Home / Blogs

Are Phishing and Malware Separate Threats?

John Levine

Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer that watches the keystrokes you type, the mouse clicks you make, and the windows that appear on your screen, sends them back to bad guy HQ, and even adds or substitutes its own keystrokes and mouse clicks in a way that you can't easily detect.

I like VeriSign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. There's no question that straight phishes and malware are different problems, but they attack the same customers toward the same ends, and a lot of popular security strategies like those keyfob tokens that generate a different random number every minute are equally ineffective against both. There's also some overlap in implementation, e.g. phishes that direct you to a website that downloads malware.

We can usefully distinguish between offline and online attacks. An offline attack steals credentials for use later, while an online attack sits between you and the bank and does bad stuff in a session after you set it up. Offline attacks are deterred by changing the credentials from one session to the next. The keyfob is one expensive way to do it, but there are others. Most of my non-US bank accounts have two passwords where the bank only asks me for three randomly chosen letters of the second password each time I log in. I gather some European banks send their customers a printed list of one-time passwords, and you use one and cross it out each time you log in.

None of these are effective against online attacks, since the bad guys have a proxy that asks you the real questions from the bank and passes back your real answers, setting up a real session The problem is that there's an insecure endpoint, either a malware infected PC on your desk, or the proxy which you think is the bank and the bank thinks is you.

The solution either way is to switch to a secure endpoint. That's why I have suggested a hardware USB confirmation dongle with a screen and YES/NO buttons, where you set up the transaction on the insecure PC but the dongle has an encrypted connection to the bank. so the display on its screen and your push of the YES or NO button are secure. Another possibility is a confirmation phone call to a phone which is physically separate from your PC, where it reads you the transaction, and you press 1 for yes or 2 for no. (Attention Users! Do not use a softphone on your PC for confirmations!)

It seems to me that although the details are different, the fundamental problems and solutions are very similar, so it makes sense to consider them together.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cybercrime, Malware, Security

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

The Deep Web and the Darknet - The Nether Regions of the Internet

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

Sponsored Topics

Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Verisign

Security

Sponsored by
Verisign
Afilias

DNS Security

Sponsored by
Afilias
Port25

Email

Sponsored by
Port25