Last week the first Digital Phishnet Conference in Europe took place in Berlin. Basically Digital Phishnet is an initiative to help to exchange information about Phishing-Sites in order to help enforcement. This is the core mission: Supporting Law Enforcement with information. So the participants are basically able to enter URLs where they are phished on and the system them collects additional information about it and makes it ready for Law Enforcement, where all the participants can add additional information where applicable.
To me the conference showed different things:
- Phishing attacks are getting more and more sophisticated: Malware is involved into almost every attack; we see attacks where the site is downloaded locally, unpacked and displayed locally – thus circumventing most of the countermeasures against Phishing (especially site-takedowns). We just rarely see the classical phishing attack anymore in Europe.
- The most pressing thing to make all the players collaborate. This is easier said as done as groups that historically are not too good in collaborating would have to: Law Enforcement, Banks, Vendors, ISPs, … Even worse: It means sharing of information and trusting each other.
- This directly leads to networks: It is of outmost importance that we immediately start to build international networks. Key players have to know each other and have to want to collaborate.
There are technical means that are important: Things like Anti-Virus/Anti-Spyware and Phishing-Filters in one way or another. Unfortunately the bad guys learn how to circumvent there as well and hence, they become less efficient:
- URL-Filters lose their importance if the attackers start to use malware and/or local webpages. Having this said, it is important to stress that there are still a lot of attacks using classical webpages and therefore the Phishing Filter has to stay but most probably additional functionality has to be built in. The question is: The more we build in there, how do we distinguish between malware-sites and the censoring of the Internet?
- We see targeted attacks. How do the AV-vendors react on this?
This actually leads me to some conclusive statements:
- No one can solve this problem alone: The bad guys are working together as well – so will we!
- Therefore there is a huge need for personal networks! We have to know each other and trust each other. This is the only way to achieve the collaboration
- New approaches are needed. Most often, targeted malware does not make the cut for AV-vendors to include them into their signatures quickly – but this is what we need. If there is malware been built to target one single bank, this bank has to be able to let the AV-vendors include this malware into their signatures fast.
Finally, let's just do it