By BILL TOLAND Pittsburgh Post-Gazette
December 14, 2005
This is how phishing usually begins, with your e-mail address. Next comes an automated e-mail, sent by a spam generator, which instructs you to visit a fake Web site and "update your credit billing information" or "verify your PayPal login."
Then, if the scammer is lucky and you're not computer savvy, you hand over your name, credit card number and other personal data - a valuable bundle of information that's sold on the black market to someone who wants to steal your identity and your line of credit.

Phishing scams have infected the Internet for more than a decade. In the beginning, it was called "Web page spoofing." But the scams have reached a critical mass over the past few months, reaching more people than ever, using more fake Web pages than ever, and becoming so sophisticated that even the good guys have a tough time telling fake Web pages from authentic ones.

Thomas, fortunately, is one of the good guys. He's a program manager at the National Cyber-Forensics and Training Alliance, which makes its home in a business park near the Monongahela River outside of Pittsburgh. The nonprofit alliance is one of the few computer crime research outfits in the United States, a collaboration of law enforcement officials, computer experts, private enterprise and volunteer graduate school students from the University of Pittsburgh, Carnegie Mellon University and Robert Morris University.

Thomas' days are consumed by computer crimes of all varieties, including online auction frauds, spam-sending "bot networks," and fake charity solicitations such as the ones that arose after last year's killer tsunami and this year's Hurricane Katrina. But phishing scams, he said, are taking up more and more of his time.

At the start of last year, there were about 200 phishing sites on the Web - fake sites designed to look like they belong to eBay or Citibank, for example. By autumn, there were more than 5,200, according to the Anti-Phishing Working Group, a cross-industry global group supporting those tackling the phishing menace. And that number is rising.

One reason is that as recently as last year you had to be able to write computer code to place a phish site on a server. Now, phish writers are creating customizable packets.
A scammer buys the code packet from a vendor, fills in the blanks, inserts an eBay logo, for example, and he's ready to go. "These kits? That's what's causing these spikes," Thomas said. "It used to be you had to know how to do this yourself. Now you don't."

Hanging on a wall in the cyber training alliance offices are various flow charts which show how phishing scams operate. If you thought they tend to be simple - a geeky teen sitting at a computer sending out e-mail, collecting personal data and going on a shopping spree - you're wrong.

"It's a very organized criminal activity," Thomas said. Every once in a while, one guy juggles the entire scam himself, but usually it's an elaborate web with some or all of its threads running overseas through Eastern Europe, China, Korea or Russia.

That's what makes tracking a phishing scheme so difficult. Even when the FBI "seeds" a scam by providing a credit card number with hopes of monitoring its use, the crooks are often untouchable. "They get traced back to some place in another country, and they're doing a transaction in the subway, (at) an ATM," said Bill Shore, of the FBI's Pittsburgh-area cyber-crime team.

How is the web connected? One group designs the phish site kits, while others write e-mail-harvesting "spiders." Some send the spam e-mails, some collect credit card numbers and still others sell the pilfered information over the Internet. At the end of the line is the guy who buys the numbers and goes shopping. It's lucrative for the people selling the data packs and the card numbers, but it's more lucrative for the guy at the end of the line. The Ponemon Institute, a privacy and security consultant, estimates that phishing schemes cost American consumers $500 million in 2004.

The good news is that the people chasing the crooks are becoming more sophisticated, too. The cyber training alliance, for example, was assembled in 2002.
It shares office space with Digital PhishNet, a year-old team of national cyber-experts culled from tech companies, Internet service providers, the Secret Service, the FBI and the banking industry. The Defense Department's Computer Emergency Response Team Coordination Center, or CERT, makes its home at Carnegie Mellon. Nearby is an FBI computer crimes lab.

For all this investigative manpower, though, phishing and the identity theft it supports are difficult to prosecute. "Identity theft, in general, is close to the perfect crime today," Shore said. Fewer than 1 percent of all reported identity theft cases are successfully prosecuted, he said.

At least identity theft is a punishable offense. Phishing, setting up a fake Web page and posing as a real company in an e-mail, often is not. Tech companies and Internet providers want to change that, and they are lobbying state legislatures to pass anti-phishing statutes. Many companies worry that the millions in direct consumer losses will generate even greater losses if people lose confidence in online commerce.

"The main goal is to protect customers from this kind of fraud," said Lee Gierczynski, a spokesman for Verizon, whose Web site often is duplicated by phishing scammers. "But the company is a victim as well."

A survey by America Online and the National Cyber Security Alliance found that one in four Internet users polled had been on the receiving end of a phish e-mail. The latest report from the Anti-Phishing Working Group says that, in a given month, more than 13,000 phishing solicitations clog e-mail inboxes:

Dear Amazon.com Member - Urgent Action Required!
Credit Union National Association #552 - Security of your Personal Information.
PayPal must repay 4,823 members, including you, the amount of $156.02 - confirm your account.
Update your Verizon billing profile - failure to reply will lead to termination of your account.
Bank One security upgrade - please check your secured inbox for detailed information.
Citibank E-mail Verification - verify your e-mail address.

Phishers go where the money is. That's why so many of their e-mails pose as coming from the most popular Web services, such as Amazon, eBay and PayPal. But as the hoax pages get easier to build, the solicitations get more narrowly targeted. You might get one from your local bank, your local phone company or a credit union. And as more people submit their federal tax returns online, expect to see e-mails that claim the IRS is having a problem processing your refund and needs more information to do so. "Come tax season, I think we're going to see kind of an increase," Thomas said. He's already seen one such e-mail.

With the holiday shopping season in full swing, you might already be getting e-mails offering gift cards or free video game systems if you participate in an online marketing survey. Sometimes, these offers are legitimate, but more and more, these, too, are phishing expeditions designed to separate you from your money.

Thomas predicted an upswing in other phishing-related scams which surfaced this year but have yet to become widespread. One is called "pharming." Hackers confuse computers into misdirecting Web users who type in a legitimate Web address. You type "www.google.com," for instance, but your Web browser is directed to a fake Google page or a different Web page altogether.

Another offshoot is called "spear-phishing," a more focused form of phishing. You'll get an e-mail directing you to a Web page. Simply by visiting the page, your computer will download malicious software, known as "malware." As you conduct legitimate online business a week later, the malware might keep track of credit card numbers or passwords you use. Or it might act as a radio receiver, allowing someone else to operate your computer by remote control.

The scope of such spear-phishing and pharming attacks is limited, for now.
That's because, as with "traditional" phishing a year ago, they are limited to the people who have enough programming knowledge to carry them out. But as programmers begin to build generic pharming and spear-phishing packages, and make them available for purchase online, the scams will proliferate and pose new challenges for consumers, companies, investigators and lawmakers.