April 27, 2004

Phishing tackled

Those online scams - and what happens after you fall for one...
Wayne receives an official looking email from his bank, warning him that his account will be deactivated if he does not log in and verify his account details, including his credit card information. How annoying, he thinks. Normally my bank is so efficient!

Wayne clicks on the link in the email and is directed to his bank’s website. A pop-up login window appears. He enters his account details and clicks ‘submit’. But an error message appears, so he goes to his bank’s main website and tries again. All his account details and recent transaction history are successfully listed. My account’s still here, Wayne thinks. Was there really a problem?

But what Wayne doesn’t know is that although he ended up by logging into his bank’s real website, he also revealed his credit card details to an organised crime gang during his initial, supposedly failed, login attempt. Such rogue emails and websites are part of what’s known as a ‘phishing’ scam. The number of these scams is growing by the day.

The gang, armed with Wayne’s credit card details, uses the money to buy a plasma screen TV and sends it to a formerly unemployed lady who replied to a job ad for a ‘correspondence manager’ that she saw on a major online job website.

This woman gets paid a commission after sending the TV to an address in Russia, which she thinks is a children’s charity, and in doing so becomes an unwitting mule in a well organised, sophisticated group of fraudsters.

The goods are resold in Russia and the money laundering is complete. The scenario above is fictional, but, disturbingly, five per cent of people fall for phishing scams, according to US-based security company Tumbleweed.

Most of us will have received a bogus email in our inboxes by now. These scams are one of the first steps in a chain of organised criminal activity, often based in Eastern Europe. Banks are the most likely target, but the single most targeted company is eBay, according to the Anti-Phishing Working Group (www.antiphishing.org), a consortium of more than 180 companies, including Tumbleweed, working on ways to combat the problem.

There are three common phishing techniques used to harvest information, says Jon Harvey, regulatory compliance director at Barclays bank. “One is to download a Trojan attachment onto your machine which captures keystrokes or opens up a port which can then be used for a remote phishing connection. This is not something we’re experiencing at Barclays at the moment,” he says.

Another technique involves soliciting information after users are duped into thinking they are using an official site. This can be done through a similar-sounding URL, such as www.visa-security.com. Also, unpatched Internet Explorer browsers are susceptible to a vulnerability which lets scamsters create a link whose address bar appears to show a legitimate website, while the page displayed is really a fake.

“Finally, you can compromise the DNS (Domain Name System) server on someone’s network so when you type in the name of the institution, it resolves to another address,” says Harvey.

Most victims of phishing have simply unknowingly entered their details on a fake website.

And it’s not just Internet novices who fall for these scams. “The level of sophistication is dramatically increasing,” says Dave Jevans, chairman of the Anti-Phishing Working Group and senior executive at Tumbleweed. “There has been code for these things seized. Some machines have been seized when there was a phishing attack launched and on the machines were five other attacks on institutions ready to go. We are definitely seeing the convergence between viruses and Trojans and phishing where people are starting to use keyloggers. We’re concerned about DNS takeover attacks.”

Taking people to a counterfeit website and then redirecting them to the real website once their information has been entered is also a worrying trend, Jevans says. People don’t realise that they’ve passed their login information to a scamster because they end up seeing the authentic site.

“Those have been a bit buggy, but they’re really scary.”

In the US, large ISPs like Earthlink have been a target too – similar scams will almost certainly be hitting the UK soon.

“ISPs have your credit card details and they bill monthly, so they’re a prime target,” says Jevans. “Someone sends an email pretending to be from your ISP and saying your card’s expired or there’s a billing problem,” he adds. These can be highly targeted because they know to only send the email to people at the ISP’s domain name. Many of these sites are even hosted at the ISPs themselves so they can be extremely real looking.

“We’ve seen it happen to some ISPs here and they’ll get 70,000 phone calls into their customer support centre. It costs them real money.”

Horses for courses

What happens once someone enters their banking details on a fake site?

“The account ID and password then needs to be available for the fraudster to obtain in such a way that there’s a clear break between where that information now sits and where the fraudster is so it can’t be traced back,” Harvey says.

The fraudster then logs on to the banking account and transfers the money into a mule’s account, whose role is then to transfer around 90-92 per cent of the stolen money overseas. Often, the funds are transferred between numerous stolen bank accounts both here and offshore in order to make the scam harder to track.

These mules have signed up to the scam after seeing jobs on popular websites listed for ‘correspondence managers’. Much of the time they are unaware that stolen money is being transferred.

Others cotton on, but have been unemployed for some time and are desperate for the lucrative commission.

In the case of repackaging and forwarding on stolen goods, phished details such as Visa numbers are often sold on the black market and used to buy high value items. Store credit can also be obtained if scamsters steal utility type information or a driver’s licence. Login details of popular retailers’ websites are also phished. Goods are purchased and sent on to an address other than the card’s billing address.

“The goods would be delivered to one of these mule people who think they’re receiving a donation for a charity or some bigger cause and they have to repackage it and post it,” Harvey says.

Scamsters have targeted at least one authentic charity, the Russian Orphan Opportunity Fund, several times by launching spoof websites that ask for help.

The price of phish

The Anti-Phishing Working Group’s regular report on attacks showed that there were 282 unique phishing attacks in February this year, a 60 per cent increase on the 176 attacks reported in January. Apart from eBay (104 unique attacks, up from 51 in January), the second most targeted company was Citibank (58), followed by PayPal (42, up from 10 in January), AOL (10, down from 34 in January), Fleet Bank (9), Earthlink (8), Visa (8) and Barclays (6). Phishing was one of the major topics debated during the E-Crime Congress held in London last February, where Harvey was a presenter.

“Right now the fraud cost is there, but these large institutions have tons of fraud already,” says Jevans. “The real cost of the problem is the time at the helpdesk, educating customers, business reputation loss and loss of trust on the Internet. This is of particular concern to e-commerce companies who only conduct business online.”

A good catch?
The Anti-Phishing Working Group collaborates securely online and meets regularly around the world to discuss phishing threats and ways to combat them. Specific solutions are outlined in a paper at www.securitymanagement.com/library/Antiphishing_Tech0304.pdf.

The main proposals so far include email authentication methods and looking at spam standards devised by companies like Microsoft and Yahoo!. “The problem with that is it’s going to take years to be implemented anywhere,” Jevans says.

The group is also investigating the potential for services which scan for ‘cousin’ domains whereby trademark owners would be notified if a similar sounding URL, or sites containing spoof content, are registered.

Barclays’ Harvey points out that “if you configured your website to be seen by spiders and robots we’d find it but a fraudster doesn’t do that – you need to know the absolute address”.

Some services, like Cogenta Domainwatch (www.cogenta.com/domainwatch.htm), scan incoming spam for keywords, which can flag up problems earlier, but don’t prevent them from occurring in the first place.
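The cousin-domain and spam-keyword scanning described in the two paragraphs above can be sketched in a short script. What follows is an added example, not the code of Cogenta, the Anti-Phishing Working Group or any bank named in the article; the brand list, the lookalike hosts and the spam message are constructed, and the suffix handling is a deliberate simplification.

```python
"""Cousin-domain scanner in the spirit of the services described above. Added example:
not Cogenta's, the APWG's or any bank's code; brands, hosts and the lure are constructed."""
import re
from difflib import SequenceMatcher

PROTECTED_BRANDS = {"visa": "visa.com", "barclays": "barclays.co.uk", "ebay": "ebay.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps
HOST_RE = re.compile(r"(?:https?://)?((?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'visa-security' for 'www.visa-security.com'. Two-part
    suffixes such as co.uk are handled crudely; a real scanner would use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "com", "org", "ac") and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_host(host: str):
    """Return (brand, reason) if host looks like a cousin of a protected brand, else None."""
    host = host.lower().rstrip(".")
    label = registrable_label(host)
    tokens = [t for t in re.split(r"[-_\d]+", label) if t]  # 'visa-security' -> ['visa', 'security']
    for brand, official in PROTECTED_BRANDS.items():
        if host == official or host.endswith("." + official):
            return None  # the brand's own domain or a subdomain of it
        if brand in tokens and len(tokens) > 1:
            return brand, "brand combined with extra words"  # visa-security.com
        if label.translate(HOMOGLYPHS) == brand:
            return brand, "digit-for-letter substitution"  # 3bay.com
        if label != brand and SequenceMatcher(None, label, brand).ratio() >= 0.85:
            return brand, "lookalike spelling"  # baclays.co.uk
    return None

def scan_message(text: str):
    """Return [(host, brand, reason)] for each cousin-domain link in an email body."""
    hits = []
    for m in HOST_RE.finditer(text):
        if not m.group(0).lower().startswith(("http://", "https://", "www.")):
            continue  # only scheme- or www-prefixed hosts count as links in this demo
        verdict = classify_host(m.group(1))
        if verdict:
            hits.append((m.group(1).lower(), verdict[0], verdict[1]))
    return hits

# Constructed lure in the style the article describes (expired-card billing pretext).
SAMPLE_SPAM = """Dear customer, your card has expired. Please verify your details at
http://www.visa-security.com/verify or via our billing partner www.3bay.com.
Your statement remains available at https://www.visa.com/account."""
```

Running `scan_message(SAMPLE_SPAM)` flags the two lookalike hosts and leaves the genuine www.visa.com link alone; as the article notes, such a scan can raise the alarm early but cannot stop the domain being registered in the first place.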

At Barclays, there is a warning screen each time you log into an online account and selected letters from your ‘secret word’ must be selected from a drop down menu, which thwarts keylogging programs. Users should always type the absolute URL of a website directly into their browser, rather than accessing it from a Favorites menu or a link contained within an email.

Operating systems must also be configured to ensure that remote system management services are switched off, and browsers need to be set with high security settings so that malicious code cannot be executed without the user’s knowledge. Adequate firewall and virus protection is absolutely essential.

For commercial sites, educating users and raising awareness of phishing scams is vital. Ensuring security is maintained requires cooperation between a site and its users.

“We’ve done a lot with education,” says Harvey. “Customers need to understand they need to protect themselves.”

Taking a few simple precautions and being vigilant shouldn’t diminish the convenience of using online services. Thankfully, the infrastructure of online banking and online retailers’ websites has remained secure since phishing began and for those who have been the victims of scams, human error, ignorance or URL masking has been to blame.

As phishing techniques become ever more sophisticated, the fight against the scamsters is a serious one – and one which requires industry cooperation and innovation to combat.

Posted by kimgilmour at April 27, 2004 12:53 PM