One morning, you receive an e-mail notification from your bank that states it needs to update your credit card data. A fill-in-the-blanks form is attached that asks for information like your address, phone number and password, so you complete it, and hit the Send button.
A week later, you are at the hardware store and proceed to charge a few cans of paint. After the cashier unsuccessfully tries to place the charge on your card, you fumble for a few dollars to pay for the paint and rush home to call your bank, which tells you that your credit card has been overextended by a slew of purchases during the week.
After hanging up the phone, you realize that you are the latest victim of phishing, a scam that is sweeping across the Internet.
Phishing is the process whereby criminals design e-mail notes and Web sites that resemble those from legitimate sources, such as online merchants, Internet service providers or financial institutions. When unsuspecting individuals respond to the seemingly legitimate messages, they send their confidential data to criminals’ Web sites rather than to genuine companies. With this information, the phisher can gain access to an individual’s account or perpetrate identity fraud.
Major Increase
Phishing is reaching epidemic proportions. The Anti-Phishing Working Group (APWG), a vendor consortium trying to address the problem, received reports of more than 1,100 unique phishing campaigns in April, a 178 percent increase from the previous month and a 4,000 percent increase from November 2003.
A Gartner Group study, also completed in April, estimated that more than 57 million Americans, representing 40 percent of all online users, received a phishing e-mail, and 76 percent said the attack had taken place in the last six months.
The ploy is gaining momentum for a couple of reasons. Like spam, phishing is technologically simple. Illicit e-mail lists have been available for years online, and so it becomes quite simple for crooks to send out massive mailings quickly and economically. Mimicking a vendor’s correspondence is as easy as downloading a few logos and then inserting bogus information into a message. In fact, software kits that help criminals do this are now readily available on the Internet.
Some of the kits are focusing on more sophisticated attacks. “We’ve seen examples of phishing where users are asked to respond to notes from vendors about steps users should take to protect themselves from phishing attacks,” said Shawn Eldridge, chairman of the Trusted Electronic Communications Forum (TECF), another vendor consortium examining the issue, as well as director of marketing at security supplier PostX.
Easy Success
The various schemes do not need a large percentage of individuals to fall for the ploy for it to be successful. Gartner Group analyst Avivah Litan estimates that 3 to 5 percent of users are duped by phishing schemes, and that number translates to 1.7 million to 2.7 million users in the United States.
As a result, interest has spread from hackers to organized crime. “Vendors report that about half of the phishing attacks take place overseas, in areas like Eastern European countries, and there is growing feeling that some of the attacks are being orchestrated by organized crime rings,” Gartner Group’s Litan told TechNewsWorld.
The crooks are hard to catch. “With the nature of the Internet, it is very easy for individuals to pack up and move to another Web site,” said Pete Lindstrom, research director at Spire Security, a security consulting firm.
As a result, corporations are starting to pay close attention to phishing. “Depending on the industry, phishing ranks as either the top or the second highest IT priority,” TECF’s Eldridge told TechNewsWorld.
Corporations are concerned because irate consumers hold them responsible for the activity. Also, companies do not want customers to lose trust in the Internet and go back to inefficient manual techniques.
Financial Institutions
Not surprisingly, financial institutions are most concerned about the problem. The APWG found Citibank was the most popular site targeted in April, accounting for 475 campaigns. EBay was the target of 221 unique phishing campaigns, and 135 other attacks were geared at its PayPal subsidiary.
At the moment, the corporations are a bit hamstrung in their fight against phishing. “There is no technological silver bullet that companies can fire that will eliminate the problem,” TECF’s Eldridge stated.
Corporations agree that stronger authentication between users and companies is needed. To date, technologies like Public Key Infrastructure (PKI) have proven too cumbersome to implement, and groups geared to having companies set up common authorization mechanisms, such as the Liberty Alliance, have not gained much acceptance. Vendors are now tinkering with a handful of options, but no one expects them to gain significant acceptance for a few years.
As the technology slowly evolves, the U.S. government has quickened its pace in the fight against phishing. In the spring, the Federal Trade Commission (FTC) and the U.S. Department of Justice went after a crook who was mimicking America Online and PayPal sites. The FTC charged Zachary Keith Hill of Houston with deceptive and unfair practices, and the Justice Department named Hill as a defendant in a criminal case it filed in Virginia.
Suppliers also are trying to educate consumers about the problem. While TECF’s Eldridge rates awareness among corporations as almost universal, he admits that “it is not very good” among consumers.
Yet consumers are inundated with many other important messages, especially during an election year, and many are not technologically savvy enough to understand when a phishing attack might be taking place. So a fix will probably have to come from vendors.
“In the next six months, the number of phishing incidents will probably rise significantly,” Gartner Group’s Litan concluded. “Eventually vendors will be able to shop them, but unfortunately by then the criminals may be focused on a different type of scam.”
As someone working at a webhosting company who offers a free trial service we see a steady stream of such scams. We also see the originating IP addresses, and a number of other details. Including the small numbers of people who usually fall for each one.
Our steady stream consists of, I suspect, one person in Texas, one person in Romania, and one person in Brazil (who wants you to install very suspect Windows executables, so not technically phishing). Possibly one AOL subscriber who has a bit more clue about how to hide his tracks, but not much more clue.
The various big online sites and banks are quick to jump on these sites, but we are very rarely, if ever, approached by law enforcement bodies for copies of logs.
As such I’d be surprised if much organised crime was involved, and given one of these Romanians was working out of the same Internet Cafe each time, if anyone had tried to catch him it would probably take one detective with a mobile phone, and a couple of days. Heck the detective could probably just stop there for regular coffee breaks and sort this one on his time off.
The problem here is that law enforcement isn’t attempted, for whatever reason, not I suspect that it is difficult to do. Compared to other crimes, Internet crimes can, and do, leave a surprisingly detailed trail, usually with exact dates and times.