Home / Blogs

Are Phishing and Malware Separate Threats?

John Levine

Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer that watches the keystrokes you type, the mouse clicks you make, and the windows that appear on your screen, sends them back to bad guy HQ, and even adds or substitutes its own keystrokes and mouse clicks in a way that you can't easily detect.

I like VeriSign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. There's no question that straight phishes and malware are different problems, but they attack the same customers toward the same ends, and a lot of popular security strategies like those keyfob tokens that generate a different random number every minute are equally ineffective against both. There's also some overlap in implementation, e.g. phishes that direct you to a website that downloads malware.

We can usefully distinguish between offline and online attacks. An offline attack steals credentials for use later, while an online attack sits between you and the bank and does bad stuff in a session after you set it up. Offline attacks are deterred by changing the credentials from one session to the next. The keyfob is one expensive way to do it, but there are others. Most of my non-US bank accounts have two passwords where the bank only asks me for three randomly chosen letters of the second password each time I log in. I gather some European banks send their customers a printed list of one-time passwords, and you use one and cross it out each time you log in.

None of these are effective against online attacks, since the bad guys have a proxy that asks you the real questions from the bank and passes back your real answers, setting up a real session The problem is that there's an insecure endpoint, either a malware infected PC on your desk, or the proxy which you think is the bank and the bank thinks is you.

The solution either way is to switch to a secure endpoint. That's why I have suggested a hardware USB confirmation dongle with a screen and YES/NO buttons, where you set up the transaction on the insecure PC but the dongle has an encrypted connection to the bank. so the display on its screen and your push of the YES or NO button are secure. Another possibility is a confirmation phone call to a phone which is physically separate from your PC, where it reads you the transaction, and you press 1 for yes or 2 for no. (Attention Users! Do not use a softphone on your PC for confirmations!)

It seems to me that although the details are different, the fundamental problems and solutions are very similar, so it makes sense to consider them together.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cybercrime, Malware, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

The Deep Web and the Darknet - The Nether Regions of the Internet

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

3 Questions to Ask Your DNS Host About DDoS

Sponsored Topics