Surge in phishing attacks prompts calls for change

Some security experts want changes in how sensitive information is exchanged online

The sentencing this week of a Texas man was a rare victory for the U.S. government in its fight against a form of online fraud known as "phishing." However, a recent surge in such scams highlights the need for more than consumer education, and some computer security experts are calling for major changes in the way sensitive information is exchanged online.

On Tuesday, Zachary Keith Hill, 20, was sentenced to 46 months in prison after pleading guilty to defrauding America Online Inc. and PayPal Inc. customers with a sophisticated online phishing con, the U.S. Department of Justice said.

Hill admitted that he fraudulently obtained credit card and bank account numbers and defrauded consumers of $50,000 in two phishing scams. The customers were fooled into providing the information after receiving e-mail messages from Hill containing links to Web pages that harvested personal information. The e-mail looked like official correspondence from the companies.

Such scams proliferate because the criminals who perpetrate them enjoy a relatively high success rate and the crimes rarely result in arrest, said Avivah Litan, an analyst at Gartner Inc., which recently published a report on phishing.

"Criminals feel like, 'It's a lucrative, low-risk crime. So what's the harm in trying?'" Litan said. "They're getting a 3% click-through, whereas the success rate with spam is just a half-percent."

"There's an incredible ROI," said Susan Larson, vice president for global content at Surfcontrol PLC, a vendor of e-mail filtering software. "Given the seriousness of the information [phishers] are gathering, it's very lucrative. These people wouldn't keep doing it if it wasn't."

Gartner estimates that 57 million U.S. Internet users have received fraudulent e-mail linked to phishing scams, and that 3% of them, or 1.7 million people, may have been tricked into divulging personal information (see story).

Despite those figures, the successful prosecution of Hill was the first conviction of a phisher by the DOJ's Computer Crime and Intellectual Property section, according to Mark Mendelsohn, a trial attorney in the DOJ's Computer Crime section.

One reason for the shortage of prosecutions may be the relative newness of the problem. The Gartner numbers were projected from a study of 5,000 adult Internet users, which found that phishing attacks have become pervasive just in the past 12 months, accounting for 92% of the known or suspected attacks reported by study participants, Gartner said.

The Anti-Phishing Working Group (APWG) has also seen a steep increase in reports of phishing attacks in recent months. The industry group received more than 1,100 reports of phishing scams in April, a 178% increase from the previous month, said Dan Maier, director of product marketing at Redwood City, Calif.-based Tumbleweed Communications Corp. and an APWG spokesman (see story).

EBay Inc. doesn't give out statistics on phishing scams, but the Internet auction company has seen a "considerable increase" since the beginning of 2003, and particularly in the past couple of months, said Hani Durzy, a company spokesman.

Like other companies whose customers are targeted in phishing scams, eBay relies on reports from users to identify new scams that use its name or that of its PayPal division. It then works with the Internet service provider hosting the phishing site to take it down.

But a new business in so-called bulletproof Web hosting has sprung up to keep phishers and other online scam artists in business, even after their ruses have been detected, said Larson. "These are offshore hosting companies in places like Malaysia, India and Turkey that basically say, 'We'll keep your site up, no matter what,'" she said.

ISP EarthLink Inc. expects the number of phishing attacks using its name to double in coming months. Each attack generates thousands of calls and e-mail messages to EarthLink's support staff, said Scott Mecredy, senior product manager at the company.

Like other companies grappling with the problem, eBay and EarthLink are emphasizing better user education and trying to increase customer awareness. EBay set up a Web page, www.ebay.com/securitycenter, to help educate customers about scams, Durzy said. EarthLink also posted information that helps customers spot phishing scams, Mecredy said.

Countless other companies with links to online commerce, including Visa International Inc. and digital certificate provider GeoTrust Inc., also have published advice for spotting phishing scams. Visa and GeoTrust both tell customers to be suspicious of unsolicited e-mail requests for financial information or other personal data, and not to click on links within the unsolicited messages.

GeoTrust encourages consumers to look for the padlock symbol on Web pages when they enter sensitive information; that symbol indicates that encryption is being used to protect information sent over the Internet. Most phishing sites don't use encryption, according to GeoTrust CEO Neil Creighton.

Companies affected by the phishing problem are also offering free software tools to help customers sniff out scams.

EBay's Web browser tool bar now has a feature that flashes red when the user visits a possible spoof site. The tool bar uses a database of spoof site URLs submitted by customers and is updated "fairly quickly," Durzy said.
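The kind of lookup such a tool bar performs is simple to illustrate. The following is an added example, not eBay's code: it checks a visited URL against a constructed blocklist of reported spoof-site hostnames. The point it adds to the paragraph above is that the match has to be done on the normalized host the browser actually connects to, so that upper-case letters, a trailing dot, a port number, or a "trusted-looking-name@" userinfo prefix in front of the real host do not slip past the list. Both the blocklist entries and the sample URLs are invented for the example.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist of reported spoof-site hostnames (not real data).
SPOOF_HOSTS = {
    "ebay-verify-account.example",
    "signin.paypal-secure.example",
}


def normalize_host(url: str) -> str:
    """Return the host a browser would actually connect to for `url`.

    urlsplit().hostname already drops any userinfo before '@', the port,
    and IPv6 brackets, and lower-cases the result; a trailing dot (an
    absolute DNS name) is stripped so it matches the blocklist form.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_spoof(url: str, blocklist=SPOOF_HOSTS) -> bool:
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    host = normalize_host(url)
    if not host:
        return False
    labels = host.split(".")
    # Check "a.b.c.example", then "b.c.example", then "c.example", ...
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def triage(urls, blocklist=SPOOF_HOSTS) -> dict:
    """Map each URL to its verdict, the way a tool bar would colour it."""
    return {u: ("SPOOF" if is_spoof(u, blocklist) else "ok") for u in urls}


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://www.ebay.com/",
        "http://www.ebay.com@ebay-verify-account.example/signin",
        "HTTP://Login.EBAY-VERIFY-ACCOUNT.EXAMPLE.:8080/",
        "https://signin.paypal-secure.example/cgi-bin/webscr",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:5}  {url}")
```

The second and third sample URLs show why normalization matters: the visible "www.ebay.com" in the second is only a userinfo prefix, and the third differs from the listed host only in case, a trailing dot and a port.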

EarthLink added a "scam blocker" feature to its Web browser tool bar last month, Mecredy said.

The federal government also is taking phishing more seriously, said Chris Painter, deputy chief for computer crime at the DOJ's Computer Crime section.

Among other steps, the government is considering a large-scale move against phishers, with multiple lawsuits announced simultaneously, DOJ attorney Mendelsohn said. "You may see a general announcement to package [phisher investigations] together. ... It's definitely one of the kinds of cases the DOJ is targeting," he said.

DOJ officials also hope that the comparatively long sentence given to Hill will deter others from setting up phishing scams, he said.

Widespread adoption of e-mail authentication technology would put a dent in phishing scams, which rely on faked sender e-mail addresses to mimic legitimate business correspondence and trick recipients, said Maier of the APWG.

Microsoft Corp.'s Caller ID technology and Yahoo Inc.'s DomainKeys proposal are two attempts to jump-start the introduction of user authentication across the Internet (see story). "Almost 100% of phishing attacks start with spam. If you stop spoofed e-mail, you stop a huge proportion of spam," Maier said.
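What "authenticating the sender" means in practice, as an added illustration that is not Microsoft's Caller ID or Yahoo's DomainKeys code and follows neither specification: the domain that appears in a message's sender address publishes, in DNS, which network addresses are allowed to send mail for it, and a receiving server compares the connecting IP against that list. A message whose display name says "PayPal" but which arrives from an address the domain never authorized can be flagged regardless of how convincing the text is. The DNS records below are a constructed in-memory stand-in; the sample messages and addresses are invented.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS-published sender-authorization records:
# domain -> networks authorized to send mail claiming that domain.
AUTHORIZED_SENDERS = {
    "paypal.example": ["192.0.2.0/24", "2001:db8:10::/48"],
    "aol.example": ["198.51.100.5/32"],
}


def sender_domain(from_header: str):
    """Extract the lower-cased domain from a From/Sender header value.

    parseaddr() discards the display name, so "PayPal <x@y>" and "x@y"
    yield the same domain; the display name is never trusted.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def lookup_policy(domain: str, records=AUTHORIZED_SENDERS):
    """Return the domain's authorized networks, or None if it publishes nothing."""
    cidrs = records.get(domain)
    if cidrs is None:
        return None
    return [ipaddress.ip_network(c) for c in cidrs]


def verify_sender(from_header: str, connecting_ip: str, records=AUTHORIZED_SENDERS) -> str:
    """Return "pass", "fail", or "none" (domain publishes no policy).

    "none" is deliberately distinct from "fail": a receiver can only reject
    spoofed mail for domains that have actually published a policy, which is
    why the article stresses widespread adoption.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "none"
    nets = lookup_policy(domain, records)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    # An IPv4 address is never "in" an IPv6 network, and vice versa.
    return "pass" if any(ip in net for net in nets) else "fail"


def filter_inbox(messages, records=AUTHORIZED_SENDERS):
    """Annotate (from_header, connecting_ip, subject) tuples with a verdict."""
    return [(subj, verify_sender(frm, ip, records)) for frm, ip, subj in messages]


if __name__ == "__main__":
    inbox = [  # constructed sample delivery records: From header, peer IP, subject
        ("PayPal <service@paypal.example>", "192.0.2.77", "Your receipt"),
        ("PayPal Security <service@paypal.example>", "203.0.113.9", "Verify your account now"),
        ("AOL Billing <billing@aol.example>", "198.51.100.5", "Monthly statement"),
        ("Unknown Bank <alerts@unknown-bank.example>", "203.0.113.9", "Action required"),
    ]
    for subject, verdict in filter_inbox(inbox):
        print(f"{verdict:5}  {subject}")
```

The second message is the phishing pattern from the article: a legitimate-looking sender domain, but delivered from a network that domain never authorized, so it fails. The fourth shows the coverage gap: a domain that publishes nothing cannot be checked at all, which is the reason the APWG's Maier ties the benefit to broad adoption rather than to any single company's deployment.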

Coordination between ISPs, banks and other stakeholders is needed to stop the problem before it undermines confidence in online commerce, Litan and others said. "The phishing problem is one that's really a collective issue -- something that the Internet community as a whole should solve," said Litan.

Copyright © 2004 IDG Communications, Inc.
