DETECT MONITORING SERVICE AND THE ART OF RAPIDLY DETECTING AND ELIMINATING PHISHING THREATS

Summary

As it is often stated, time is money, and this is above all true when it comes to online fraud. It is no secret that the longer a phishing attack stays live the more losses accumulate, often exponentially. Therefore, it is a business imperative to quickly identify and eliminate these threats. As phishing attacks become more sophisticated, it has never been more important to employ solutions that have proven track records of preventing fraud. Detect Monitoring Service (DMS) from Easy Solutions is a product that has consistently, year over year, detected and eliminated phishing attacks at industry leading rates, saving businesses time, but most importantly money.


TABLE OF CONTENTS

1 The Costly Progression of Phishing Attacks
Phishing attacks escalate exponentially, attempting to rapidly trick as many users as possible before takedown. It is critical to quickly detect and eliminate threats before losses accumulate.

2 The Evolution of Phishing Attacks
Phishing has a rich history dating back to AOL in the 1990s; however, it is now a much more sophisticated process. In addition to top brands, phishers have branched out to include school districts, hospitals, insurance companies, governments, and even online security vendors as potential targets.

3 Approaches to Combat Phishing
An analysis of the current anti-phishing solution landscape, which includes email filters, spam feeds, domain registration monitoring, internet scanning, education, and browsing tools.

4 Detect Monitoring Service from Easy Solutions: An Innovative Approach to Proactively Eliminate Phishing Attacks
An introduction to Detect Monitoring Service (DMS) from Easy Solutions. Discover the methodology of DMS along with its proven historical results, established Return on Investment (ROI), and new extended features such as Brand Intelligence and Website Defacement Monitoring.

5 About Easy Solutions
Easy Solutions is the only security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds.

[Figure: The Costly Progression of a Phishing Attack. Series: Total Victims, Cumulative Cost. Horizontal axis: hours (1 to 24).]

1 THE COSTLY PROGRESSION OF PHISHING ATTACKS

Time orders events from the past through the present into the future. Every day, businesses use the concept of time in defining revenue growth. Time is money.

While the time is money dynamic governs businesses, it also dictates the art of phishing. Phishers, just like any of us, have 24 hours in a day to operate. They identify target brands and unleash swift and prolific attacks to earn their paychecks. They are acutely aware that the more time their virtual assaults stay active on the net, the more money they stand to gain.

Graph Figures and Assumptions

Total email addresses targeted               100,000
% of emails filtered to spam                 95%      5000 Reach Inbox
% who open email                             50%      2500
% who read email and click                   1%       25
Of those who click, % who fall for attack    45%      11.25
Total Victims                                11
Average cost per compromised account         $ 1,800.00
Personnel costs at institution per hour      $ 200.00

2 THE EVOLUTION OF PHISHING ATTACKS

Phishing has been around since the 1990s and the AOL “You've Got Mail” days. Using the AOL Instant Messenger and email system, phishers posed as employees and requested that users verify billing information. Even though these first attacks contained egregious grammatical and spelling errors, many proved successful because Internet users were so naive at the time. Why wouldn't they be? This was a whole new ballgame.

Fast forward to today and let's examine how the phishing landscape has evolved. While many of the same AOL principles apply, phishing has become a much more targeted, streamlined and lucrative craft. In fact, there is now a whole list of specialized phishing attacks.

Phishing Terms

Spear Phishing        Directed at specific individuals or companies
Clone Phishing        Uses previously sent legitimate emails but includes malicious attachment
Vishing               Attack medium is phone calls
Smishing              Attack medium is text messages
Whaling               Directed at senior executives and high profile individuals
Minnowing             Directed at kids of senior executives
Pharming              Practice of redirecting users to phishing websites
Man-in-the-Middle     Active eavesdropping between user and business
Man-in-the-Browser    Active content injection between user and host web application

Online criminals are still storming ISPs and email providers, but they are also homing in on financial services and online shopping sites. This trend is obvious in the following table:

Top Phishing Targeted Brands for December 2012 (SOURCE: TrendMicro)

Financial Services                     WebMailers                      Online Shopping Sites
Company           Phishing Websites    Company    Phishing Websites    Company        Phishing Websites
PayPal            18947                AOL        1475                 Taobao         1691
Wells Fargo       2049                 Yahoo      1349                 EBay           504
Visa              1661                 Hotmail    1205                 Amazon         251
Citibank          1628                 Gmail      1200                 Alibaba        150
Bank of America   1477                 Others     188                  Littlewoods
MasterCard        968
Chase             656
Bancolombia       369
Natwest           324
Cielo             310

While the bigger enterprises absorb the main body blows, we have learned that any business is a potential target. School districts, hospitals, insurance companies, governments, and even online security vendors have all been victims. We also know that phishing attacks continue to increase, and that phishing attack subject lines often use a security front to fluster email recipients.

[Figure: APWG Attack Totals, 2009 - Present. Horizontal axis: half-year periods, 1H2009 through 1H2012.]

Top Five Phishing Email Subject Lines (Source: Websense)

    Your account has been accessed by a third party
    (Bank Name) Internet Banking Customer Service Message
    Security Measures
    Verify your activity
    Account security notification

[Figure: Reported Total Phished Brands in 1H 2012, by month (Jan to Jun). Data labels as extracted: 370, 392, 392, 428, 400, 390. SOURCE: APWG]

Now more advanced phishing techniques are also employed, with cybercriminals using malware to redirect unsuspecting users to phishing sites. Even when the correct web address is typed into the navigation bar, the underlying IP address can be tampered with. These more advanced tactics are much more difficult to detect and eliminate. One thing is certain: phishing attacks are here to stay and cybercriminal tactics will continue to evolve.

3 APPROACHES TO COMBAT PHISHING

So what can be done? If you have ever searched “anti-phishing service”, you probably felt overwhelmed with the results. Page after page, you see a diverse set of vendors claiming to be phishing prevention specialists looking to provoke a mouse click. Much like many other searches conducted on the Internet, a thorough analysis is a must to get past the smoke and mirrors. Once the dust settles, one will discover that anti-phishing strategies range from email filtering to education to Internet scanning. Solutions come in the form of products or services. Some vendors tackle phishing for internal employees while other companies address the end user level. Below is a table that summarizes main strategies.

Strategies to Detect, Prevent and/or Mitigate Phishing Attacks

Email Filters
    What: Filter detects certain email characteristics (bulk sending, IP sources, fraudulent email addresses) and sends phishing emails to spam folder
    Pros: Can filter high percentage of phishing attacks; easy to deploy and manage at enterprise level
    Cons: Can send "good" email to spam folder; cannot filter all phishing attacks especially spearphishing; difficult to enforce at end user level

Spam Feeds
    What: Vendors get access to and analyze spam folders to detect phishing attacks
    Pros: Contain loads of data and can detect many phishing attacks
    Cons: Spam folders do not detect all phishing attacks, especially spearphishing; requires access to numerous spam feeds; may not be real-time

Domain Registration Monitoring
    What: Monitors domain status, domain registrar, domain expiration dates and domain name server activity
    Pros: Can sometimes anticipate phishing attacks when alerted of domain activity; real-time
    Cons: Some phishing attacks targeting your brand may not resemble your domain and thus go unnoticed

Internet Scanning
    What: Web crawler programs that methodically monitor the web
    Pros: Automated process that covers a lot of ground quickly
    Cons: Often low sensitivity levels; may not be performed in real-time due to sheer size of web

Education
    What: Social engineering assessments using mock phishing attack exercises
    Pros: Can reduce risk of employees falling victim to phishing attacks dramatically; addresses spearphishing targeting employees
    Cons: Does not protect end users and spearphishing always a threat

Browsing Tools
    What: Browser based security plug-in that monitors end user online session
    Pros: Goes beyond traditional anti-virus technologies; can alert user to phishing attacks in real-time
    Cons: Requires end user installation, often does not shut down attack which can still affect users without plug-in

.:: Takedown is Only Part of the Equation

No approach can guarantee a phisher will not hijack a brand, so stick with the golden rule that time is money. Limit attack uptime and you reduce funds out the door. A service that lauds a fast deactivation time might sound tempting, but this number refers to the time it takes to shut down a phishing site AFTER it is detected. What about the time it takes to detect an attack? Take for example an incident that goes unnoticed for the first 60 hours. After detection, it takes 5 hours to deactivate. Easy math shows that the attack had a lifespan of 65 hours. And while no one is holding a stopwatch once an attack goes live, it is imperative to select a solution that can demonstrate early detection.

Most of the previously mentioned approaches are reactive, meaning that they spring into action after a cybercriminal has already formulated and launched an attack. Take for example email filters: sure, they do a great job at filtering most unsophisticated phishing emails to spam, but the fact remains that by the time a cybercriminal has sent those emails the target website has already been scraped and a counterfeit website is live online. Spam feeds are another great tool, but again they are reacting to a problem, not proactively seeking out a solution. By the time a phishing email reaches a spam folder, security professionals are already a step behind.

.:: Controlling the Field of Attack

Simply reacting to phishing attacks is a passive approach to combating fraud, and most security executives are sick of feeling exposed. “A lot of CISO's are tired of always playing defense in the sense of I'm stuck, I'm vulnerable, I'm visible, and everyone can take shots from me from any direction,” says John Muir, managing director of the Security Innovation Network. [1] Security executives should instead seek out solutions that are truly proactive, solutions that give them a clear indication of when they are being probed for a possible attack - a solution like Easy Solutions' Detect Monitoring Service, the most comprehensive monitoring service in the landscape of online fraud.

[1] Eric Chabrow, “Deciding What Wares to Buy and From Whom,” Bank Information Security, November 8, 2012, <http://www.bankinfosecurity.com/deciding-what-wares-to-buy-from-whom-a-5275/op-1>

4 DETECT MONITORING SERVICE FROM EASY SOLUTIONS: AN INNOVATIVE APPROACH TO PROACTIVELY ELIMINATE PHISHING ATTACKS

.:: DMS Website Monitoring – How it Works

Understanding that time is money for our clients, Easy Solutions' Detect Monitoring Service (DMS) uses a novel, proactive approach to detect phishing attacks. While DMS utilizes traditional detection avenues such as domain watching, 3rd party data feeds and secure browsing for evidence of new attacks, it also tactically monitors the protected client's website. The continuous scrutiny of the protected website is what distances DMS from other solutions.

DMS monitors every incoming visitor connection to the protected site in real time. A powerful proprietary statistical correlation engine then qualifies each connection, searching for suspicious activity. Why does this matter? Because phishers themselves browse websites during the early phase of an attack lifecycle, and DMS agents are immediately notified. That's right; phishers must first identify brands to target, gather intelligence and scrape websites before they can launch full-blown attacks. DMS expertly takes advantage of this fact, and sends alerts when suspicious patterns are detected.

[Figure: DMS monitors the website's pulse. Labels: Monitored Connections, Generated Alerts.]
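The idea of qualifying visitor connections to the protected site can be tried on an ordinary web access log. The sketch below is an added example, not part of the whitepaper and not the proprietary DMS engine; it flags clients that fetch pages with a site-mirroring tool, and goes one step beyond the text by also flagging brand assets loaded with a foreign Referer, a common sign that a copy of the site is live elsewhere. Hostnames, the tool list and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions for this example: hostnames, tool list and file types are
# illustrative values, not taken from the whitepaper or from DMS.
PROTECTED_HOSTS = {"www.examplebank.test", "examplebank.test"}
MIRROR_TOOL_UA = re.compile(r"httrack|wget|curl|python-requests|scrapy", re.I)
BRAND_ASSET = re.compile(r"\.(css|js|png|jpe?g|gif|ico|svg)$", re.I)

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample input (documentation IP ranges, .test/.example names).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:00:01 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
203.0.113.7 - - [12/Mar/2013:10:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 900 "https://www.examplebank.test/login" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.20 - - [12/Mar/2013:10:05:00 +0000] "GET /login HTTP/1.1" 200 5120 "https://www.examplebank.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
198.51.100.20 - - [12/Mar/2013:10:05:01 +0000] "GET /img/logo.png HTTP/1.1" 200 3000 "https://www.examplebank.test/login" "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
192.0.2.44 - - [13/Mar/2013:02:14:09 +0000] "GET /img/logo.png HTTP/1.1" 200 3000 "http://secure-update.example/examplebank/login.php" "Mozilla/5.0 (Windows NT 6.1) Chrome/25.0"
192.0.2.45 - - [13/Mar/2013:02:15:30 +0000] "GET /img/logo.png?v=2 HTTP/1.1" 200 3000 "http://secure-update.example/examplebank/login.php" "Mozilla/5.0 (Windows NT 6.1) Chrome/25.0"
""".splitlines()


def analyze(lines):
    """Return (scrapers, clones) found in combined-format access-log lines.

    scrapers: {client_ip: sorted paths fetched with a mirroring-tool User-Agent}
    clones:   {foreign_referer_host: sorted visitor IPs that loaded our brand
               assets from a page served by that host}
    """
    scrapers = defaultdict(set)
    clones = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip, do not guess
        path = m["path"].split("?", 1)[0]  # ignore query string

        # Signal 1 (before launch): the site is being copied with a mirroring tool.
        if MIRROR_TOOL_UA.search(m["ua"]):
            scrapers[m["ip"]].add(path)

        # Signal 2 (after launch): a page on another host embeds our assets,
        # so each requesting IP is a visitor of that page. "-" yields no host.
        ref_host = urlparse(m["referer"]).hostname
        if ref_host and ref_host not in PROTECTED_HOSTS and BRAND_ASSET.search(path):
            clones[ref_host].add(m["ip"])

    return ({ip: sorted(paths) for ip, paths in scrapers.items()},
            {host: sorted(ips) for host, ips in clones.items()})


if __name__ == "__main__":
    found_scrapers, found_clones = analyze(SAMPLE_LOG)
    print("mirroring clients:", found_scrapers)
    print("foreign pages embedding brand assets:", found_clones)
```

Legitimate partners or search engines that embed the site's images should be added to `PROTECTED_HOSTS` before alerting on the second signal.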

.:: What Happens Next

When the DMS agents receive alerts, they instantly investigate and track ensuing activity. When and if an attack actually goes live, prepared agents work 24x7x365 to quickly shut it down. All steps of the pursuit - from initial detection to final shutdown - are detailed in the cloud-based customer portal. Executive, technical and incident reports are all available.

.:: Proven Results and ROI

Mechanisms engaged in DMS website monitoring account for 65% of all attacks detected. What this underscores is that DMS website monitoring plays a critical role in curbing attacks. In 2012, the DMS team was able to proactively detect 71% of phishing attacks, meaning they found them before a client or their customers were even aware an attack existed. Once an attack is detected, DMS averages an industry best 3.6 hours to shut it down. Only by optimizing both detection and shutdown times will phishers be deterred from attacking your brand. In the perennial tug of war battle, enterprises with DMS start to pull away while phishers surrender and find easier replacement targets.

[Figure: Average Time to Shutdown Phishing Site. EasySolutions: 3.6 Hours. Global*: 23.2 Hours.]
*APWG - 1H 2012
*Anti-Phishing Working Group 2H 2010

[Figure: Number of Phishing Attacks per Month (Jan to Dec).]

Example of a new DMS client's attack profile. Phishing attacks dramatically reduce throughout the year due to optimized detection and shutdown times. Phishers become frustrated with brief attack lifespans and move to other targets.

[Figure: Detect Monitoring Service ROI. Series: Total Victims, Cumulative Cost. Horizontal axis: hours (1 to 24). Annotations: Industry average to shutdown attack is 23 hours; DMS shuts down attack in 3.6 hours; DMS saves $17K on average per attack.]

.:: Detect Monitoring Service Extended Features

Aside from phishing, DMS is stacked with additional layers of protection. DMS monitors the website for defacement, availability and DDoS attacks. Both the SSL Certificate and DNS are continuously watched and validated. Branding alerts are generated when the protected business is mentioned in social media such as forums, blogs and Twitter. All of these features are managed in the cloud based portal and make DMS the most powerful fraud mitigation service in the industry.

.:: Detect Monitoring Service in Total Fraud Protection®

The days of wasting time before reacting to phishing attacks are over. DMS provides security professionals a powerful tool to monitor their website and transactional pages for suspicious activity in real time. This ability coupled with industry leading attack takedown times all managed from an easy to access cloud based portal clearly make DMS the strongest fraud monitoring tool available. DMS is a powerful component in the Easy Solutions Total Fraud Protection® strategy: A multi-layered approach which posits that there is no one single silver bullet solution for all electronic fraud problems, but rather a variety of solutions that seek to systematically thwart fraud across different transactional channels and at any stage of a fraud incident. This cutting-edge, holistic strategy includes different products offering services related to phishing and pharming prevention, multi-factor authentication, and the detection of anomalous transactions.

[Figure: DMS Cloud-Based Monitoring and Management. Components: Phishing, Pharming/DNS, Malware, SSL, DDoS & Defacement, Mobile App, Social.]

5 ABOUT EASY SOLUTIONS

Easy Solutions is the only security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Our Total Fraud Protection® platform protects against phishing, pharming, malware, man-in-the-middle and man-in-the-browser attacks, and delivers multifactor authentication and transaction anomaly detection.

The online activities of 24 million customers of 80 leading financial services companies, security firms, retailers, airlines and other entities in the United States and abroad are protected by Easy Solutions fraud prevention systems. Easy Solutions offers a one-stop shop for multiple fraud prevention services.

Headquarters: 1401 Sawgrass Corporate Parkway, Sunrise, FL 33323 – Tel. +1-866-5244782
Latin America: Cra. 13A No. 98 – 21 Of. 401 Bogotá, Colombia – Tel. +57 1- [email protected]

www.easysol.net

Copyright ©2013 Easy Solutions, Inc. All rights reserved worldwide. Easy Solutions, the Easy Solutions logo, DetectID, DetectID in the Cloud, DetectID in the Cloud for SugarCRM, DetecTA, DetectCA, DetectID Web Authenticator, Total Fraud Protection, Detect Safe Browsing, Detect ATM, Detect Monitoring Service, Detect Vulnerability Scanning Service, Detect Social Engineering Assessment, Protect Your Business and Detect Professional Services are either registered trademarks or trademarks of Easy Solutions, Inc. All other trademarks are property of their respective owners. Specifications and content in this document are subject to change without notice.