Phish in the E-mail
Jun 1, 2005 12:00 PM, By Jacqueline Emigh
There's “something phishy” going on in cyberspace these days, and the situation is getting worse. Through a type of e-mail attack called “phishing,” cybercriminals are bilking consumers of their identities and wallets and causing incalculable harm to the reputations and finances of major corporations.
Perpetrators of phishing scams run the gamut from organized crime rings in Russia, Romania and Latvia to teenaged pranksters around the world, experts say.
Corporate victims have already included big banks, insurance firms and a large number of electronic commerce Web sites. Examples range from Citibank to EBay, a popular e-comm site where people place bids to buy new and used goods through online auctions.
Masquerading as legitimate businesses, phishers send out phony e-mails meant to lure consumers and small businesses to fake Web sites. When unwary individuals land on these sites, they are asked to enter personal information such as a social security number, a credit card number, or an e-mail password. Phishers then use this information themselves for fraudulent purposes, or they sell the purloined data to other thieves.
It might not be immediately obvious that one has been duped, says Scott Shaw, a director at Corillian Corp., Hillsboro, Ore.
“Somebody could hold on to your information for quite a while. Then, six months later, you might suddenly find out that you have bought a house,” Shaw says.
Phishers use an ever-expanding variety of ploys to reel in information. To give one example, conmen have been sending out e-mails to customers of PayPal, an online payment service, informing them their accounts will be placed on “restricted status” unless they fill out a “credit confirmation” form.
To fill out the phony form, the victim is brought to a Web site that looks just like the real thing, but is actually bogus.
Phishers can be tough for law enforcement agencies to catch, so most of these crimes go unpunished. Occasionally, however, an online crook is brought to justice. In July of 2003, for example, a 17-year-old boy was charged with using “spam” e-mails and a fake America Online (AOL) Web page to trick people out of their credit card numbers and AOL account passwords.
U.S. regulators also alleged that the teen had used the stolen information to order $3,500 in online merchandise and to log on to AOL through his victims' accounts to send more spam. He also allegedly recruited other people to take delivery of the merchandise he had fraudulently ordered. The Federal Trade Commission settled the case after the boy agreed to pay back the money he had ripped off — after he had promised to never send spam again.
Sometimes, the cyberthieves have not been as lucky. Another large Internet service provider (ISP), known as Earthlink, decided to conduct its own phishing search. In one of the upshots, Dan Daarius Stefan was convicted in Romania of using a phishing scam to steal almost half a million dollars.
Stefan was charged with sending e-mails that seemed to come from EBay to people who had lost out on auctions telling them about similar merchandise purportedly for sale at even lower prices.
People interested in buying these goods were told to provide bank account numbers and passwords and then to wire the money to a phony “escrow” Web site that Stefan had set up. A Romanian court sentenced Stefan to 30 years in prison.
Phishing attacks are becoming more sophisticated and systematic all the time, according to Bob Walters, CEO of Teros, Sunnyvale, Calif.
“Some of the perpetrators are highly organized cybercrime gangs. There's a whole system of wholesaling. A validated e-mail address might sell for a nickel. Complete information about a person might go for $100 to $200,” he says.
Phishing is a major menace to corporations, too. “Companies tend to view their brands as assets, and they don't want their brands to get tarnished,” Walters says.
“One of our customers now has three people working on ‘the latest phish’ full-time,” he says. “They're looking at questions like, ‘How many people were phished?’ and ‘What will we tell account holders?’ It's almost like a SWAT team. There are two information security people and a marketing person. The salaries work out to hundreds of thousands of dollars a year.”
Banks are particularly threatened. “People who have heard about phishing attacks are becoming reluctant to do online banking. Meanwhile, though, for reasons of efficiency, banks want people to use the Web more, not less,” according to John Quarterman, CEO of InternetPerils, Austin, Texas.
“It's key to banks that customers have confidence that their financial assets are secure,” Corillian's Shaw says.
Victimized corporations typically report phishing attacks to their ISPs and sometimes directly to the FBI or other law enforcement bodies.
More than 1,400 phishing sites have been shut down as a result of Operation Stop IT, an initiative launched by Mastercard last June.
Growth of the phishing phenomenon has also prompted the formation of the “Anti-Phishing Working Group,” an organization encompassing security vendors as well as customer organizations and interested individuals.
Each month, the group publishes a document called the “Phishing Attack Trends Report.” So far this year, the number of active reported sites reached a high of 991 sites during the second week of February, according to the working group.
But according to industry analyst firm TowerGroup, Needham, Mass., the true level and mix of phishing attacks remains under-reported, simply because the count relies on self-reports.
On a related note, Mastercard Australia has admitted that it failed to tell New Zealand police about a phishing site in New Zealand closed down under Operation Stop IT.
TowerGroup has estimated that the true number of phishing attacks reached nearly 31,300 in 2004, and that it will soar to more than 86,000 in 2005 while also spreading to smaller institutions, new merchant/service-providers, and new global markets.
Furthermore, about 80 percent of all phishing attacks in 2004 were targeted at banks, and the same proportion will hold true in 2005, according to the firm.
Meanwhile, software vendors are also getting into the anti-phishing act with new information security technologies.
In May, for example, Corillian and Teros announced that they will jointly market and sell the Corillian Fraud Detection System with the Teros Web Application Firewall.
Unlike other Internet firewalls and intrusion prevention systems, the new combined solution can detect people who are accessing Web sites specifically to create phishing attacks, Walters says.
Companies will be able to tell where Web traffic is really coming from, according to the CEO. “Let's say that a U.S. bank suddenly starts getting lots of hits from Romania. Well, U.S. banks don't generally have tons of Romanian customers.”
The solution will also help to prevent “Web application” attacks, in which hackers steal databases brimming with customer information, Walters says.
That same month, InternetPerils launched PerilScope, a computer-based visualization technology that helps corporations and ISPs to pinpoint the locations of Web phishing sites.
“This technology will promote discussions between physical security and information security staff, because everyone will be able to ‘see’ the phishing Web sites,” Quarterman says.
So, when a colleague in the IT department mentions “phishing,” you will know they are not talking about flycasting for trout. Instead, they are trying to get their hooks into one of the wiliest sorts of crooks in all of cyberspace.
ABOUT THE COMPANIES
For information, circle the Reader Service number (listed below) or visit securitysolutions.com

| Company | Reader Service No. |
| --- | --- |
| Corillian Corp. | 22 |
| InternetPerils | 23 |
| Symantec Corp. | 24 |
| Symbol Technologies | 25 |
Pulling It Together
6 STEPS TOWARD CONVERGENCE
Collaboration among security, IT, HR, legal and business managers is critical to the convergence of physical and logical security, starting with these six steps…
1. Undertake a thorough and detailed study about consolidating physical and logical security to reveal the availability and flow of information among cross-cultured departments.
2. Appoint a single department to create policies for both physical and logical security and to review them jointly with all involved departments.
3. Make sure the team assigned to integration possesses the required credentials to contribute to and maintain the convergence project.
4. Ensure that the network topology is robust and resilient — able to recover rapidly for emergency operation.
5. Study and plan carefully the technology options for interworking between physical and IT networks — it's an investment in time and money that is well worth it.
6. Prove the concept with a pilot program and stress testing to identify technical issues, to validate network topologies, and to gauge corporate end-user acceptance.
SOURCE: JOE CHOGHI, DIRECTOR OF SALES OPERATIONS, QUANTUM SECURE, FREMONT, CALIF., A COMPANY DEVOTED TO BUILDING POLICY AND COMPLIANCE MANAGEMENT SOLUTIONS FOR THE PHYSICAL SECURITY INDUSTRY.
© 2008 Penton Media Inc.