Michael Morgan IBM CERT A/NZ
This paper describes the progression of techniques in financial fraud that use social engineering and other methods to obtain financial credentials, and then covers the options available to financial institutions to defend themselves and their clients from exploitation of stolen credentials.
The examples are based on actual phishing expeditions against international banks and the steps taken in investigating and responding to these attacks, including the problems of obtaining a 'get out of jail free' card in such circumstances, and the embarrassment this might present.
The attacks reported range from emails inviting prospective victims to visit a fake website, through emails that embed the logon process within themselves and the hijacking of web-browsing activity, to keyloggers targeting specific financial institutions.
We conclude with some speculation on future vectors and possible steps to prevent widespread use of these vectors. These steps cover public education, supplementary authentication factors, behavioural analysis, and denial of services to potential perpetrators.