The recent sentencing of a Texas man was a notable victory for the U.S. government in its fight against a form of online fraud known as "phishing." But a recent surge in such scams highlights the need for more than customer education, with some computer security experts calling for major changes in the way sensitive information is exchanged online.
Zachary Keith Hill, 20, was sentenced to 46 months in prison after pleading guilty to defrauding America Online and PayPal customers with a sophisticated online phishing con, the U.S. Department of Justice says.
Hill admitted he fraudulently obtained credit card and bank account numbers and defrauded consumers of $50,000 in two phishing scams. The customers were fooled into providing the information after receiving e-mail messages from Hill containing links to Web pages that harvested personal information. The e-mail looked like official correspondence from the companies.
Low-Risk, High Reward?
Such scams proliferate because online criminals, including organized crime groups, enjoy relatively high success rates from phishing crimes, which rarely result in arrest, says Avivah Litan, vice president and research director at Gartner, which recently published a report on phishing.
"Criminals feel like it's a lucrative, low-risk crime. So what's the harm in trying?" she says. "They're getting a 3 percent click-through, whereas the success rate with spam is just 1/2 percent."
"There's an incredible [return on investment]," says Susan Larson, vice president of global content at Surfcontrol, an e-mail filtering company. "Given the seriousness of the information [phishers] are gathering, it's very lucrative. These people wouldn't keep doing it if it wasn't."
Gartner estimates that 57 million U.S. Internet users have received fraudulent e-mail linked to phishing scams, and that 3 percent of them, or 1.7 million people, may have been tricked into divulging personal information.
Despite those figures, the successful prosecution of Hill was the first conviction of a phisher by the DOJ's Computer Crime and Intellectual Property section, according to Mark Mendelsohn, a trial attorney with the DOJ.
One reason for the shortage of phishing prosecutions may be the relative newness of the problem. The Gartner numbers were projected from a study of 5000 adult Internet users, which found that phishing attacks have become pervasive just in the last 12 months, accounting for 92 percent of the known or suspected attacks reported by study participants, Gartner says.
The Anti-Phishing Working Group (APWG) has also seen a steep increase in reports of phishing attacks in recent months. The industry group received more than 1100 reports of phishing scams in April, a 178 percent increase from the previous month, says Dan Maier, director of product marketing at Tumbleweed, and an APWG spokesperson.
Cara Samokar, a high school counselor in Somerville, Massachusetts, near Boston, is one of those statistics.
Samokar was recently taken for more than $2000 after she responded to an e-mail in early 2004 that warned of "fraudulent account" activity at EBay.
"It was very professional looking," Samokar says. Among other things, EBay's logo was displayed prominently and the wording of the e-mail was professional, right down to the legal disclaimer at the bottom of the message.
After following an embedded link in the message to a Web-based form, Samokar, who is in her early 20s and occasionally auctions items on EBay, entered her EBay user name and password, as well as the account number and personal identification number for a Connecticut bank account she uses.
Samokar thought nothing more about the message, until two months later, when she logged on to her online banking account to pay bills and noticed that her account balance was almost $2000 less than it should have been.
"It turns out some people in Amsterdam had made up dummy cards with my account information on them, then they went around to ATM machines, taking out money, $500 at a time," she says.
Samokar didn't recall receiving any warnings from eBay or her bank about such scams prior to receiving the deceptive e-mail, and so she didn't make a connection between the e-mail and the ATM thefts until an EBay customer service representative mentioned the phishing scam to her weeks later, she says.
On the Increase
EBay does not give out statistics on phishing scams, but the company has seen a "considerable increase" since the beginning of 2003, and particularly in the last couple months, says Hani Durzy, a company spokesperson.
Like other companies with targeted customers, EBay relies in large part on reports from users to identify new scams that use its name, or that of its PayPal division. Once it has identified a scam Web site, the company works with the ISP hosting the site to take it down.
Depending on whether the scam site is hosted inside or outside the U.S., it could be taken down almost instantly or stay up indefinitely, he says.
In fact, a whole new business in so-called "bulletproof" Web hosting has sprung up to keep phishers and other online scam artists in business, even after their ruse has been detected, Surfcontrol's Larson says.
"These are offshore hosting companies in places like Malaysia, India, and Turkey that basically say, 'We'll keep your site up, no matter what'," she says.
ISP EarthLink is expecting the number of phishing attacks using its name to double in coming months. Each of those attacks generates thousands of calls and e-mail messages to EarthLink's support staff, says Scott Mecredy, senior product manager at the company.
In recent months, the company has seen phishing scams shift from attacks created by novices--"kids with too much time on their hands"--to sophisticated cons that suggest the backing of professional and organized criminals, he says.
The latest generation of phishing scams uses several methods to trick users, including pop-up graphics to mask the true URL of the phishing site and the installation of spyware and Trojan horse programs on victims' computers, Mecredy says.
Like many other companies grappling with the phishing problem, EBay and EarthLink are emphasizing the need for better user education and trying to increase customer awareness of the problem. EBay set up a Web page to help educate customers about fraud and phishing scams, Durzy says. EarthLink also posted information that helps customers spot phishing scams, Mecredy says.
Countless other companies with links to online commerce, including Visa International and digital certificate provider GeoTrust, have also published lists of tips and advice for spotting phishing scams. Both companies tell customers to be suspicious of unsolicited e-mail requests for financial information or other personal data, and not to click on links within the unsolicited messages.
GeoTrust encourages consumers to look for the "padlock" symbol on Web pages when they enter sensitive information, which indicates that encryption is being used to protect information sent over the Internet. Most phishing sites do not use encryption, according to Neil Creighton, chief executive officer of GeoTrust.
More and more, companies affected by the phishing problem are also offering free software tools to help customers sniff out scams.
EBay introduced a feature in its Web browser toolbar, a small program that runs with a user's Web browser, that flashes red when the user visits a possible spoof site. The toolbar uses a database of spoof site URLs submitted by customers and is updated "fairly quickly," Durzy says.
Like EBay, EarthLink in April added a "scam blocker" feature to its Web browser toolbar that can spot and warn users about scam Web sites, Mecredy says.
The federal government also is taking phishing more seriously and other investigations of phishing scams are ongoing, says Chris Painter, deputy chief for computer crime at the DOJ's Computer Crime section.
Among other steps, the government is considering a large-scale move against phishers, with multiple lawsuits announced simultaneously, DOJ attorney Mendelsohn says. "You may see a general announcement to package [phisher investigations] together ... It's definitely one of the kinds of cases the DOJ is targeting," he says.
DOJ officials also hope that the comparatively long sentence given to Hill will deter others from setting up phishing scams, he says.
However, even stepped-up enforcement and better user education aren't likely to stop phishing attacks, which take advantage of many of the same structural weaknesses in the Internet as spam e-mail, viruses, and worms, experts agree.
"The phishing problem has a lot of intersection with other problems we look at, such as malicious code and spam," Mendelsohn says.
Widespread adoption of e-mail authentication technology would put a dent in phishing scams, which rely on faked sender (or "from") e-mail addresses to mimic legitimate business correspondence and trick recipients, says Maier of the APWG.
Microsoft's Caller ID technology and Yahoo's DomainKeys proposal are two attempts to jumpstart the introduction of e-mail sender authentication across the Internet.
"Almost 100 percent of phishing attacks start with spam. If you stop spoofed e-mail, you stop a huge proportion of spam," he says.
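The point Maier makes above, as an added example that is not from the article or from either vendor's implementation: a minimal DomainKeys-style check in which the From domain publishes a public key (DomainKeys used DNS TXT records; a map stands in for DNS here), its mail server signs outgoing mail, and the receiver verifies against the published key, so a forged From header no longer passes. The domain bank.example, the keys and the messages are constructed sample data, and Ed25519 is used in place of the RSA keys the original proposal specified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Message is a simplified e-mail: the headers covered by the signature plus the body.
type Message struct {
	From, Subject, Body string
	Signature           []byte // empty for unsigned mail
}
// dnsKeys stands in for DNS TXT records: From domain -> published public key (constructed data).
var dnsKeys = map[string]ed25519.PublicKey{}
// fromDomain returns the lower-cased domain part of a From address, or "" if malformed.
func fromDomain(from string) string {
	if i := strings.LastIndex(from, "@"); i >= 0 {
		return strings.ToLower(from[i+1:])
	}
	return ""
}
// canonical is the signed byte string: the headers a phisher forges plus the body.
func canonical(m Message) []byte {
	return []byte("from:" + m.From + "\nsubject:" + m.Subject + "\n\n" + m.Body)
}
// Sign is what the legitimate domain's outbound mail server does.
func Sign(m Message, priv ed25519.PrivateKey) Message {
	m.Signature = ed25519.Sign(priv, canonical(m))
	return m
}
// Verify is the receiving side: it rejects unsigned mail, a From domain with no published
// key, a tampered message, and a signature made with any key other than the published one.
func Verify(m Message) bool {
	pub, ok := dnsKeys[fromDomain(m.From)]
	if !ok || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(m), m.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // bank.example publishes pub, keeps priv
	dnsKeys["bank.example"] = pub
	genuine := Sign(Message{From: "alerts@bank.example", Subject: "Statement", Body: "Ready."}, priv)
	_, phisherPriv, _ := ed25519.GenerateKey(rand.Reader) // phisher forges the From header
	forged := Sign(Message{From: "security@bank.example", Subject: "Verify account", Body: "Click."}, phisherPriv)
	fmt.Println("genuine:", Verify(genuine), "forged:", Verify(forged)) // genuine: true forged: false
}
```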
Strong encryption of sensitive e-mail messages using PKI (public key infrastructure) would also help, but could ruin the experience of using e-mail, Mecredy says.
Beyond that, companies can choose from various secure e-mail or antispam providers including Tumbleweed, Sigaba, and Postini. PassMark Security offers technology to specifically address phishing scams, allowing customers to configure their online accounts so a unique thumbnail image appears on legitimate e-commerce Web pages, Litan says.
Coordination is also needed between ISPs, banks, and other stakeholders to stop the problem before it undermines confidence in online commerce, Litan and others say.
"The phishing problem is one that's really a collective issue--something that the Internet community as a whole should solve," says Litan.