silicon.com > software > security strategy
Cheat Sheet: Phishing
June 25 2004
by Will Sturgeon
Everything you need to know about these scams...
Phishing? Isn't that spelled wrong? Rods, reels, hook, line and sinker and all that...
'Hook, line and sinker' is strangely relevant but this has nothing
to do with harvesting our rivers, lakes and oceans for fish - this is all about fraud and con artistry.
Go on... sounds 'phascinating'...
droll (the name is simply based on a hacker convention of rewriting words with 'f' as 'ph' - as in 'phone phreaking'). At
its simplest level phishing is a case of con artists asking users for their bank account and other personal details and a
You're not telling me it's
As the name suggests it requires a little angling - a little invention on the part of the scammer. Typically
they need to use 'social engineering techniques'.
Social engineering? Explain
Typically these scams involve a spoofed email - often claiming to be from a bank or a payment services company
such as PayPal. Often they will say you need to confirm your account details by
visiting a cleverly spoofed version of the company's website. It looks official - sometimes - but via these dummy pages victims
are often surrendering a lot of very sensitive and important data.
So these are very clever
They display varying degrees of sophistication. Some are plain text and clearly bogus but some are very advanced
and could pass for the real thing bar a few give-away signs - such as an inconsistent URL which looks genuine bar a strange word
or rogue character that the user may not notice when scanning the page with their eyes and assuming it to be genuine.
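One way a mail filter or a cautious user can turn the 'inconsistent URL' give-away into an automatic check is to pull every link out of the message and compare its host against the domains the brand actually owns. The script below is an added example, not code from the article or from MessageLabs; the brand allow-list, the look-alike character table and the sample email body are all constructed for illustration.

```python
"""Flag links in an email whose host merely resembles a bank's or a payment site's.

Added example (not from the silicon.com article). KNOWN_BRANDS, LOOKALIKES
and SAMPLE_EMAIL below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: brand name -> the registrable domains it really uses.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.co.uk"},
    "barclays": {"barclays.co.uk"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Characters a scammer swaps in for letters, mapped back to the letter they imitate.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def registrable_domain(host: str) -> str:
    """Crude last-two-labels rule, with a special case for UK-style second-level domains."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str):
    """Return ('genuine'|'suspicious'|'unknown', brand) for one hostname."""
    host = host.lower()
    # A bare IP address in a link claiming to be a bank is itself a warning sign.
    if IPV4_RE.fullmatch(host):
        return "suspicious", None
    domain = registrable_domain(host)
    normalised = host.translate(LOOKALIKES)   # 'paypa1.com' -> 'paypal.com'
    for brand, domains in KNOWN_BRANDS.items():
        if domain in domains:
            return "genuine", brand
        if brand in host or brand in normalised:
            return "suspicious", brand
    return "unknown", None


def find_suspicious_links(body: str):
    """Return (url, brand) for every link in the body that impersonates a known brand."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict, brand = classify_host(host)
        if verdict == "suspicious":
            findings.append((url, brand))
    return findings


# Constructed sample message in the style the article describes.
SAMPLE_EMAIL = """Dear customer, your account will be closed within seven days unless you confirm
your details at http://www.paypal.com.account-update.example/login
Genuine help is at https://www.paypal.com/help and https://www.ebay.co.uk/
Alternative mirror: http://paypa1.com/confirm or http://192.0.2.10/ebay/
"""

if __name__ == "__main__":
    for url, brand in find_suspicious_links(SAMPLE_EMAIL):
        print(f"suspicious link {url!r} (imitates {brand or 'no known brand, bare IP'})")
```

The check deliberately keys on the registrable domain rather than on whether the brand name appears anywhere in the host, because 'paypal.com.account-update.example' contains the genuine name as a subdomain while belonging to someone else entirely; the digit-for-letter table catches the 'rogue character' variant the article mentions.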
Mark Sunner, CTO of MessageLabs, says:
"Phishing scams are really quite sophisticated - it's high level social engineering and for individual users the financial
losses can be huge."
Surely though you'd have to be a little foolish to be duped?
There is always going to be an element of gullibility about people who fall for
these scams - but don't underestimate the sophistication.
A few have fooled large numbers of users
- 30 million Americans were duped last year. But of course there are also people out there who fall foul
of such ploys far too easily. Over the years there have been instances of people submitting details to spoofed banks they
don't even bank with - simply because it looked official and there was some underlying threat that panicked them, often along
the lines of 'Your account will be closed within seven days if you do not confirm the below information' when requesting name,
date of birth, credit card number and similar details.
Who is being targeted?
scammers aren't picky. Barclays, Citibank, NatWest, Lloyds TSB and Halifax are a few of the banks who have been used already.
Auction sites such as eBay have also been used for phishing scams - though the idea there is slightly different.
So what do they do with the auction sites?
The scam will be emailed out to large lists of people asking them to confirm their eBay or QXL account
details for example, because the database is being cleaned up, or some such excuse. Obviously a number of recipients will
be members of popular sites such as eBay and many of those will be fooled. Once the scammers have people's IDs they can then
log in as that person and start selling bogus goods - knowing any comebacks won't hit them.
How much of a problem is
It's a huge problem, for a number of reasons. The most obvious issue is that people who are falling for this
kind of scam are often stung very badly financially. Phishing is now the fastest growing form of consumer theft. Then there is the fact that the bulk of phishing scam emails
is adding to the general deluge of spam.
So give me some numbers.
to MessageLabs, phishing has certainly reached plague proportions. In September 2003 the number of phishing emails encountered
by MessageLabs was 279. By May this year - just eight months later - the company saw almost 250,000 of them.
Blimey! What's being done
As with other scams there are processes in place for reporting these phishing emails. But essentially law
enforcement agencies are attempting to stem a near impossible tide. You can find out more at the website of the National Criminal Intelligence Service.
Essentially though, education will prove more beneficial than legal means of prevention and prosecution.
Banks in particular need to ensure their customers are informed of the risks and many now routinely contact customers to alert
them to the threat of phishing scams and inform them of the legitimate ways they will try to contact them - so they can disregard
all other approaches.
Banks are walking a tightrope of customer confusion and brand damage and those are risks they cannot take. Some even fear for the future of ecommerce as a whole.
...and we wouldn't want
Quite. So be on your guard and be suspicious of anything which asks for details you wouldn't normally submit
via email or asks for them in a way that is new or alien to you and your bank.
Covert phishing scam lies in wait for its victim
by Will Sturgeon
Low risk for now, but could be a sign of worse to come...
phishing scam has been detected which doesn't even require users to click on a link in order to jeopardise their personal
data while banking online. Simply opening the email may be enough. 12:29 AM 1/13/2005
who discovered this new technique, is saying the fairly crude scam is very low risk and not yet seen in Europe, it is a worrying
development which users and banks should be aware of.
When the email is opened a script is run which rewrites the hosts file of targeted machines. The
effect of this is that the next time they attempt to access legitimate online banking, at one of the targeted banks, the new entry,
which has been lying in wait for such a moment, redirects the user to a fraudulent website which apes the site they were
attempting to legitimately access.
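Because the redirect lives in the hosts file rather than in the email, a bank's domain should never appear there at all, which makes the tampering easy to audit. The script below is an added example, not code from the article or from MessageLabs; the watched bank domains and the sample hosts-file text are constructed, and on a real machine you would read the system hosts file instead of the embedded sample.

```python
"""Detect hosts-file entries that hijack online-banking domains.

Added example, not code from the article or from MessageLabs. WATCHED_DOMAINS
and SAMPLE_HOSTS are constructed; a real audit would read the system hosts
file (e.g. /etc/hosts, or drivers\\etc\\hosts under the Windows system directory).
"""
import ipaddress

# Constructed watch-list: banking hostnames that must never be resolved locally.
WATCHED_DOMAINS = {"onlinebanking.example-bank.com", "secure.example-bank.com.br"}


def is_watched(name: str, watched=WATCHED_DOMAINS) -> bool:
    """True if name is a watched domain or any subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed address, not a mapping
        for name in parts[1:]:
            yield ip, name.lower(), line_no


def find_hijacks(text: str, watched=WATCHED_DOMAINS):
    """Return every watched name the hosts file would resolve itself.

    kind is 'redirect' when the entry points at a routable address (the phishing
    case) and 'blocked' when it points at loopback or 0.0.0.0 (denial of access).
    """
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        hits.append({"line": line_no, "name": name, "ip": str(ip), "kind": kind})
    return hits


# Constructed sample: a normal localhost line plus two appended malicious lines.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
# lines below imitate what the script described in the article would append
198.51.100.7    onlinebanking.example-bank.com www.onlinebanking.example-bank.com
198.51.100.7    secure.example-bank.com.br
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['name']} -> {hit['ip']} ({hit['kind']})")
```

The same parser can be pointed at the live file on a schedule; any hit is actionable, since neither a redirect nor a block of a bank's hostname has a legitimate reason to be there.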
Alex Shipp, senior antivirus technologist at MessageLabs, said: "This script silently modifies the
users' machines and creates this vulnerability. The next time the user goes to bank online, that's when it will get them."
So far the company has only intercepted a relatively small number of these new phishing emails in
South America where they are targeting three Brazilian banks, but as ever with malicious activity online any success will
likely see the scams spread to new territories.
Shipp said this first iteration of such a covert phishing technique will only affect users who have
Windows Scripting Host enabled and certain ActiveX controls and he believes the majority of users with up to date patches,
or the most recent versions of Outlook, where such features are switched off as standard, will be protected.
But it is the general trend which is causing the most concern.
"Perhaps Brazil was targeted by this first, fairly basic email because the writers knew there were
a large number of unpatched PCs there, but the worry is that this could become more advanced," said Shipp, warning that future
iterations of such a scam may employ JavaScript or similar means to create such a vulnerability on users' machines.
MessageLabs is currently detecting between 80 and 100 new phishing websites every day.
is fastest growing form of consumer theft
June 16 2004
by Matt Hines
two million Americans duped last year…
Illegal access to bank accounts,
often gained via technology-borne schemes such as "phishing," has grown into the fastest growing form of consumer theft in
the US, according to Gartner.
numbers show roughly 1.98 million people reported their checking accounts were breached in some way during the last year.
Crimes such as phishing, whereby criminals use misleading email and websites to dupe individuals into sharing personal data
like passwords, accounted for a staggering $2.4bn in fraud, or an average of $1,200 per victim, during the last 12 months.
latest numbers confirm a report published by Gartner in May that highlighted the rapid growth of the phishing phenomenon.
In that study, the research company concluded 57 million consumers in the US
had received a phishing email during the prior year. One of the most common phishing campaigns being waged has targeted users
of web auction giant eBay and its PayPal payment-services division, with financial services giant Citibank serving as another
Avivah Litan, the Gartner analyst
who conducted the new research, said phishing is not the only major security problem opening consumers to possible crimes.
The analyst believes that so-called
keystroke logging, or the practice of using spyware to record all the characters a computer user types into his machine, is
also growing rapidly. Security software company Webroot claims its own research shows that nearly one in every three PCs harbours
some kind of keystroke-logging software.
"There are great controls for other
types of fraud at the banks, and credit card companies are very good at keeping an eye out for improper behavior, but there
is no way to directly address phishing or keyboard logging as of yet," Litan said. "Someone needs to introduce the kind of
back-end software necessary for preventing this sort of activity; that would make a difference."
As the online banking, shopping
and payment industries have grown, so too have the methods used by thieves to trick unsuspecting consumers into giving away
password and account data. Those most often targeted are people who have just begun to utilise online accounts to do business.
Gartner reported that of the four million consumers who encountered fraud last year when opening a new online account, approximately
half said they also received a phishing email.
Gartner said that bank account
attacks ranked second only to physical credit card thefts in its study, which polled 5,000 people and was based on a 12-month
period ending in April 2004. The research examined five types of consumer fraud: new account fraud, check forgery, unauthorised
access to checking accounts, illegal credit card purchases and fraudulent cash advances on credit cards.
Litan said technology offers an
attractive vehicle for criminals, because it allows them to ply their illegal trades without ever encountering their victims
"The solution is in building stronger
consumer authentication tools, in order to help service providers like banks build tighter links with consumers," Litan said.
"We need Caller ID for the internet."
The analyst, who said she endured
her own brush with criminals when someone stole her personal information and used it to make purchases on a debit card, suggested
that a simple way for companies to create safer bonds with customers is to require that they answer multiple questions when
logging into a site.
In addition to phishing e-mail
campaigns, spyware launched via pop-up advertisements or Web sites also remains a serious threat. For instance, an Internet
surfer tricked into visiting a certain Web site laced with spyware, or software that gathers information about people without
their knowledge, can then have that person's password or verification information tracked and stolen.
Matt Hines writes for