While spam is annoying, distracting and burdensome to enterprises and their networks, the spoofing scam known as phishing has the potential to inflict serious losses of data… and even money. Phishing is a relatively new form of online fraud that focuses on fooling the victim into providing sensitive financial or personal information to a bogus website that bears a significant resemblance to a tried and true online brand. The word phishing comes from the analogy that Internet scammers are using email lures to ‘fish’ for passwords and financial data from the sea of Internet users.
And while this form of fraud is relatively new, phishing attacks have increased by 4000 percent from November 2003 to May 2004. Over the past eight months, e-mail phishing attacks have rapidly transformed from a minor occurrence to a worldwide epidemic that is tarnishing the reputation of organizations both on and offline while simultaneously ruining consumer trust in the Internet and e-commerce. According to the Radicati Group analyst Teney Takahashi, the number of unique phishing attacks worldwide is expected to grow at an astonishing rate a year from 51 attacks in 2004, to 110 unique attacks by 2005. If nothing is done to stop this increasing growth in phishing attacks, Takahashi said the Radicati Group anticipates the number of unique phishing attacks will reach 404 by year end 2008.
Financial industry most targeted from phishers
In the last eight months, the research firm maintained it has seen a huge migration from US to international markets as the majority (70 percent) of phishers are launching their attacks from Eastern Europe and Southeast Asia. The financial industry is by far the most targeted industry at 68 percent, followed by credit card companies at 17 percent, eCommerce organizations at 12 percent and other industries such as governments, ISPs, etc at 3 percent. Financial institutions and e-commerce companies come under most attacks 51 phishers attacks per day.
A recent study commissioned by TRUSTe put US phishing losses to date at $500 million. Sixty-four percent of respondents surveyed believe that it is unacceptable for organizations to do nothing about spoofing and phishing, and 96 percent want companies to consider new technologies to help authenticate email and online sites. “Consumers should be cautious when disclosing sensitive information unless they have proactively initiated the online transaction,” said Fran Maier, executive director of TRUSTe. “This simple consumer protection message needs to be conveyed through a broader consumer education campaign.”
According to Maier, online consumers have become more skeptical about email and web sites as a result of their unpleasant experiences with phishing and want to see action taken to address the problem. The study also found that three-quarters of wired Americans have noticed an increase in phishing incidents during the past few months, with one-third saying they have received emails send under fraudulent pretenses at once a week.
According to Gartner, online fraud is happening in several ways, such as harvesting credit-card numbers through phishing, opening new credit card or checking accounts with stolen identities, forging checks, and transferring money out of checking accounts. Gartner said fraudsters are increasingly combining online and offline techniques and challenges to accomplish their goals. “For example, they may phish for online bank account users’ IDs and passwords, log on to consumers’ online bank accounts, look at the check images and record the check numbers and signatures which can then be used in check-forgery schemes,” said Gartner analyst Avivah Litan.
Meanwhile, according to Spam Filter Software Review, in 2002, in the US alone, junk mail cost businesses almost $9 billion. And in 2003, 40 percent of the emails circulating around the Internet were spam and each user received an average of 2,200 spam messages a year. Because of patent disagreements among its members, the Internet Engineering Task Force (IETF) failed to reach consensus on a Microsoft-back Sender ID proposal to fight spam. The IETF, which works by consensus on Internet standards, dissolved a working group on Send ID after deciding that agreement could not be achieved anytime soon. Some experts said Microsoft decided to demand a registration license for their part of the Sender ID program and since the new protocols need to be freely available to the public, this caused additional problems. Under Sender ID, Internet service providers would submit lists of their mail servers’ unique numeric addresses. On the receiving end, software would poll a data base to verify that a message was actually processed by one of those servers.
The IETF is expected to create a working group as early as November to craft standards for digitally signing messages, which is an anti-spam approach favored by Yahoo. Products from companies like McAfee and Silverpop have been designed to offer detection and protection against unwanted messaging traffic. McAfee WebShield and SpamKiller Appliances for example include anti-virus, content scanning, anti-phishing and anti-spam protection at the Internet gateway. On the other hand, Silverpop’s tools, such as audits that won’t let messages go out without addresses and opt-out links, let marketers ensure they comply with CAN-SPAM Act regulations. For example, the SafeSender features automate compliance for all email sent by a company. The company said according to its recent survey that nearly half of Fortune 1000 companies lack comprehensive internal regulations for CAN-SPAM compliance.
The CAN-SPAM Act, which was signed into law in 2003 and went into effect on January 1, 2004, requires that unsolicited commercial email include a valid postal address as well as an accurate sender address and subject line. Compliance with the CAN-SPAM Act has fluctuated in the past six months, but has stayed below 5 percent. The law has been used by law enforcement to go after spammers and this year there have been a few examples of mass emailers being prosecuted for violation of the Act. Since compliance is still at low levels, email recipients have been using a wide variety of tools to block spam, including commercial filtering applications and appliances and keyword filtering.
Company-own actions to fight spam and pishing
At the recent international spam enforcement meeting in London, UK Office of Fair Trading chairman John Vickers said spam is not just annoying and intrusive. “It gets in the way of legitimate e-commerce and is often a vehicle for scams and computer viruses,” he said. “International collaboration by enforcement agencies, the efforts of the computer and communications industries, and smart consumers are all needed to combat the internet scammers.”
Furthermore, various vendors are taking their own actions, which range from lawsuits to building extensive internal policies around this issue. For example, USBank, Wells Fargo Bank, eBay and PayPal and Citibank have initiated anti-phishing programs that include educating the consumer about phishing and/or have a special section of the site devoted to helping customers avoid fraud. Microsoft and Amazon.com recently filed several lawsuits against phishers and spammers they claim spooked the companies’ web sites and domain names to commit fraud on the Internet.
Sophos security analyst Gregg Mastoras said specifically for phishing attacks there is concern that this type of criminal activity will create the perception that the web is not a safe place for commerce. “So companies such as Amazon whose business model is predicated on the web is sending two messages,” he said. “One to consumers, that you are safe with us because we are being proactive about security and one to the phishers, we will prosecute you if we are targeted.” This action by companies is a critical part of what needs to be done, Mastoras said, adding better legislation is another part of the story.
Protecting users from criminals
He emphasized the US House of representatives just passed an anti-spyware bill unanimously to protect users from criminals who aim to spy and steal information. The Internet Spyware Prevention Act would authorize the appropriation of $10 million to the US Justice Department annually for the next four years for prosecutions to discourage the use of spyware and phishing. “The third part of the story is technology, deployed and used effectively,” Mastoras said. “And finally the education of users is virtual.”
In the UK, IT minister Mike O’Brien talked about phishing at the Labour Party conference in October. O’Brien said the government is anxious to work with industry, users and key groups to find ways of addressing the issues. “The Information Commission can be more effective,” he said. “We are reviewing the powers of the Information Commission particularly regarding enforcement and investigation.” According to O’Brien, the memo of understanding on international collaboration between the US, UK and Australia that the Parliamentary antispam group achieved in September is a good first step to starting cooperation.
What’s more, Canada Deputy Prime Minister Anne McLellan and US Attorney General John Ashcroft met on October 22 at a joint cross-border crime forum to develop joint solutions to common cross-border crime issues. The two released a joint threat assessment on identity theft and a public advisory on phishing. Both countries intend to work together to alert the public to such dangers and work on the collaboration among Canadian and American law enforcement agencies.
According to Dave Jevans, chairman, Anti-Phishing Working Group, various European countries have passed anti-spam laws, and the OECD is actively holding meetings to discuss anti-spam strategies. “Part of this naturally focuses on Phishing,” he said. “To my knowledge, there are no anti-Phishing specific laws in Europe. Usually Phishing is a crime that is prosecutable under identity theft, bank fraud, credit card fraud or money laundering laws.” Jevans emphasized in the UK, the National High Tech Crime Unit has been quite successful in arresting a number of phishing gangs and they are also working with the authorities in other countries such as Russia to have special visas to be able to enter the country and make arrests in a timely fashion.