To succeed in any line of work you have to be inventive and stay ahead of the game. It is no different for Internet scammers. They have been seizing their rods and ‘going phishing’ and this phishing rarely allows the big ones to get away. Here we see the Bonnie & Clyde versions of the digital age and some of the biggest multi-national companies like Citibank and Visa International, Ebay and PayPal have all been targeted.
The FBI called phishing one of the “hottest and most troubling scams on the Internet”.
Many scams are started by small time hackers, just flexing their muscles on the Web. But phishing has moved into the ‘big boys’ league, as more and more of these attacks are now being linked to highly sophisticated criminal syndicates, in areas as widely spread as Europe and Asia.
“Phishing is motivated purely by financial fraud and gain. And organized crime is now just using the Internet as one pillar alongside gambling and human trafficking,” said D.K. Mata, founder of mi2g, a British-based security firm.
What is Phishing? It is a high-tech scam where hackers (the phishers), posing as legitimate companies, send out spam e-mails (the bait) and try to fool the e-mail recipient, (the fish) into volunteering passwords, personal and financial data and other sensitive information.
If the recipient responds with the requested information, he has unwittingly become the victim of fraud and has then been ‘phished’. The information goes not to the legitimate company, but straight into the hands of the scammer. This is then used to raid bank accounts, obtain new credit cards, order goods and services online and play havoc with personal credit ratings. Bottom line, these scammers are stealing identities.
Those banks, credit card companies and e-commerce sites already targeted so far, have dismissed the costs of these phishing scams as negligible. But mi2g, estimated that total costs to companies back in 2003 ran to as high as $5 billion. This takes into account customer and productivity losses, business interruptions and damage control to reassure the millions of apprehensive customers and victims already targeted.
So how do they do it? According to the Federal Trade Commission (FTC), these phishers target customers of businesses which deal with online payment, i.e. Internet service providers, shopping sites and banks.
The e-mails sent out appear to be 100% legitimate but, as ever, appearances can be deceptive. Both the initial e-mails and sites to which they try to link you are only dummy copies – perfect look-alikes in every way. Easily achieved by those with the know how, everything can be forged, from a company logo to a replica site with an apparently authentic return address.
Even the address you see in the window can be made to match a legitimate URL. This is made possible by a bug in the Internet Explorer browser and the way in which URLs are displayed in the address bar.
Simply put, the browser is unable to display the special character ‘%01’, or anything that follows the web address. So, where as previously you would have been able to check the authenticity of the address in the bar before you entered sensitive information, this bug has made that impossible.
In the hands of a hacker with knowledge of URL obfuscation techniques, it is easy to change an obvious fake address such as ‘www.lookalikes’ ‘firstname.lastname@example.org/login/login.htm’ into the undetectable counterfeit ‘www.citibank.com’.
These e-mails warn that fraudulent activity has been detected in connection with the company’s accounts. You are urged to click on a link and check your account balances, to ‘update’ or ‘validate’ their billing information in order to keep your account active. With a heavy dose of irony, these bogus e-mails may even urge you to report any signs of fraud.
The following is an example of a phishing e-mail that arrived in my inbox even as I was writing this. This is a simplified format compared to others, but a hoax nevertheless and not hard to spot as I do not own a Visa credit card!
Subject: Visa Security Update
We were informed that your card is used by another person or stolen. It could happen if you have been shopping on-line, and someone got your “Billing information” including your card number. To avoid and prevent any billing mistakes and to refund your credit card, it is strongly recommended to precede filling in the secure form on our site and applying for our Zero Liability program. Program is free and it will help us to investigate this accident as soon as possible. Sincerely yours,
Visa Support Assistant, Alwin Desagun.
This particular e-mail plus many others can be found at www.antiphishing.org/apwg.htm. A good place to check if you unsure.
If these hoax e-mails are so sophisticated how will you be able to spot them? By now the alarm bells in your mind will be ringing and you might be thinking that Money Plus The Internet Equals A Dangerous Equation.
Generally if an e-mail doesn’t sound right, look right or smell right there is a good chance that it isn’t right. Common sense can go along way here.
Stick to some basic guidelines and you should have less chance of falling hook, line and sinker for these scams.
- Remember that NO reputable business would ever ask you to update or change sensitive and private information via e-mail or online. It would be done in person or over the phone.
- E-mails that bear dire warnings and request sensitive information, right down to your inside leg measurements, are scams. Do not reply via the e-mail, instead contact the company by phone or by personally typing in the genuine URL address.
- Never send personal or financial information via e-mail. If you are submitting financial information on a Web site, check first for space the “lock” icon on the browser’s status bar. It indicates that your information is secure during transmission.
• Check credit card and bank account statements for any discrepancies as soon as you receive them. Call your credit card company immediately if something looks amiss. Likewise if your statement is late by more than a couple of days, call to confirm your billing address and account balances.
How are companies fighting back? EBay and Citibank have posted tips and examples of fraudulent e-mails on their Web sites, to help customers identify them. PayPal, one of the first targeted, are offering an extra level of security through a verification system.
Visa International is going one step further. Not only are they buying all Visa-related domain names in the regions in which they operate, but by using Web crawler technology, they are hunting out and shutting down hoax sites carrying their logos and text.
Visa International has also set up the site www.mymoneyskills.com to inform and educate consumers.
Who is going to stop it? The IE bug was discovered, not by a Microsoft security expert, but by a British 18 year old Graphic Designer, alias “Zap the Dingbat”. He publicly ‘outed’ it on his personal website on 9th December 2003.
It took scammers a full week to begin taking advantage of the bug and from then on the problem snowballed. One month after its discovery it was still a free-for-all, for every hacker in the cyber world. Microsoft have since released a patch (a virtual plaster) to resolve the issue, however it does not seem to have contained the problem, as the Web is still rife with phishing e-mails.
To make matters worse, many people tend not to keep their software up-to-date. This leaves their computers exposed and vulnerable to hackers. Using pirated software gives the user even less or no protection at all, as many of these illegal copies are unable to benefit from the updates released.
Anti-virus and anti-spam companies are also adding additional filters to their programmes in an effort to target these e-mails. GIANT, an anti-spam software company, claims that ‘Spam Inspector 4.0’ has ’a unique ‘Phishing Hole Filter’, preventing these potentially fraudulent e-mails from making it to your inbox.
One step towards solving the problem, says Jevans, Chairman of the Anti-Phishing Working Group, is to use digital signatures on e-mails, as they are harder to fake. Further down the line, tougher, biometric security measures might well be called into play. Combinations of fingerprint or iris scans, with a password or Smartcard, might well become the norm when accessing accounts and conducting online transactions.
Sweeping changes will need to be developed first and then implemented, and this will take both time and money.
To date, only one U.S. federal case of ‘phishing’ has been settled. A teenager posing as AOL, sent hoax e-mails to the company’s customers, asking for their billing details. Using the information gained he went on an online shopping spree and opened accounts with PayPal. When brought to court in July 2003 he was ordered to repay the $3,500 of his ‘ill-gotten gains’ and barred from sending any further spam.
Today, the FTC is working alongside the FBI and the Justice Department on a number of other phishing cases, although no others have yet been settled.
With every new advance in technology there will be those who hijack this progress and use it for their own means. The struggle to maintain Web security will be an on-going task, whether aired in the public arena or behind locked doors. It is, therefore, imperative that Web users acquire a little more Internet savvy and learn to take more control.
After all, the first line of defence for a computer is its user.
: : : : : : : : : : :