Just as people are getting wise to e-mail scams that try to trick
them into giving up personal information, the con artists behind them
are becoming craftier.
These online swindlers, known as phishers because they fish for
people's private data to commit fraud or steal their identity, are
using new technical tricks that can fool even experienced Internet
users.
"The attackers are much more sophisticated than we've ever
seen before," said Karl Jacob, chief executive of San Francisco
anti-spam firm Cloudmark, which monitors and fights phishing.
At the same time, phishing is growing faster than any other online
threat, security companies warn. The number of unique phishing e-mail
attacks increased by 1,400 percent in 2004, according to MailFrontier,
a Palo Alto e-mail security company.
Phishers have stolen $300 million to $400 million in the past year
through unauthorized bank account transfers, estimates Avivah Litan,
an analyst with research firm Gartner. The banks generally end up
reimbursing customers for those losses.
Dan Hubbard, head of security labs for San Diego's Websense, called
phishing the perfect crime.
"Clearly there is quite a bit of money to be made," he
said. "Also, it is very easy to do. Basically, with a PC and
Internet connection and a little smarts, you can create an attack.
Finally and most importantly, it's very difficult to catch the
people."
The growing sophistication and volume of phishing attacks come at a
time when more Americans than ever are taking their finances online. A
quarter of all adults, or 44 percent of Internet users, now use
Internet banking, according to the Pew Internet American Life Project.
A phishing attack typically goes like this: A user receives an
e-mail claiming to be from the person's bank, credit card company or
other business. The message urges the user to click on a link in order
to verify his or her account information. The link leads to a Web site
that looks legitimate but isn't. There, the user enters private data
-- like a password, credit card or Social Security number -- which the
scammer steals.
In the past, many phishing e-mails contained misspelled words and
contorted phrasing -- telltale signs of something suspicious. Now,
many phishers have perfected the text and images in their e-mails and
Web sites to look professional and realistic.
That's only the beginning of the deception.
Savvy Internet users once could determine if the Web site was a
fake by checking the address to see if it looked unusual. But during
the past few months, phishers have used programming tricks to hide the
true address of the site they send you to, said Andrew Klein,
MailFrontier product manager.
In one new trick, the scammer blocks the address window of the fake
Web site by creating a long, narrow pop-up window that sits right over
it. So when the victim receives an e-mail purportedly from Citibank
and clicks on the link, he ends up on a site that may have the address
www.fakecitibank.com, but it
appears that the site's address is the legitimate www.citibank.com.
Masking the site
In another ruse, clicking on the link in the scam e-mail can send
the user to Citibank's real Web site, but an extra pop-up window will
float in front of the page, asking for your account information. In
this case, the Web site is legitimate, but the pop-up window -- where
the consumer enters his user name and password -- is bogus.
Some phishers have even hacked companies' real Web sites in order
to redirect users from a page on the legitimate site to a fake site.
According to British Internet security company Netcraft, Citizens
Bank, Visa, MasterCard and SunTrust have all been victims of this kind
of hack in the past four months. All the institutions quickly fixed
the security flaw, Netcraft spokesman Paul Mutton said.
"These guys are much better than I thought," said
Stratton Sclavos, chief executive of Mountain View security company
VeriSign, in a recent interview. VeriSign secures Web sites and
monitors Internet transactions for fraud.
Some phishing e-mails can steal your account information even if
you don't type it in. These e-mails come with an unseen program
attached to them. When the recipient clicks on a link or possibly just
opens the e-mail, a Trojan horse program is downloaded to the person's
computer.
The program runs quietly in the background until the user visits a
bank or some other password-protected site. Then it records the
account number and password and sends them to the thief who sent the
e-mail.
The Anti-Phishing Working Group warned this month of another
tactic, known as pharming, in which hackers redirect victims to a scam
site when the real Web site of a bank or other business is typed in.
In this trick, there is no e-mail at all -- it's like you're kidnapped
on the way to your bank and taken to a fake bank that looks real.
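One way a machine can be quietly re-routed in the manner the article describes is an edited hosts file, which the resolver consults before it asks DNS; the mechanism is not named in the article, and the audit below is an added example, not code from the article or any company it quotes. It parses hosts-file text and reports any watched domain pinned to an address other than loopback. The watch list, the addresses and the hosts content are all constructed samples.

```python
"""Audit hosts-file contents for overrides of watched domains.

Added example (not from the article). The resolver reads the hosts file
before DNS, so a line mapping a bank's name to an attacker's address sends
the user elsewhere even when the real address is typed. All domains and
addresses below are constructed; the watch list is hypothetical.
"""
import ipaddress

WATCHED = ("bank.example", "auction.example")  # hypothetical watch list

# Constructed hosts-file contents, including two tampered entries.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# added by installer
198.51.100.23  www.bank.example bank.example
192.0.2.10     www.auction.example
127.0.0.1      ads.example   # local ad block, not watched
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def _is_watched(name):
    """True when name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def find_overrides(text):
    """Return (hostname, ip, reason) for every suspicious watched entry."""
    findings = []
    for ip, name in parse_hosts(text):
        if not _is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if not addr.is_loopback:
            findings.append((name, ip, "watched host pinned to non-loopback address"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in find_overrides(SAMPLE_HOSTS):
        print(f"{host:25} -> {ip:15} {reason}")
```

On a real system the text would come from /etc/hosts or the Windows equivalent; a loopback mapping of a watched name is tolerated here because local blocking lists use it, while any other address for a bank or auction host is worth investigating.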
'Beyond your control'
When the scams get this good, it's no surprise that people who
thought they knew what they were doing online sometimes fall victim,
Gartner researcher Litan said.
"You're not really falling for it," she said. "It's
beyond your control."
The advances in phishing are an example of how the line is blurring
between hackers and common criminals. Traditionally, hackers exploited
software vulnerabilities out of curiosity, not for profit. But now
people with hacking skills are increasingly using them for profit, and
criminals are picking up technical tricks.
"These aren't the old-style hackers who were doing a lot of
this for entertainment," said Ken Silva, vice president of
network and security at VeriSign. "There's actually money to be
made" on the Internet now.
According to Gartner, 41 percent of American adults on the Internet
believe they have received phishing e-mails. Some people who respond
to these e-mails -- like Marty Hogan of Hercules -- quickly realized
their mistake and took action to prevent it from leading to identity
theft.
Flagging credit reports
Hogan, a landscape architect for Caltrans, had already typed in his
Social Security number and hit send on a purported eBay account
confirmation page when he realized that eBay probably would not ask
for that information. He contacted all three credit reporting agencies
and flagged his credit reports so that no one could open a new credit
account in his name without contacting him.
He was notified by the agencies of several attempts to get
information about him, which were turned down. He says those attempts
may have been made by the person or people who stole his Social
Security number. Having flags on his credit reports did make it
inconvenient for him to get a mortgage when he later bought a home,
Hogan said.
Many people are not so lucky. Gartner's survey found that those who
said they had received a phishing e-mail were three times more likely
to be victims of identity theft than others.
Identity theft, when someone applies for credit in your name, isn't
the only goal of phishers. Richard Knapp, a Mill Valley antiques
dealer, fell prey to a phisher who used his AOL account to send out
pornographic spam.
Within hours after he had responded to the phisher's request for
his account information, "I started getting some very vitriolic
e-mails from irate females," he said. "It was a good thing
there was a phone line between us because otherwise I would probably
be skewered."
Another tactic is to get the victim's eBay name and password to
conduct fraudulent auctions. That's what Francisco Chacin of Hialeah,
Fla., did in 2002 and 2003, according to legal documents.
Chacin was sentenced in May to 30 months in federal prison for
offering items he did not have for sale on eBay, using accounts he got
through phishing. He collected the money for the auctions but never
delivered merchandise.
Chacin also sold or tried to sell eBay account information he got
through phishing to other would-be thieves on the Internet, according
to legal documents. There is plenty of this kind of information for
sale on underground Web sites such as the Network Terrorism Forums.
"1700+ Feedback ebay account ... 90%+ positive," reads a
for-sale posting dated November 2004 on the online criminal forum.
Online underworld
The purchase and sale of the spoils aren't the only ways that
today's phishers are plugged in to the loosely organized online
criminal underworld. All the tools one needs to become a phisher --
the e-mail come-ons, the fake Web sites and even spamming services to
send the messages -- are for sale on online black markets.
The way that phishing e-mails and many other spam e-mails are sent
is another example of the increasing organization and technical
sophistication of online fraud. Ninety percent of phishing messages
are sent using networks of personal computers whose owners have no
idea what's going on, according to Cloudmark.
These armies of zombie computers, or "botnets," comprise
as many as 100,000 zombie computers captured by Internet viruses,
said David Thomas, section chief of the FBI's Computer Intrusion
Section.
It used to be that hackers created e-mail viruses just to show off,
and all they did was clog network traffic or, at worst, damage
infected computers. But increasingly, according to Symantec, viruses
are written to spread Trojans that put infected computers under the
control of the virus sender.
The virus writers can then charge anywhere from $50 to $50,000 to
send spam with their botnets, VeriSign's Silva said.
A wider net
In addition to getting trickier, phishers are widening their net.
Smaller businesses, such as local credit unions, are being attacked in
addition to big companies, said research firm TowerGroup. That's a
concern because small companies don't have the resources of a Citibank
or an eBay to defend themselves.
And phishing attacks are showing up on instant messenger programs,
too, according to instant messenger software provider IMlogic.
In one case, a scam artist used Yahoo Messenger to lure people to a
fake Web site where they were asked to provide their Yahoo user name
and password. Then the attacker would have access to any information
stored in the victim's profile and could pose as the victim in an
instant message or an e-mail.
The best way to stay safe from phishers is to avoid giving out
personal information in response to any e-mail message, experts say.
"Call the company on the telephone or log on to the Web site
directly by typing in the Web address in your browser," advises
the Anti-Phishing Working Group.
Some argue that financial institutions have the responsibility to
come up with foolproof ways to identify themselves to customers.
But until that happens, people need to be vigilant about making
sure they know whom they are communicating with.
"You wouldn't give someone who asked you on the street your
credit card or Social Security number," said Matt Parrella, chief
of the San Jose branch of the Northern California U.S. attorney's
office.
Phishing for victims
Phishing is the fastest growing form of online fraud. Here is how
the scam generally works:
1. The crook sends you an e-mail that pretends to be from eBay,
your bank or some other business.
2. The e-mail asks you to click on a link that leads to a Web site
that looks legitimate but is bogus. Some of these e-mails and Web
sites are indistinguishable from the real ones.
3. On the site, the unsuspecting consumer is lured into entering
private information, such as a user name and password, credit card
number or Social Security number.
4. The crook takes that information and uses it to commit fraud.
Don't fall for the bait: How you can thwart phishers
Here are some tips on how to stay out of the phishers' net:
- A legitimate e-mail from the bank or another company where you
have an account will generally include your name. "Dear customer"
is a red flag.
- Don't e-mail personal or financial information. Legitimate firms
don't ask for this information by e-mail.
- Don't follow a link in an e-mail to the company's Web site. Open
a browser window and type in the company's address instead. If you're
suspicious, call customer service.
- Regularly check your statements from bank and credit accounts for
fraudulent transactions. Financial institutions will generally
reimburse you if you were the victim of fraud.
- Avoid accessing online banking at a public Internet terminal,
such as in a library. A thief may have installed software to capture
the information of anyone who uses it.
- Check an e-mail's digital signature to ensure that it is
authentic. The Anti-Phishing Working Group explains how at
www.antiphishing.org/smim-dig-sig.htm
- Forward phishing e-mails to spam@uce.gov.
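The four-step scam outline above and the tip list can be turned into a simple triage check. The script below is an added example, not code from the article or from any group it cites; it parses a message with Python's standard email library and flags the signs the tips name: a generic greeting in place of the customer's name, a request for account details, and a link whose visible text names one site while its href points somewhere else. Both messages and every domain in them are constructed samples under the reserved .example names.

```python
"""Heuristic phishing e-mail triage (added example, not from the article).

Flags the warning signs from the tip list: generic greeting, request for
sensitive data, and a link whose visible text disagrees with its target.
All messages and domain names are constructed samples.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear valued customer", "dear member",
                     "dear user", "dear account holder")
# Word-bounded so that e.g. "typing" does not match "pin".
SENSITIVE_RE = re.compile(
    r"\b(social security|password|card number|account number|pin)\b")

# Constructed sample: spoofed sender, generic greeting, disguised link.
PHISH_SAMPLE = """\
From: Online Banking <security@bank.example>
To: customer@mail.example
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. Please confirm your password and
Social Security number within 24 hours at
<a href="http://bank-verify.example.net/login">www.bank.example</a>.</p>
</body></html>
"""

# Constructed sample of a benign notice: named recipient, no link.
LEGIT_SAMPLE = """\
From: Online Banking <notices@bank.example>
To: customer@mail.example
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Pat Lee,</p>
<p>Your statement is available. Sign in by entering our address into
your browser as usual.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude last-two-labels domain; adequate for these sample names."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_message(raw):
    """Return {'suspicious': bool, 'reasons': [...]} for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    sender_host = msg["From"].addresses[0].domain if msg["From"] else ""
    sender_domain = registrable_domain(sender_host)
    reasons = []
    if any(g in plain for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if SENSITIVE_RE.search(plain):
        reasons.append("asks for sensitive data")
    for visible, href in extract_links(html):
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", visible.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(href_host):
            reasons.append(f"link text {visible!r} hides {href_host}")
        elif sender_domain and registrable_domain(href_host) != sender_domain:
            reasons.append(f"link to {href_host} outside sender domain")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyze_message(sample))
```

Two or more signs together mark a message as suspicious; a single one is reported but not acted on, since a real notice can also omit the customer's name. The sender domain is taken from the From header only to compare link targets against it; the header itself is trivially forged, which is why the visible-text-versus-href check carries the most weight.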
If you believe you've been scammed, file your complaint at www.ftc.gov,
then visit the FTC's Identity Theft Web site at www.consumer.gov/idtheft
to learn how to minimize your risk of damage from ID theft. Or call
the FTC at (877) 382-4357.
Top phished firms
Here are the companies that phishers used the most in their scams
in March:
EBay
Washington Mutual
PayPal
Charter One Bank
KeyBank
Bank of the West
International Bank of Asia
Huntington Bank
Bank of Oklahoma
North Fork Bank
The Chronicle