AU phishing scams to get worse

Online fraudsters are getting smarter and the current round of "phishing scams" may just be the start, according to Australian High Tech Crime Centre (AHTCC) head Alastair MacGibbon.

"Phishing" scams are highlighted by MacGibbon as an area of grave concern. Phishing is a simple type of fraud -- a scammer sends out a spam e-mail which purports to come from an institution such as a bank. The e-mail invariably asks the recipient to click on a link and re-enter their username and password. The site is of course a fake -- the link in the e-mail directs the victim to a site controlled by the fraudsters, which records whatever credentials are typed into it. It's a type of scam that's likely to get worse before it gets better, MacGibbon said.

"The phishing scams against the banks illustrate the potential for this type of crime across all types of online commerce," MacGibbon told ZDNet Australia. "This is a growing crime type. We've seen it across a range of institutions. It would be naive to think that this won't spread."

Banks do not ask their customers for log-in details by e-mail; other forms of e-commerce, however, routinely solicit transactions through newsletters. Airlines, for example, advertise special deals by way of a subscribed newsletter. Fraudsters mimicking newsletters such as these, and offering fake fares too good to resist -- such as Sydney to Melbourne for AU$20 -- may be more difficult to spot as fakes and more successful in tricking recipients, precisely because e-mail solicitations are a normal part of the online business process for that industry sector.

"It does raise some questions as to how we conduct business online," MacGibbon said.

The scams are becoming serious enough for consumer choice to play a part in stamping out phishing, MacGibbon argues. "They might start choosing businesses that offer them [an] increased level of security," he said.

The introduction of a two-way verification process may help to mitigate these types of scams, MacGibbon said. Every time a user enters their log-in name into the bank's Web site, the system displays a pass-phrase the customer gave the institution when they enrolled -- something easy to remember, such as "I like bananas in the morning" -- before asking for the password. In such a two-way authentication process the bank is not only verifying the authenticity of the customer's credentials; it is also verifying itself to the customer, since a fake site has no way of knowing the pass-phrase to display.
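The exchange described above, as an added example that is not code from the original article or from any bank: a small Python simulation of the two-step login, with the real bank on one side, a look-alike phishing site on the other, and a customer who refuses to type a password until the site shows the pass-phrase. The account names, passwords and pass-phrase are constructed sample data, and the class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: customers enrol with a password
# and a pass-phrase they chose themselves. All names and values are made up.

PBKDF2_ROUNDS = 100_000


class Bank:
    """Server side of the two-step login.

    Step 1: the customer submits a username and the bank shows the
    pass-phrase that customer registered at enrolment.
    Step 2: the customer, having recognised the pass-phrase, submits the
    password, which the bank checks against a salted PBKDF2 hash.
    """

    def __init__(self):
        self._accounts = {}

    def enrol(self, username, password, pass_phrase):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[username] = {"salt": salt, "digest": digest, "phrase": pass_phrase}

    def begin_login(self, username):
        """Step 1: return the enrolled pass-phrase, or None for an unknown user.
        (A production system would avoid revealing which usernames exist.)"""
        account = self._accounts.get(username)
        return account["phrase"] if account else None

    def complete_login(self, username, password):
        """Step 2: verify the password in constant time against the stored hash."""
        account = self._accounts.get(username)
        if account is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, account["digest"])


class FakeBankSite:
    """A phishing site run by the fraudsters. It can copy the bank's look and
    feel, but it was never told the customer's pass-phrase, so the best it can
    do in step 1 is show something generic and hope the victim carries on."""

    def __init__(self):
        self.harvested = []

    def begin_login(self, username):
        return "Welcome back! Please enter your password below."

    def complete_login(self, username, password):
        self.harvested.append((username, password))
        return True  # pretend success so the victim does not get suspicious


def customer_login(site, username, password, expected_phrase):
    """Client side: submit the username, compare the phrase the site shows with
    the one the customer remembers, and only then release the password."""
    shown = site.begin_login(username)
    if shown != expected_phrase:
        # The site could not reproduce the phrase only the real bank knows:
        # treat it as a fake and do not type the password.
        return "aborted: site did not show my pass-phrase"
    if site.complete_login(username, password):
        return "logged in"
    return "rejected: wrong password"


def demo():
    """Run the same customer against the real bank and the phishing site."""
    bank = Bank()
    bank.enrol("alice", "correct horse battery", "I like bananas in the morning")
    phisher = FakeBankSite()
    real = customer_login(bank, "alice", "correct horse battery", "I like bananas in the morning")
    fake = customer_login(phisher, "alice", "correct horse battery", "I like bananas in the morning")
    return real, fake, len(phisher.harvested)


if __name__ == "__main__":
    print(demo())
```

The pass-phrase is a recognition aid rather than a cryptographic proof: it defeats a fake site that merely copies the bank's pages, which is the scenario the article describes, but a site that forwards the username to the real bank in real time and echoes back whatever phrase it receives would still pass this check, so the customer's habit of stopping when the phrase is missing is what carries the protection.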

The AHTCC, which is staffed by law enforcement agents from seven different police forces, including the Australian Federal Police (AFP), is working closely with major Australian banks in minimising the impact of phishing and tracking down the criminals behind it. However, not everyone is impressed with the progress made to date.

Internet Industry Association (IIA) chief executive Peter Coroneos, speaking at the launch of an anti-phishing service from mail filtering company MessageLabs, told journalists he believed "the banks haven't done enough in Australia" to protect their customers against the scams.

Phishing scams, he said, can be perpetrated by "relatively unskilled" criminals, but the impact on the victims is severe -- the crime is therefore a very serious consumer issue. However, the IIA chief remains optimistic about stamping out the crimes. Because there are clear-cut commercial reasons to attack phishers, the status quo is likely to be challenged.

Unfortunately, people are getting away with phishing scams, MacGibbon said. While it's not possible to directly transfer money out of an Australian Internet banking account into accounts hosted offshore, the scammers will often approach an Australian bank account holder and seek their cooperation. They are told they will be paid simply for the use of their account -- stolen funds are transferred into the collaborators' account, withdrawn by the real account holder and sent to the scammers through wire services such as Western Union. The account holder is paid a commission on the stolen funds, but may not know they've been assisting criminals in perpetrating a phishing scam.

AusCERT general manager Graham Ingram, speaking at the same event, agrees with MacGibbon -- phishers are getting smarter and "learning from their mistakes". He said it's difficult to minimise the impact of phishing scams when the fake sites are hosted in countries which are slow to cooperate with Australian law enforcement agencies and AusCERT.

"One of the most difficult parts... is closing them down," he said. "All the servers that we've dealt with have been compromised machines," he added.

A case in point occurred earlier this week when a phishing e-mail hit in-boxes on Monday. The link in the e-mail directed recipients to a fake Commonwealth Bank Web site. That site was still active on Thursday, giving the fraudsters a four-day window to collect usernames and passwords. That site has now been removed. However, another scam targeting Commonwealth customers has popped up today.