Phishing scourge prompts calls for change

The sentencing this week of a Texas man was a notable victory for the U.S. government in its fight against a form of online fraud known as "phishing." However, a recent surge in such scams highlights the need for more than customer education, with some computer security experts calling for major changes in the way sensitive information is exchanged online.

Zachary Keith Hill, 20, was sentenced Tuesday to 46 months in prison after pleading guilty to defrauding America Online Inc. (AOL) and PayPal customers with a sophisticated online phishing con, the U.S. Department of Justice (DOJ) said.

Hill admitted he fraudulently obtained credit card and bank account numbers and defrauded consumers of US$50,000 in two phishing scams. The customers were fooled into providing the information after receiving e-mail messages from Hill containing links to Web pages that harvested personal information. The e-mail looked like official correspondence from the companies.

Such scams proliferate because online criminals, including organized crime groups, enjoy relatively high success rates from phishing crimes, which rarely result in arrest, said Avivah Litan, vice president and research director at Gartner Inc., which recently published a report on phishing.

"Criminals feel like 'It's a lucrative, low-risk crime. So what's the harm in trying?'" she said. "They're getting a 3 percent click-through, whereas the success rate with spam is just 1/2 percent."

"There's an incredible ROI (return on investment)," said Susan Larson, vice president of global content at Surfcontrol PLC, an e-mail filtering company. "Given the seriousness of the information (phishers) are gathering, it's very lucrative. These people wouldn't keep doing it if it wasn't."

Gartner estimates that 57 million U.S. Internet users have received fraudulent e-mail linked to phishing scams, and that 3 percent of them, or 1.7 million people, may have been tricked into divulging personal information.

Despite those figures, the successful prosecution of Hill was the first conviction of a phisher by the DOJ's Computer Crime and Intellectual Property section, according to Mark Mendelsohn, a trial attorney in the DOJ's Computer Crime section.

One reason for the shortage of phishing prosecutions may be the relative newness of the problem. The Gartner numbers were projected from a study of 5,000 adult Internet users, which found that phishing attacks have become pervasive just in the last 12 months, accounting for 92 percent of the known or suspected attacks reported by study participants, Gartner said.

The Anti-Phishing Working Group (APWG) has also seen a steep increase in reports of phishing attacks in recent months. The industry group received more than 1,100 reports of phishing scams in April, a 178 percent increase from the previous month, said Dan Maier, director of product marketing at Tumbleweed Inc., and an APWG spokesman.

Cara Samokar, a high school counselor in Somerville, Massachusetts, near Boston, is one of those statistics.

Samokar was recently taken for more than $2,000 after she responded to an e-mail in early 2004 that warned of "fraudulent account" activity at eBay Inc.

"It was very professional looking," Samokar said. Among other things, eBay's logo was displayed prominently and the wording of the e-mail was professional, right down to the legal disclaimer at the bottom of the message.

After following an embedded link in the message to a Web-based form, Samokar, who is in her early 20s and occasionally auctions items on eBay, entered her eBay user name and password, as well as the account number and personal identification number for a Connecticut bank account she uses.

Samokar thought nothing more about the message, until two months later, when she logged on to her online banking account to pay bills and noticed that her account balance was almost $2,000 less than it should have been.

"It turns out some people in Amsterdam had made up dummy cards with my account information on them, then they went around to ATM (automated teller machines) machines, taking out money, $500 at a time," she said.

Samokar didn't recall receiving any warnings from eBay or her bank about such scams prior to receiving the deceptive e-mail, and so she didn't make a connection between the e-mail and the ATM thefts until an eBay customer service representative mentioned the phishing scam to her weeks later, she said.

EBay does not give out statistics on phishing scams, but the company has seen a "considerable increase" since the beginning of 2003, and particularly in the last couple months, said Hani Durzy, a company spokesman.

Like other companies with targeted customers, eBay relies in large part on reports from users to identify new scams that use its name, or that of its PayPal division. Once it has identified a scam Web site, the company works with the ISP (Internet service provider) hosting the site to take it down.

Depending on whether the scam site is hosted inside or outside the U.S., it could be taken down almost instantly or stay up indefinitely, he said.

In fact, a whole new business in so-called "bulletproof" Web hosting has sprung up to keep phishers and other online scam artists in business, even after their ruse has been detected, Surfcontrol's Larson said.

"These are offshore hosting companies in places like Malaysia, India and Turkey that basically say, 'We'll keep your site up, no matter what'," she said.

ISP EarthLink Inc. is expecting the number of phishing attacks using its name to double in coming months. Each of those attacks generates thousands of calls and e-mail messages to EarthLink's support staff, said Scott Mecredy, senior product manager at the company.

In recent months, the company has seen phishing scams shift from attacks created by novices -- "kids with too much time on their hands" -- to sophisticated cons that suggest the backing of professional and organized criminals, he said.

The latest generation of phishing scams uses several methods to trick users, including pop-up graphics to mask the true Web URL (uniform resource locator) of the phishing site and the installation of spyware and Trojan horse programs on victims' computers, Mecredy said.

Like many other companies grappling with the phishing problem, eBay and EarthLink are emphasizing the need for better user education and trying to increase customer awareness of the problem. EBay set up a Web page, www.ebay.com/securitycenter, to help educate customers about fraud and phishing scams, Durzy said. EarthLink also posted information that helps customers spot phishing scams, Mecredy said.

Countless other companies with links to online commerce, including Visa International Inc. and digital certificate provider GeoTrust Inc. also have published lists of tips and advice for spotting phishing scams. Both companies tell customers to be suspicious of unsolicited e-mail requests for financial information or other personal data, and not to click on links within the unsolicited messages.

GeoTrust encourages consumers to look for the "padlock" symbol on Web pages when they enter sensitive information, which indicates that encryption is being used to protect information sent over the Internet. Most phishing sites do not use encryption, according to Neil Creighton, chief executive officer of GeoTrust.

More and more, companies affected by the phishing problem are also offering free software tools to help customers sniff out scams.

EBay introduced a feature in its Web browser toolbar, a small program that runs with a user's Web browser, that flashes red when the user visits a possible spoof site. The toolbar uses a database of spoof site URLs submitted by customers and is updated "fairly quickly," Durzy said.

Like eBay, EarthLink in April added a "scam blocker" feature to its Web browser toolbar that can spot and warn users about scam Web sites, Mecredy said.

The federal government also is taking phishing more seriously and other investigations of phishing scams are ongoing, said Chris Painter, deputy chief for computer crime at the DOJ's Computer Crime section.

Among other steps, the government is considering a large-scale move against phishers, with multiple lawsuits announced simultaneously, DOJ attorney Mendelsohn said. "You may see a general announcement to package (phisher investigations) together ... It's definitely one of the kinds of cases the DOJ is targeting," he said.

DOJ officials also hope that the comparatively long sentence given to Hill will deter others from setting up phishing scams, he said.

However, even stepped-up enforcement and better user education aren't likely to stop phishing attacks, which take advantage of many of the same structural weaknesses in the Internet as spam e-mail, viruses and worms, experts agree.

"The phishing problem has a lot of intersection with other problems we look at, such as malicious code and spam," Mendelsohn said.

Widespread adoption of e-mail authentication technology would put a dent in phishing scams, which rely on faked sender (or "from") e-mail addresses to mimic legitimate business correspondence and trick recipients, said Maier of the APWG.

Microsoft Corp.'s Caller ID technology and Yahoo Inc.'s DomainKeys proposal are two attempts to jump-start the adoption of e-mail sender authentication across the Internet.

"Almost 100 percent of phishing attacks start with spam. If you stop spoofed e-mail, you stop a huge proportion of spam," he said.
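The two telltale signs the article describes, a From header that claims the brand while the message actually comes from elsewhere, and an embedded link that displays the brand's address but leads to a look-alike site, can be checked mechanically. The following is an added example, not code from the article, Caller ID or DomainKeys; the raw message is constructed, and the brand domain and look-alike hostname are assumptions.

```python
"""Heuristic triage of a phishing lure: spoofed sender plus off-brand links.

Added example (not from the article). Message text is constructed; the
brand domain and the look-alike hostname are assumptions for illustration.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample resembling the eBay-branded lure described in the article.
SAMPLE_EMAIL = """\
From: "eBay Customer Support" <service@ebay.com>
Return-Path: <bounce@mail.example.net>
Subject: Fraudulent account activity detected
Content-Type: text/html

<html><body><img src="http://pics.ebay.com/logo.gif">
<p>Please verify your account within 24 hours:</p>
<a href="http://ebay-secure.example.net/verify.php">https://www.ebay.com/verify</a>
</body></html>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
ADDR_RE = re.compile(r"<([^>]+)>")


def domain_of(header_value):
    """Return the domain part of an address header such as From or Return-Path."""
    m = ADDR_RE.search(header_value or "")
    addr = m.group(1) if m else (header_value or "").strip()
    return addr.rsplit("@", 1)[-1].lower()


def in_brand(host, brand):
    """True if host is the brand domain or a subdomain of it (not 'notebay.com')."""
    return host == brand or host.endswith("." + brand)


def triage(raw, brand_domain):
    """Return a list of findings for one raw message; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # A From header claiming the brand while the bounce address points elsewhere
    # is the faked "from" address pattern the article describes.
    if in_brand(from_dom, brand_domain) and not in_brand(path_dom, brand_domain):
        findings.append(f"from/return-path mismatch: {from_dom} vs {path_dom}")
    for href, text in HREF_RE.findall(msg.get_payload()):
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if not in_brand(host, brand_domain):
            findings.append(f"link to non-brand host: {host}")
        if target.scheme != "https":  # the "padlock" check, applied to the link itself
            findings.append(f"unencrypted link: {href}")
        shown = urlparse(text.strip()).hostname  # visible URL vs. real destination
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings
```

Run `triage(SAMPLE_EMAIL, "ebay.com")` to see the four findings the constructed lure produces; a message whose headers and links all stay on the brand domain returns an empty list.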

Strong encryption of sensitive e-mail messages using PKI (public key infrastructure) would also help, but could ruin the experience of using e-mail, Mecredy said.

Beyond that, companies can choose from various secure e-mail or antispam providers including Tumbleweed, Sigaba and Postini Inc. PassMark Security LLC offers technology to specifically address phishing scams, allowing customers to configure their online accounts so a unique thumbnail image appears on legitimate e-commerce Web pages, Litan said.

Coordination is also needed between ISPs, banks and other stakeholders to stop the problem before it undermines confidence in online commerce, Litan and others said.

"The phishing problem is one that's really a collective issue -- something that the Internet community as a whole should solve," said Litan.
