Global Scambaiting Forum
ONLINE CRIME: A Booming Business



All About Phishing



PHISHING - New lures could snare more users

 

"Phishing is a two-time scam."

"Phishers first steal a company's identity and then use it to victimize consumers by stealing their credit identities."


Just as people are getting wise to e-mail scams that try to trick them into giving up personal information, the con artists behind them are becoming craftier.

These online swindlers, known as phishers because they fish for people's private data to commit fraud or steal their identity, are using new technical tricks that can fool even experienced Internet users.

"The attackers are much more sophisticated than we've ever seen before," said Karl Jacob, chief executive of San Francisco anti-spam firm Cloudmark, which monitors and fights phishing.

At the same time, phishing is growing faster than any other online threat, security companies warn. The number of unique phishing e-mail attacks increased by 1,400 percent in 2004, according to MailFrontier, a Palo Alto e-mail security company.

Phishers have stolen $300 million to $400 million in the past year through unauthorized bank account transfers, estimates Avivah Litan, an analyst with research firm Gartner. The banks generally end up reimbursing customers for those losses.

Dan Hubbard, head of security labs for San Diego's Websense, called phishing the perfect crime.


"Clearly there is quite a bit of money to be made," he said. "Also, it is very easy to do. Basically, with a PC and Internet connection and a little smarts, you can create an attack. Finally and most importantly, it's very difficult to catch the people."

The growing sophistication and volume of phishing attacks come at a time when more Americans than ever are taking their finances online. A quarter of all adults, or 44 percent of Internet users, now use Internet banking, according to the Pew Internet American Life Project.

A phishing attack typically goes like this: A user receives an e-mail claiming to be from the person's bank, credit card company or other business. The message urges the user to click on a link in order to verify his or her account information. The link leads to a Web site that looks legitimate but isn't. There, the user enters private data -- like a password, credit card or Social Security number -- which the scammer steals.


In the past, many phishing e-mails contained misspelled words and contorted phrasing -- telltale signs of something suspicious. Now, many phishers have perfected the text and images in their e-mails and Web sites to look professional and realistic.


That's only the beginning of the deception.

Savvy Internet users once could determine if the Web site was a fake by checking the address to see if it looked unusual. But during the past few months, phishers have used programming tricks to hide the true address of the site they send you to, said Andrew Klein, MailFrontier product manager.


In one new trick, the scammer blocks the address window of the fake Web site by creating a long, narrow pop-up window that sits right over it. So when the victim receives an e-mail purportedly from CitiBank and clicks on the link, he ends up on a site that may have the address www.fakecitibank.com, but it appears that the site's address is the legitimate www.citibank.com.


Masking the site

In another ruse, clicking on the link in the scam e-mail can send the user to CitiBank's real Web site, but an extra pop-up window will float in front of the page, asking for your account information. In this case, the Web site is legitimate, but the pop-up window -- where the consumer enters his user name and password -- is bogus.


Some phishers have even hacked companies' real Web sites in order to redirect users from a page on the legitimate site to a fake site. According to British Internet security company Netcraft, Citizens Bank, Visa, MasterCard and SunTrust have all been victims of this kind of hack in the past four months. All the institutions quickly fixed the security flaw, Netcraft spokesman Paul Mutton said.


"These guys are much better than I thought," said Stratton Sclavos, chief executive of Mountain View security company VeriSign, in a recent interview. VeriSign secures Web sites and monitors Internet transactions for fraud.


Some phishing e-mails can steal your account information even if you don't type it in. These e-mails come with an unseen program attached to them. When the recipient clicks on a link or possibly just opens the e-mail, a Trojan horse program is downloaded to the person's computer.


The program runs quietly in the background until the user visits a bank or some other password-protected site. Then it records the account number and password and sends them to the thief who sent the e-mail.

The Anti-Phishing Working Group warned this month of another tactic, known as pharming, in which hackers redirect victims to a scam site when the real Web site of a bank or other business is typed in. In this trick, there is no e-mail at all -- it's like you're kidnapped on the way to your bank and taken to a fake bank that looks real.


'Beyond your control'

When the scams get this good, it's no surprise that people who thought they knew what they were doing online sometimes fall victim, Gartner researcher Litan said.

"You're not really falling for it," she said. "It's beyond your control."

The advances in phishing are an example of how the line is blurring between hackers and common criminals. Traditionally, hackers exploited software vulnerabilities out of curiosity, not for profit. But now people with hacking skills are increasingly using them for profit, and criminals are picking up technical tricks.


"These aren't the old-style hackers who were doing a lot of this for entertainment," said Ken Silva, vice president of network and security at VeriSign. "There's actually money to be made" on the Internet now.

According to Gartner, 41 percent of American adults on the Internet believe they have received phishing e-mails. Some people who respond to these e-mails -- like Marty Hogan of Hercules -- quickly realized their mistake and took action to prevent it from leading to identity theft.


Flagging credit reports

Hogan, a landscape architect for Caltrans, had already typed in his Social Security number and hit send on a purported eBay account confirmation page when he realized that eBay probably would not ask for that information. He contacted all three credit reporting agencies and flagged his credit reports so that no one could open a new credit account in his name without contacting him.


He was notified by the agencies of several attempts to get information about him, which were turned down. He says those attempts may have been made by the person or people who stole his Social Security number. Having flags on his credit reports did make it inconvenient for him to get a mortgage when he later bought a home, Hogan said.


Many people are not so lucky. Gartner's survey found that those who said they had received a phishing e-mail were three times more likely to be victims of identity theft than others.

Identity theft, when someone applies for credit in your name, isn't the only goal of phishers. Richard Knapp, a Mill Valley antiques dealer, fell prey to a phisher who used his AOL account to send out pornographic spam.

Within hours after he had responded to the phisher's request for his account information, "I started getting some very vitriolic e-mails from irate females," he said. "It was a good thing there was a phone line between us because otherwise I would probably be skewered."

Another tactic is to get the victim's eBay name and password to conduct fraudulent auctions. That's what Francisco Chacin of Hialeah, Fla., did in 2002 and 2003, according to legal documents.

Chacin was sentenced in May to 30 months in federal prison for offering items he did not have for sale on eBay, using accounts he got through phishing. He collected the money for the auctions but never delivered merchandise.

Chacin also sold or tried to sell eBay account information he got through phishing to other would-be thieves on the Internet, according to legal documents. There is plenty of this kind of information for sale on underground Web sites such as the Network Terrorism Forums.

"1700+ Feedback ebay account ... 90%+ positive," reads a for-sale posting dated November 2004 on the online criminal forum.


Online underworld

The purchase and sale of the spoils aren't the only ways that today's phishers are plugged in to the loosely organized online criminal underworld. All the tools one needs to become a phisher -- the e-mail come-ons, the fake Web sites and even spamming services to send the messages -- are for sale on online black markets.


The way that phishing e-mails and many other spam e-mails are sent is another example of the increasing organization and technical sophistication of online fraud. Ninety percent of phishing messages are sent using networks of personal computers whose owners have no idea what's going on, according to Cloudmark.


These armies of zombie computers, or "botnets," comprise as many as 100,000 zombie computers captured by Internet viruses, said David Thomas, section chief of the FBI's Computer Intrusion Section.

It used to be that hackers created e-mail viruses just to show off, and all they did was clog network traffic or, at worst, damage infected computers. But increasingly, according to Symantec, viruses are written to spread Trojans that put infected computers under the control of the virus sender.

The virus writers can then charge anywhere from $50 to $50,000 to send spam with their botnets, VeriSign's Silva said.


A wider net

In addition to getting trickier, phishers are widening their net. Smaller businesses, such as local credit unions, are being attacked in addition to big companies, said research firm TowerGroup. That's a concern because small companies don't have the resources of a Citibank or an eBay to defend themselves.


And phishing attacks are showing up on instant messenger programs, too, according to instant messenger software provider IMlogic.

In one case, a scam artist used Yahoo Messenger to lure people to a fake Web site where they were asked to provide their Yahoo user name and password. Then the attacker would have access to any information stored in the victim's profile and could pose as the victim in an instant message or an e-mail.


The best way to stay safe from phishers is to avoid giving out personal information in response to any e-mail message, experts say.

"Call the company on the telephone or log on to the Web site directly by typing in the Web address in your browser," advises the Anti-Phishing Working Group.

Some argue that financial institutions have the responsibility to come up with foolproof ways to identify themselves to customers.

But until that happens, people need to be vigilant about making sure they know whom they are communicating with.

"You wouldn't give someone who asked you on the street your credit card or Social Security number," said Matt Parrella, chief of the San Jose branch of the Northern California U.S. attorney's office.

--------------------------------------------------------------------------------

Phishing for victims
Phishing is the fastest growing form of online fraud. Here is how the scam generally works:

1. The crook sends you an e-mail that pretends to be from eBay, your bank or some other business.
2. The e-mail asks you to click on a link that leads to a Web site that looks legitimate but is bogus. Some of these e-mails and Web sites are indistinguishable from the real ones.
3. On the site, the unsuspecting consumer is lured into entering private information, such as a user name and password, credit card number or Social Security number.
4. The crook takes that information and uses it to commit fraud.
--------------------------------------------------------------------------------

Don't fall for the bait: How you can thwart phishers
Here are some tips on how to stay out of the phishers' net:

- A legitimate e-mail from the bank or another company where you have an account will generally include your name. "Dear customer" is a red flag.
- Don't e-mail personal or financial information. Legitimate firms don't ask for this information by e-mail.
- Don't follow a link in an e-mail to the company's Web site. Open a browser window and type in the company's address instead. If you're suspicious, call customer service.
- Regularly check your statements from bank and credit accounts for fraudulent transactions. Financial institutions will generally reimburse you if you were the victim of fraud.
- Avoid accessing online banking at a public Internet terminal, such as in a library. A thief may have installed software to capture the information of anyone who uses it.
- Check an e-mail's digital signature to ensure that it is authentic. The Anti-Phishing Working Group explains how at www.antiphishing.org
- Forward phishing e-mails to spam@uce.gov. If you believe you've been scammed, file your complaint at www.ftc.gov, then visit the FTC's Identity Theft Web site at www.consumer.gov to learn how to minimize your risk of damage from ID theft. Or call the FTC at (877) 382-4357.

--------------------------------------------------------------------------------

FILTERING FRAUD
E-mail filtering firms offer these tips for consumers to fight the 'phishing' scam:

•Don't trust e-mail headers, which can be forged easily.
•Avoid filling out forms in e-mail messages. You can't know with certainty where the data will be sent and the information can make several stops on the way to the recipient.
•Try not to click on links in an e-mail message from a company. Too many scam artists are making forgeries of companies' sites that look like the real thing.
•If you go to a link offered in an unsolicited e-mail, check to see if there is an 's' after the http in the address and a lock at the bottom of the screen. Both are indicators that the site is secure.
•If you want to do business online, don't click on an e-mail link. Go to the company's Web site yourself and fill out information there.
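The two tip lists above (the "Don't fall for the bait" list and the filtering firms' list) amount to a short checklist a mail filter or a careful reader can apply to any message: a generic greeting instead of your name, a request for passwords or card or Social Security numbers, a form embedded in the mail, links that are not https, and links whose real destination differs from the sender's domain or from the address the link text shows. The script below is an added example, not code from the article or from any of the firms it quotes; it applies those checks to two constructed sample messages. All hosts and addresses in the samples are placeholders, and the sender-domain comparison is only a cross-check, since the article notes that headers are easily forged.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages. Hosts and addresses are placeholders, not real sites.
PHISH_SAMPLE = """From: "Example Bank" <security@example-bank.com>
Subject: Verify your account
Content-Type: text/html

<p>Dear customer,</p>
<p>Please <a href="http://example-bank.com.login-verify.example/update">
click here</a> and confirm your password and Social Security number.</p>
<form action="http://collect.example/submit"><input name="password"></form>
"""

LEGIT_SAMPLE = """From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Dear Jane Doe,</p>
<p>Your statement is available. Visit
<a href="https://www.example-bank.com/statements">www.example-bank.com</a>
by typing the address into your browser.</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SENSITIVE_RE = re.compile(r"password|social security|credit card|account number", re.I)
GENERIC_GREETING_RE = re.compile(r"dear\s+(customer|member|user|valued)", re.I)


def sender_domain(msg):
    """Domain part of the From header (forgeable, so used only as a cross-check)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain.
    No public-suffix list is consulted; good enough for the constructed samples."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw):
    """Return the list of checklist items a message trips."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text/html sample, so this is a str
    hits = []
    if GENERIC_GREETING_RE.search(body):
        hits.append("generic greeting")
    if SENSITIVE_RE.search(body):
        hits.append("asks for sensitive data")
    if re.search(r"<form\b", body, re.I):
        hits.append("form embedded in e-mail")
    sender = registrable(sender_domain(msg))
    for href, text in ANCHOR_RE.findall(body):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            hits.append(f"non-https link: {href}")
        if sender and registrable(host) != sender:
            hits.append(f"link host {host} differs from sender domain {sender}")
        # If the link text itself looks like an address, it must match the real host.
        displayed = re.sub(r"<[^>]+>", "", text).strip()
        shown = urlparse(displayed if "://" in displayed else "//" + displayed).hostname
        if shown and "." in shown and shown.lower() != host:
            hits.append(f"link text shows {shown} but points to {host}")
    return hits


def is_suspicious(raw, threshold=2):
    """Flag a message once it trips at least `threshold` checklist items."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

The constructed phishing sample trips five of the checks (generic greeting, a request for sensitive data, an embedded form, a plain-http link, and a link host under a different registrable domain than the sender), while the constructed statement notice trips none. A threshold of two keeps a single stray match, such as a real bank mentioning "account number" in passing, from flagging an ordinary message on its own.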

RELATED:

• Federal Trade Commission
www.ftc.gov
• Identity Theft Resource Center
www.idtheftcenter.org

--------------------------------------------------------------------------------

Top phished firms
Here are the companies that phishers used the most in their scams in March:

EBay
Washington Mutual
PayPal
Charter One Bank
KeyBank
Bank of the West
International Bank of Asia
Huntington Bank
Bank of Oklahoma
North Fork Bank
The Chronicle


Related:

www.castlecops.com
irt@castlecops.com
wiki.castlecops.com



© 2006-2011 by GSO