From: silicon.com > software > security strategy

Cheat Sheet: Phishing

June 25 2004

by Will Sturgeon

Everything you need to know about these scams...

Phishing? Isn't that spelled wrong? Rods, reels, hook, line and sinker and all that...
'Hook, line and sinker' is strangely relevant but this has nothing to do with harvesting our rivers, lakes and oceans for fish - this is all about fraud and con artistry.


Go on... sounds 'phascinating'...
Very droll (the name is simply based on a hacker convention of rewriting words with 'f' as 'ph' - as in 'phone phreaking'). At its simplest level phishing is a case of con artists asking users for their bank account and other personal details and a user obliging.

You're not telling me it's that simple?
As the name suggests, it requires a little angling - a little invention on the part of the scammer. Typically they need to use 'social engineering techniques'.

Social engineering? Explain please.
Typically these scams involve a spoofed email - often claiming to be from a bank or a payment services company such as PayPal. Often they will say you need to confirm your account details by visiting a cleverly spoofed version of the company's website. It looks official - sometimes - but via these dummy pages victims are often surrendering a lot of very sensitive and important data.

So these are very clever scams?
They display varying degrees of sophistication. Some are plain text and clearly bogus, but others are very advanced and could pass for the real thing bar a few give-away signs, such as an inconsistent URL that looks genuine apart from a strange word or rogue character, which a user scanning the page with their eyes may not notice before assuming it to be genuine.
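The "strange word or rogue character" in a spoofed link is something a mail filter or browser helper can check for mechanically. The following is an added example, not code from the article or from MessageLabs: it takes the host of a link, reduces it to the part somebody would have to register, and compares that against a short list of domains the reader actually uses. The list `KNOWN_GOOD`, the digit-for-letter table and the second-level-label list are constructed assumptions for this example, not a full public-suffix table.

```python
# Added example (not from the article): a heuristic check that flags links
# whose host does not belong to a domain the user actually uses, catching
# the "rogue character" and "strange word" spoofs described above.
from urllib.parse import urlsplit
import unicodedata

# Constructed list of domains the user legitimately banks or trades with
# (assumption for this example).
KNOWN_GOOD = {"barclays.co.uk", "paypal.com", "ebay.com"}

# Digit-for-letter swaps commonly used in lookalike hostnames (constructed).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Second-level labels under which a two-letter country code carries another
# level (e.g. barclays.co.uk); deliberately short, not a public-suffix table.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that someone would have to register.

    Crude by design: 'x.co.uk'-style names count as three labels,
    everything else as two.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, known_good=KNOWN_GOOD) -> str:
    """Return 'ok', 'lookalike' or 'unknown' for the host in url."""
    host = urlsplit(url).hostname or ""
    # Fold compatibility forms (e.g. fullwidth letters) first; a host that is
    # still non-ASCII contains a character a genuine bank domain would not.
    host = unicodedata.normalize("NFKC", host)
    if not host.isascii():
        return "lookalike"
    reg = registrable_domain(host)
    if reg in known_good:
        return "ok"
    # Undo digit swaps and hyphen padding, then compare with each known domain;
    # a known brand name buried anywhere in an unknown host is also suspect.
    folded = reg.translate(CONFUSABLE).replace("-", "")
    for good in known_good:
        brand = good.split(".")[0]
        if folded == good.replace("-", "") or brand in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in (
        "https://www.barclays.co.uk/olb/login",          # genuine host
        "http://www.paypal.com.account-check.example/",  # brand as a subdomain
        "http://paypa1.com/verify",                      # digit for letter
        "http://www.p\u0430ypal.com/",                   # Cyrillic 'a'
        "http://news.example.org/",                      # unrelated site
    ):
        print(f"{classify_link(link):10} {link}")
```

The point of splitting the result into three classes is that "unknown" is not the same as "bad": a user should be told which links claim to be their bank but are not, while unrelated sites are simply left alone.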

Mark Sunner, CTO of MessageLabs, says: "Phishing scams are really quite sophisticated - it's high level social engineering and for individual users the financial losses can be huge."

Surely though you'd have to be a little foolish to be duped?
There is always going to be an element of gullibility about people who fall for these scams - but don't underestimate the sophistication.

A few have fooled large numbers of users - 30 million Americans were duped last year. But of course there are also people out there who fall foul of such ploys far too easily. Over the years there have been instances of people submitting details to spoofed banks they don't even bank with - simply because it looked official and there was some underlying threat that panicked them, often along the lines of 'Your account will be closed within seven days if you do not confirm the below information' when requesting name, date of birth, credit card number and similar details.

Who is being targeted?
The scammers aren't picky. Barclays, Citibank, NatWest, Lloyds TSB and Halifax are a few of the banks who have been used already. Auction sites such as eBay have also been used for phishing scams - though the idea there is slightly different.

So what do they do with the auction sites?
The scam will be emailed out to large lists of people asking them to confirm their eBay or QXL account details for example, because the database is being cleaned up, or some such excuse. Obviously a number of recipients will be members of popular sites such as eBay and many of those will be fooled. Once the scammers have people's IDs they can then log in as that person and start selling bogus goods - knowing any comebacks won't hit them.

How much of a problem is this?
It's a huge problem, for a number of reasons. The most obvious issue is that people who are falling for this kind of scam are often stung very badly financially. Phishing is now the fastest growing form of consumer theft. Then there is the fact that the bulk of phishing scam emails is adding to the general deluge of spam.

So give me some numbers.
According to MessageLabs, phishing has certainly reached plague proportions. In September 2003 the number of phishing emails encountered by MessageLabs was 279. By May this year - just eight months later - the company saw almost 250,000 of them.

Blimey! What's being done about this?
As with other scams there are processes in place for reporting these phishing emails. But essentially law enforcement agencies are attempting to stem a near impossible tide. You can find out more at the website of the National Criminal Intelligence Service.

Essentially though, education will prove more beneficial than legal means of prevention and prosecution. Banks in particular need to ensure their customers are informed of the risks and many now routinely contact customers to alert them to the threat of phishing scams and inform them of the legitimate ways they will try to contact them - so they can disregard all other approaches.

Banks are walking a tightrope of customer confusion and brand damage and those are risks they cannot take. Some even fear for the future of ecommerce as a whole.

...and we wouldn't want that...
Quite. So be on your guard and be suspicious of anything which asks for details you wouldn't normally submit via email or asks for them in a way that is new or alien to you and your bank.


Covert phishing scam lies in wait for its victim

November 03 2004

by Will Sturgeon

Low risk for now, but could be a sign of worse to come...

A phishing scam has been detected which doesn't even require users to click on a link in order to jeopardise their personal data while banking online. Simply opening the email may be enough.

Although MessageLabs, which discovered this new technique, says the fairly crude scam is very low risk and has not yet been seen in Europe, it is a worrying development which users and banks should be aware of.

When the email is opened a script runs which rewrites the hosts file of the targeted machine. The effect is that the next time the user attempts to access legitimate online banking at one of the targeted banks, the modified hosts file, which has been lying in wait for such a moment, redirects them to a fraudulent website which apes the site they were attempting to reach.

Alex Shipp, senior antivirus technologist at MessageLabs, said: "This script silently modifies the users' machines and creates this vulnerability. The next time the user goes to bank online, that's when it will get them."

So far the company has only intercepted a relatively small number of these new phishing emails in South America, where they are targeting three Brazilian banks, but as ever with malicious activity online any success will likely see the scams spread to new territories.

Shipp said this first iteration of such a covert phishing technique will only affect users who have Windows Script Host enabled and certain ActiveX controls, and he believes the majority of users with up-to-date patches, or the most recent versions of Outlook, where such features are switched off as standard, will be protected.
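Because the rewrite described above leaves a persistent entry in the hosts file rather than anything in the mail itself, the defender's counterpart is an integrity check of that file. The following is an added example, not code from the article or from MessageLabs: it parses hosts-file text and reports any watched banking name that resolves to something other than a loopback address. The `WATCHED` domains and the `SAMPLE_HOSTS` contents are constructed for this example; the Windows path is the standard location of the file, and the check returns nothing if the file is not present.

```python
# Added example (not from the article or MessageLabs): parse a hosts file
# and report any watched banking domain that has been pointed somewhere
# other than loopback, which is the effect of the rewrite described above.
import ipaddress
from pathlib import Path

# Domains whose local resolution we care about (constructed for this example).
WATCHED = {"bank.example", "www.bank.example", "paypal.com"}

# Constructed sample of a tampered hosts file; 203.0.113.0/24 and 192.0.2.0/24
# are documentation ranges standing in for the fraudulent server.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank.example bank.example   # injected entry
192.0.2.7       paypal.com
10.0.0.5        intranet.example
"""

# Where Windows keeps the file that the article's script rewrites.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                    # one line may carry several names
            yield ip, name.lower()


def find_hijacks(text, watched=WATCHED):
    """Return [(hostname, ip), ...] for watched names not mapped to loopback."""
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))           # malformed address: still report it
            continue
        if not addr.is_loopback:
            hits.append((name, ip))
    return hits


def check_hosts_file(path=WINDOWS_HOSTS, watched=WATCHED):
    """Read a real hosts file and return its hijack entries (empty if absent)."""
    p = Path(path)
    if not p.exists():
        return []
    return find_hijacks(p.read_text(errors="replace"), watched)


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"WARNING: {name} resolves locally to {ip}")
```

A legitimate hosts file should never name a bank at all, so on a fleet the same routine can simply alert on any watched name appearing, whatever the address; the loopback exemption is kept here only so that deliberate sinkholing to 127.0.0.1 is not reported.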

But it is the general trend which is causing the most concern.

"Perhaps Brazil was targeted by this first, fairly basic email because the writers knew there were a large number of unpatched PCs there, but the worry is that this could become more advanced," said Shipp, warning that future iterations of such a scam may employ JavaScript or similar means to create such a vulnerability on users' machines.

MessageLabs is currently detecting between 80 and 100 new phishing websites every day.

Phishing is fastest growing form of consumer theft

June 16 2004

by Matt Hines

Nearly two million Americans duped last year…

Illegal access to bank accounts, often gained via technology-borne schemes such as "phishing," has grown into the fastest growing form of consumer theft in the US, according to Gartner.

Gartner's numbers show roughly 1.98 million people reported their checking accounts were breached in some way during the last year. Crimes such as phishing, whereby criminals use misleading email and websites to dupe individuals into sharing personal data like passwords, accounted for a staggering $2.4bn in fraud, or an average of $1,200 per victim, during the last 12 months.

The latest numbers confirm a report published by Gartner in May that highlighted the rapid growth of the phishing phenomenon. In that study, the research company concluded 57 million consumers in the US had received a phishing email during the prior year. One of the most common phishing campaigns being waged has targeted users of web auction giant eBay and its PayPal payment-services division, with financial services giant Citibank serving as another popular target.

Avivah Litan, the Gartner analyst who conducted the new research, said phishing is not the only major security problem opening consumers to possible crimes.

The analyst believes that so-called keystroke logging, or the practice of using spyware to record all the characters a computer user types into his machine, is also growing rapidly. Security software company Webroot claims its own research shows that nearly one in every three PCs harbours some kind of keystroke-logging software.

"There are great controls for other types of fraud at the banks, and credit card companies are very good at keeping an eye out for improper behavior, but there is no way to directly address phishing or keyboard logging as of yet," Litan said. "Someone needs to introduce the kind of back-end software necessary for preventing this sort of activity; that would make a difference."

As the online banking, shopping and payment industries have grown, so too have the methods used by thieves to trick unsuspecting consumers into giving away password and account data. Those most often targeted are people who have just begun to utilise online accounts to do business. Gartner reported that of the four million consumers who encountered fraud last year when opening a new online account, approximately half said they also received a phishing email.

Gartner said that bank account attacks ranked second only to physical credit card thefts in its study, which polled 5,000 people and was based on a 12-month period ending in April 2004. The research examined five types of consumer fraud: new account fraud, check forgery, unauthorised access to checking accounts, illegal credit card purchases and fraudulent cash advances on credit cards.

Litan said technology offers an attractive vehicle for criminals, because it allows them to ply their illegal trades without ever encountering their victims in person.

"The solution is in building stronger consumer authentication tools, in order to help service providers like banks build tighter links with consumers," Litan said. "We need Caller ID for the internet."

The analyst, who said she endured her own brush with criminals when someone stole her personal information and used it to make purchases on a debit card, suggested that a simple way for companies to create safer bonds with customers is to require that they answer multiple questions when logging into a site.

In addition to phishing e-mail campaigns, spyware launched via pop-up advertisements or Web sites also remains a serious threat. For instance, an Internet surfer tricked into visiting a certain Web site laced with spyware, or software that gathers information about people without their knowledge, can then have that person's password or verification information tracked and stolen.

Matt Hines writes for CNET News.com