Ichthyological anatomy, or a study of phish

Michael Morgan, IBM CERT A/NZ

This paper describes the progression of financial fraud techniques that use social engineering and other methods to obtain financial credentials, and then covers the options available to financial institutions to defend themselves and their clients against exploitation of stolen credentials.

The examples are based on actual phishing expeditions against international banks and the steps taken in investigating and responding to these attacks, including the problems of obtaining a 'get out of jail free' card in such circumstances, and the embarrassment this might present.

The attacks reported range from emails inviting prospective victims to visit a fake website, through emails incorporating logon processes within themselves and the hijacking of web-browsing activity, to keyloggers targeting specific financial institutions.

We conclude with some speculation on future vectors and possible steps to prevent widespread use of these vectors. These steps cover public education, supplementary authentication factors, behavioural analysis, and denial of services to potential perpetrators.
