What is Phishing?
(pronounced fish´ing) (n.) The act of sending an e-mail to a user
falsely claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private information that will
be used for identity theft. The e-mail directs the user to visit a Web
site where they are asked to update personal information, such as
passwords and credit card, social security, and bank account numbers,
that the legitimate organization already has. The Web site, however, is
bogus and set up only to steal the user’s information. For example, 2003
saw the proliferation of a phishing scam in which users received e-mails
supposedly from eBay claiming that the user’s account was about to be
suspended unless he clicked on the provided link and updated the credit
card information that the genuine eBay already had. Because it is
relatively simple to make a Web site look like a legitimate
organization's site by mimicking the HTML code, the scam counted on
people being tricked into thinking they were actually being contacted by
eBay and were subsequently going to eBay’s site to update their account
information. By spamming large groups of people, the “phisher” counted
on the e-mail being read by a percentage of people who actually had
listed credit card numbers with eBay legitimately.
Phishing, also referred to as brand spoofing or carding, is a
variation on “fishing,” the idea being that bait is thrown out with the
hopes that while most will ignore the bait, some will be tempted into
biting.
Other forms: phish (v.)
Phishing Scams:
A new breed of sophisticated e-mail attack that is difficult to
detect and defend against is further proof that cyber-criminals and scam
artists are getting more serious about their efforts to steal
information.
The new attack is an enhanced form of phishing, scams that are defined
as attempts to steal credit card data and other sensitive information
through social-engineering efforts. Phishing scams typically employ
phony e-mail messages that purport to come from banks or popular Web
sites such as eBay or PayPal. The messages try to lure recipients into
entering account information and passwords into bogus forms hosted on
malicious Web sites.
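The definition above and the paragraph just before this describe the same mechanism: a message that borrows a brand's name and steers the reader to a look-alike site. The following is an added example, not code from the original article, showing one defender-side check a mail filter can apply offline: parse the HTML body, collect every link, and flag anchors whose visible text names one site while the href points somewhere else, anchors that target a bare IP address, and anchors that mention a brand but do not resolve to that brand's domain. BRAND_DOMAINS is a hypothetical allow-list, SAMPLE_EMAIL is a constructed message modelled on the eBay account-suspension lure the text describes, and the registrable-domain helper is a deliberate simplification (a production filter would consult the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: brand keyword -> domains it may legitimately link to.
BRAND_DOMAINS = {
    "ebay": {"ebay.com"},
    "paypal": {"paypal.com"},
}

# Constructed sample (not a real message): the visible link text claims
# www.ebay.com while the href goes to a documentation-range IP address.
SAMPLE_EMAIL = """
<html><body>
<p>Dear eBay member, your account will be suspended unless you update
your credit card information within 24 hours.</p>
<p><a href="http://203.0.113.7/ebay/update.php">http://www.ebay.com/account/update</a></p>
<p>Questions? Visit <a href="https://www.ebay.com/help">eBay Help</a>.</p>
</body></html>
"""

# Visible anchor text that looks like a URL or bare hostname; group 1 is the host.
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain.
    Adequate for .com-style hosts; real deployments use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of_text(text):
    """Return the hostname if the visible anchor text is itself a URL, else None."""
    m = URL_TEXT.match(text.strip())
    return m.group(1).lower() if m else None


def is_ip_literal(host):
    return IPV4.fullmatch(host) is not None


def scan_links(links):
    """Return (href, reason) findings for links showing phishing indicators."""
    findings = []
    for href, text in links:
        target = (urlparse(href).hostname or "").lower()
        if not target:
            continue  # mailto:, relative links etc. are out of scope here
        if is_ip_literal(target):
            findings.append((href, "link target is a bare IP address"))
        shown = host_of_text(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append((href, f"visible URL {shown} does not match target {target}"))
        haystack = (text + " " + href).lower()
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in haystack and registrable_domain(target) not in allowed:
                findings.append((href, f"mentions {brand} but points at {target}"))
    return findings


def scan_email(html):
    """Parse an HTML e-mail body and return all link findings."""
    collector = LinkCollector()
    collector.feed(html)
    return scan_links(collector.links)


if __name__ == "__main__":
    for href, reason in scan_email(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Only the first anchor is reported, on all three checks; the second anchor mentions eBay but actually resolves to ebay.com, so it passes. The mismatch check is the one that matters most in practice, since a lure that hides its real destination behind plausible link text is exactly what the article's eBay example relies on.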
Scammers are now taking phishing to the next level. Instead of relying
on victims' gullibility, they are using technological tricks borrowed
from crackers and virus writers to exploit software vulnerabilities and
plant Trojans on compromised computers.
An example of this new approach is an e-mail message that began
circulating last week with the purpose of installing a Trojan known as
Sepuc. The e-mail has no subject line and no text in the body of the
message. When the user opens the message, code hidden in the e-mail
attempts to exploit a known vulnerability in Microsoft Corp.'s Internet
Explorer to force a download from a remote machine.
This file, in turn, downloads several other pieces of code and
eventually installs a Trojan capable of harvesting data from the PC and
sending it to a remote machine, experts say. The most worrisome aspect
of this attack is that, unlike previous scams, victims would likely have
no idea that they had done anything wrong.
"If it works successfully, it's just a blank e-mail, and you don't see
anything else. It's a whole new trend for this stuff," said Bill
Franklin, president of Zero Spam Network Corp., in Miami. Franklin has
been tracking the new attacks since receiving and thwarting such
malicious missives last week. "Having your account information
compromised and not knowing it is the scary part. This is the best thing
I've ever seen like this," he said.
Phishing is a relatively recent phenomenon, having popped up within the
past year. But it is becoming more popular with online criminals. In
September 2003, MessageLabs Inc., a New York-based e-mail security
company, saw 279 phishing-related e-mail messages. By March 2004, that
number had jumped to 215,643. Likewise, the Anti-Phishing Working Group,
a volunteer consortium that monitors online scams, reported that it
tracked 402 unique phishing scams in March 2004, an increase of 43
percent from February.
Most typical phishing e-mail messages are poorly constructed and rife
with misspelled words and, as such, are easily identifiable as fakes.
But the Sepuc attack and a more sophisticated new version of the eBay
scam, which also exploits an IE flaw to install a keystroke logger on
compromised PCs to steal user names and passwords, don't immediately
strike recipients as malicious.
Characteristics of new attacks:
- Use software vulnerabilities to force PCs to download code
- Install Trojans on compromised machines to gather data
- Harvest user names and passwords for distribution to attackers
- Compromise machines without the user's knowledge
The increasing sophistication of the new attacks is not just the
result of criminals getting better at their craft; they're also starting
to cooperate with crackers and virus writers to swap ideas and methods.
"These worlds are starting to collide. The code behind these newer
attacks is very polished and, in some cases, even has comments in it,"
said Dan Maier, a member of the Anti-Phishing Working Group, in Redwood
City, Calif. "They're sharing code with crackers, using spamming
techniques. It's a scary combination."
Maier said he has also seen attacks recently in which users who click on
a link to a fraudulent Web site are redirected through several sites,
some of which attempt to load Trojans or back doors onto the users'
machines. So, even if the user is smart enough not to enter any personal
information into the Web form, his or her data still could be at risk,
said Maier, who also serves as director of product marketing at
Tumbleweed Communications Corp., a secure e-mail provider also in
Redwood City.
This fact is not lost on federal law enforcement officials, who have
made identity theft and phishing high priorities and are investigating
the new breed of attacks, sources say. The attacks also have gotten the
attention of banks and other financial institutions that end up dealing
with the aftereffects of the fraud that results from these scams.
"Their concern is more for their reputations than the actual financial
losses. They're dealing with people's trust here," said Eli Katz,
director of the active risk monitoring practice for Unisys Corp., based
in Blue Bell, Pa. "These organizations are walking a fine line with
phishing. They want people to be aware, but they don't want them to be
so paranoid that they stop doing business with them.
"The same concept used here could be used to fake any authority, like a
company's HR department," Katz said. "You could do a lot of damage with
something like that."