attacks are practically impossible to prevent, they can be regulated and monitored if the right measures are in place.
“We have had phishing attacks where we’ve been able to trace the source of the phishers to countries in this region and additionally, we’ve also encountered and uncovered phishing sites and servers in the region as well. Nobody can actually prevent a phishing attack from occurring but you can prevent it succeeding,” says Ivor Rankin, senior technical security practice manager at Symantec.
The origin of these threats has typically been North America and Europe but the global nature of security threats has initiated a decentralisation process away from these traditional hubs. Security vendor Symantec acknowledges that threats are now emanating from the Middle East with attacks recently traced to the UAE and Saudi Arabia, as well as Jordan, Egypt and Morocco.
“The volume of attacks in the Middle East is not as significant as it is in other parts of the world - it probably accounts for less than 1% of the global phishing attacks - but in terms of percentage increase, although it’s very hard to quantify, there has been a very dramatic rise,” Rankin adds.
Microsoft’s Global Phishing Enforcement programme, targeting phishers and fraudulent websites, has already launched 97 lawsuits throughout Europe and the Middle East since its inception in March 2006. Despite this aggressive legal posturing, it has not proved to be a failsafe deterrent - phishers have merely selected new regions and targets to exploit instead.
“If we look at the number of phishing attacks that have occurred this year in comparison to previous years, we’ve definitely seen a more concerted effort from the phishing community on focusing and targeting banks in the Middle East. As regulation becomes stricter, phishers are turning to what they see as the next big target or the next soft target,” continues Rankin.
The US Federal Trade Commission (FTC) reports that losses due to stolen information have reached an all-time high, with more than 88 million records containing sensitive personal information stolen worldwide since February 2005. Additionally, there were 685,000 consumer complaints in 2005 equating to losses of US$680m.
“Whether attacks emanate from the region or not, it’s who they’re targeting you’ve got to bear in mind. For a bank, being phished is typically a direct result of the value of the brand in the region. The only thing the bank is guilty of is having a high value brand that makes them a target,” explains Justin Doo, managing director at Trend Micro Middle East and Africa.
“Banks are facing a rather bizarre situation that they’re being held responsible for someone else’s attack,” he adds.
Major financial institutions operating in the Middle East such as Citibank, HSBC and Emirates Bank - regular targets for phishing attacks - have now adopted a proactive stance, frequently reminding customers of authentic company practice through e-mails and on-site disclaimers.
“To avoid being phished you should never respond to e-mail messages that request personal or financial information and never click on a link in such an e-mail,” comments Steve Hill, regional information security manager at HSBC Middle East.
Security experts and banks are adamant that creating and maintaining awareness is essential, and are eager to outline the critical importance of educating customers to prevent attacks from being successful in the future.
“User awareness and education is paramount to prevent the attacks from being successful. Education is a big factor,” comments Rankin at Symantec.
Ensuring online security is not a small-scale operation, nor is it cheap for the companies involved, but as business increasingly relies upon the ease of IT technologies and the internet to operate, quality of protection becomes mandatory to protect the business.
“Phishing is an increasingly prevalent scam. It demonstrates how emphasis has moved from the type of robbery where you have to enter the bank premises to that which is based upon technology. This is a reflection of how financial institutions are moving towards technology-based services and we have to pay the price in terms of offering protection. If institutions want to stay competitive then that is a price they have to pay,” adds Hill.
Attempted attacks on MashreqBank, HSBC, Emirates Bank, and National Bank of Abu Dhabi (NBAD) earlier in the year prompted a response from many banks in the region to enhance their security systems to combat the burgeoning problem.
“A number of banks are definitely looking at some sort of strategy to augment their existing security procedures primarily to protect their users. The fact that a bank has had a phishing attack launched upon them in no way indicates that bank is insecure,” Rankin explains.
“New solutions such as anti-phishing technology will detect fraudulent sites and prevent you from connecting to that particular site. Some banks on the other hand, are relying purely on external monitoring services to try and give them an early warning that a new phishing site has emerged with your bank’s information and removes it before the site becomes active. This has proved to be a highly successful and cost-effective strategy for many banks,” Rankin continues.
Some banks are now deploying sophisticated new tools such as multifactor authentication and layered security for online banking customers, while others are using programmes combining mouse clicks and keystrokes to give customers access to their online accounts. However, hackers are countering these advances with screen scrapers and keyloggers deposited by Trojan horses to capture these clicks and entries.
“Banks should be looking at third party authentication,” explains Doo.
“You need something that runs alongside who you are. It’s a human failing that some 80% of people that use online accounts use the same online profile. I would be surprised if the majority of people rigidly used alternative passwords for the different websites they access.
“Third factor authentication, a token or a pass phrase or something that is supplied and authenticated by somebody else, that you hold, would therefore mean anybody attempting to compromise your bank account would need this item to be able to complete the compromise…of course these things would cost money,” Doo adds.
Hill at HSBC adds: “We would like to assure our customers that we have a wide array of tools in our armoury to combat fraud and we are constantly reviewing these tools, systems and processes to improve our protection.
“For our business banking customers we have now introduced a facility whereby a key-fob token is needed to access the business internet banking service. The token has a number that changes every minute, which is used to form a password. It has provided an extremely high level of protection,” he adds.
After the success of the token system implementation in 2006, virtual keyboards and random character checking have both been introduced to prevent malware attacks. HSBC is also looking at security enhancements available with the new version of Internet Explorer. The National Bank of Abu Dhabi (NBAD) has also implemented an RSA token solution for its online banking customers.
The user-orientated nature of the attacks requires security vendors to focus on protection as opposed to prevention. In an ongoing battle between phishers, hackers and malware, additional threats are emerging at a rapid pace.
“Unfortunately phishing is very much on the user side of the equation and users are the ones who need to look out for these types of attacks. The banks can raise awareness and fight if the public look at all the security measures available to them, all in all, doing business online is quite a safe way of transacting,” says Patrick Hayati, regional director at McAfee Middle East.
As computer threats become more sophisticated and security environments become more complex, users and businesses have to remain vigilant, and expectant, of new threats emerging. Utilising the latest patches and anti-virus software - as well as heeding warnings from the bank - will protect users in the short term, but both vendors and banks are keen to remain proactive in the face of future threats.
“I think the sophistication of attacks will increase. It’s a leapfrogging race; hackers come up with something and security companies counter it with a product. If new hacking technology emerges then security technology has to react. Rather than quantity, I think we will see more sophisticated attacks,” says Hayati.
As phishing becomes globally recognised, it is expected hackers and phishers will revert to subtler attacks in an effort to obtain bank details with malware, crimeware and Trojans becoming more prominent in 2007.
“In the last few years we have seen specific cases of Trojans that have been designed so that when a customer connects to a particular banking site in that region, only then does it start recording information. As people become more savvy about phishing attacks and fraudulent e-mail, there’s a likelihood that there will be an increase in the amount of malware or crimeware designed to capture banking credentials,” continues Rankin.
“We have seen an increase in the number of malware infections over the last year. These are specifically targeted infections focusing not on a specific bank necessarily but on a pool of banks, some of which may be in our region. The objective here is that it’s a more intelligent attack in that it only records the information when you connect to that website and yet even if you take the due precaution it still means that potentially information could be captured.”
Fortunately for customers, as security threats evolve, so do the countermeasures, with vendors taking a proactive stance to mitigate future threats. Microsoft’s Internet Explorer 7 release includes anti-phishing measures in the toolbar while McAfee’s VirusScan Enterprise 8.5i advanced provides new technology that ‘goes beyond simply offering protection from a database of signatures’.
“With dilution services the objective is to feed what appears to be legitimate data into the phishing attack site. The end result is that even if we have legitimate users feeding data into that site, it’s mixed up with invalid data and from an attacker’s perspective, he has no way of determining whether the data is legitimate or not. We would also use Arabised names to make it look like the data had come from the region. This has proven to be a successful countermeasure,” explains Rankin.
Additional techniques include ‘baiting’ phishers and tracking how the stolen data is used and whether it is used for criminal activity.
“Another measure uses what we refer to as ‘bait records’. When there’s an attack that occurs, certain records created in the banking system that are flagged and blacklisted are fed into the phishing site. The objective there is to be able to measure and monitor what they’re doing with the data. If ever we see attempts of banking transactions occurring with any of the bait accounts we’ve created it’s an immediate indicator the phisher has gone one step further – beyond harvesting information he’s actively trying to use the information and in the process he’s now committed a major felony.”
“It also gives us the ability, from a banking perspective to track where the attacker is sourcing the data. It may not be the same person who harvested the data, because he may have sold that information onwards, but at least we can pinpoint and identify the people that are now actively trying to defraud a banking customer,” says Rankin.
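The bait-record monitoring Rankin describes can be sketched as follows. This is an added example, not code from the article or from any vendor named in it; the bait account IDs, the log format, the action names and the addresses are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed bait accounts: flagged in the banking system, never issued to a
# real customer, and fed to the phishing site.
BAIT_ACCOUNTS = {"BAIT-0001", "BAIT-0002", "BAIT-0003"}
FRAUD_ACTIONS = {"transfer", "payment"}  # use of the data, not just a login

# Constructed sample log (hypothetical format): time, account, action, source IP.
SAMPLE_LOG = """\
2007-01-10T09:12:03,ACC-48213,login,192.0.2.15
2007-01-10T09:14:40,BAIT-0002,login,198.51.100.7
2007-01-10T09:15:02,BAIT-0002,transfer,198.51.100.7
2007-01-10T10:01:55,ACC-77120,transfer,192.0.2.44
2007-01-11T23:40:19,BAIT-0001,login,203.0.113.9
2007-01-11T23:41:00,bait-0003,login,198.51.100.7
"""


def find_bait_hits(log_text, bait_accounts=BAIT_ACCOUNTS):
    """Return every log row that touches a bait account."""
    bait = {a.upper() for a in bait_accounts}
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, account, action, src = (f.strip() for f in row)
        if account.upper() in bait:
            hits.append({"time": ts, "account": account.upper(),
                         "action": action.lower(), "source": src})
    return hits


def summarise_by_source(hits):
    """Per source address: bait accounts used, and whether a transaction was tried."""
    summary = defaultdict(lambda: {"accounts": set(), "attempted_fraud": False})
    for h in hits:
        entry = summary[h["source"]]
        entry["accounts"].add(h["account"])
        entry["attempted_fraud"] |= h["action"] in FRAUD_ACTIONS
    return dict(summary)


if __name__ == "__main__":
    for source, info in summarise_by_source(find_bait_hits(SAMPLE_LOG)).items():
        level = "TRANSACTION ATTEMPT" if info["attempted_fraud"] else "credential use"
        print(f"{source}: {level} on {sorted(info['accounts'])}")
```

Any hit is a high-confidence alert because no legitimate customer holds a bait account; grouping by source separates whoever is testing the credentials from whoever goes on to attempt a transaction.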
Despite the predictions of more Middle East security threats in 2007 and repeated attacks for two years running, awareness is high. Although the majority of online threats cannot be prevented, they can be controlled and rendered ineffective if enterprises and end-users take the right precautions and follow rigorous procedures.
“I think we’re going to see 2007 as quite a year of development,” says Doo, “We’re going to see a plethora of new threats and we’re already seeing some of them now, like malware that operates within the shells of IE 7. There’s going to be increased focus as to how we can secure and make the internet safer. There are people out there who want access to customers’ PCs,” concludes Doo.