Phishing: Spam that can’t be ignored

If you haven’t already heard about phishing, then get ready. Like a lot of spam, phishing is a form of unsolicited commercial email.
Written by David Berlind

If you haven’t already heard about phishing, then get ready. Like a lot of spam, phishing is a form of unsolicited commercial email. Whereas not all spam is a scam, all attempts at phishing are scams, and the potential losses to corporations and consumers alike are stunning.

Phishing, as the name implies, is when spam is used as a means to “fish” for the credentials that are necessary to access and manipulate financial accounts. Invariably, the e-mail will ask the recipient for an account number and the related password using an explanation that their records need updating or that a security procedure is being changed that requires confirming an account. Unsuspecting e-mail recipients who supply the information don’t know it, but within hours or even minutes, unauthorized transactions will begin to appear on whatever account was compromised.

By now, most people know that giving this information away on the Internet is a no-no. With phishing, however, it’s almost impossible to tell that the e-mail is a fraud. Like spam, e-mail from phishers usually contains spoofed FROM or REPLY TO addresses to make the e-mail look as though it came from a legitimate company.

In addition to the spoofed credentials, the e-mail is usually HTML-based. To an undiscerning eye, the e-mail bears the authentic trademarks, logos, graphics, and URLs of the spoofed company. In many cases, the HTML page is coded to retrieve and use the actual graphics of the site being spoofed. Most of the phishing I’ve received pretends to come from PayPal and contains plainly visible URLs that make it look as though clicking on them will take me to PayPal’s domain. Upon quick examination of the HTML tags behind the authentic-looking link, the actual URL turns out to be an unrecognizable and cryptic-looking IP address rather than an actual page within PayPal’s domain.
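To make that link check concrete, here is an added example (not the author’s or eBay’s code) that parses an HTML mail body and flags anchors whose visible text shows one domain while the href goes to another, or whose href host is a bare IP address. The sample message and the 203.0.113.9 address are constructed.

```python
# Added example: flag the deceptive-link signs the column describes, visible
# text showing a trusted domain while the href points elsewhere, and hrefs
# whose host is a raw IP address. _Anchors collects (href, text) per <a>.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: first link mimics PayPal, second is genuine.
SAMPLE_HTML = ('<a href="http://203.0.113.9/update">https://www.paypal.com/cgi-bin/webscr</a> '
               '<a href="https://www.paypal.com/help">www.paypal.com/help</a>')

class _Anchors(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_like):
    """Hostname of a URL, or of bare text such as 'www.paypal.com/help'."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return [(href, text, reason)] for anchors that look deceptive."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.found:
        real = host_of(href)
        # Visible text that itself looks like a URL or domain is the lure.
        shown = host_of(text) if "." in text and " " not in text else ""
        if is_ip(real):
            findings.append((href, text, "href host is a raw IP address"))
        elif shown and shown != real:
            findings.append((href, text, f"text shows {shown}, href goes to {real}"))
    return findings
```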

PayPal, the payment subsidiary of eBay, is a common target of phishing. If you get one and you’ve never joined PayPal, then you obviously know it’s a fraud. But if you are a PayPal member, as I am, the phisher has at that point broken through the unofficial security-by-obscurity layer that once protected you. It is not difficult to see how PayPal members could be victimized by this technique.

According to Anti-Phishing Working Group Chairman David Jevans, PayPal isn’t the only target of phishers. “In about 35 percent of all reported phishing attacks, eBay’s PayPal service is the biggest victim. But just about any financial institution, credit card issuer, retailer, or other business can be targeted. UK-based NatWest was phished badly in October 2003 and then even worse in December. The December attack was so bad that NatWest had to take down its site. Visa was another organization that was targeted over the holidays.”

At first blush, phishing appears to be a sort of buyer-beware consumer issue, since the e-mails themselves are prospecting for potential account holders of the spoofed institutions. Indeed, depending on the spoofed institution’s policies, a consumer could end up eating a loss. “So far,” said Jevans, “most of the transgressions against individuals have been in the hundreds of dollars because smaller transactions will sometimes go unnoticed for a while. But they go higher. The largest one on record so far is for $16,000. If the credentials obtained by a phisher are for a credit card account, then the risk is usually absorbed by either the card issuer or a merchant.” This is when the hard dollar cost of phishing, which Jevans considers a form of identity theft, begins to be recognized by corporations and businesses instead of individuals.

However, the financial risk that’s connected with each credit card transaction isn’t the only hard dollar cost to corporations. “In most cases so far, as a matter of good customer relations,” said Jevans, “where a customer has experienced a loss as a result of phishing, the spoofed institution has made them whole even if their policies don’t expressly guarantee that treatment. As evidence of how this cost is hitting the bottom line, several Australian banks have set aside a $2 million fund just to cover any losses associated with phishing.”

Jevans cited other areas of loss as well. “When NatWest had to shut its site down, it incurred the added expense of setting up and manning a phone number that customers could call. In situations like that, dissatisfied customers that have to wait a long time on jammed phone lines might take their business elsewhere,” Jevans said.

According to Jevans, another unexpected cost could arise after a large number of accounts are successfully phished. Jevans said the cost to issue new credit cards, accounts and passwords is about $50 to $60 per user. “You can see how the costs can quickly escalate if 2000 accounts are compromised. Not only that, once a phisher has succeeded with a particular institution, the trust chain--especially in e-mail--is broken. So, it makes it much more difficult for the institution to maintain a relationship via e-mail with its customers.”

Liability is yet another area of concern for organizations that are spoofed. Jevans said that one of the Anti-Phishing Working Group’s members is being sued by customers whose accounts were successfully phished. Whether the plaintiffs will get anywhere could be the topic for an entire column, but regardless of whether a company wins or loses such a case against its customers, it still must bear the legal costs. The spoofee may not be the only target of such a lawsuit. In an effort to cover their tracks, many phishers will publish their web pages on Web servers that they’ve hacked into, unbeknownst to the operators of those Web servers. Under these circumstances, it’s entirely possible that the operator of the hacked Web server could be sued on the grounds of negligence through lax security as well.

While businesses everywhere are staring down the barrels of phishers’ shotguns, they’re also trying to figure out how to put a stop to it. As with spam, the solutions are primarily technological, legal, and social. The biggest priority currently is to deal with the major phishing attempts as reports of them surface. Obviously, the first order of business is to disable the offending page. “Depending on the situation,” Jevans said, “this could require any number of techniques. For example, if the phisher published the page by hacking into a legitimate server, you can’t just go and shut that server down or have all the paths to it cut off by the ISPs. In some situations, that’s what you need to do, but in others you have to work with the operator of the server to remove the offending page.”

Jevans warns that even the most proactive of responses to a phishing report may not be sufficient. “It can take anywhere from 19 hours to 6 ½ days before a site or a Web page is cut off,” said Jevans. “It takes longer when the sites are located overseas and increasingly, more and more of these sites are showing up in Eastern Europe and Asia. Quite often, by the time something is shut down the damage is done.” Jevans noted that pilfered funds pass through temporary accounts and are eventually electronically shuffled to offshore accounts in a way that makes the money trail almost impossible to follow. “Regrettably, no phishers have been caught yet,” Jevans said.

Users can achieve some success in shutting down suspect pages. When I contacted eBay’s public relations department about one of the PayPal phishers that had come my way, the company asked me to file the report to the e-mail address spoof@ebay.com, where it collects all reports of this nature. About two weeks passed between the time when I first received the e-mail and when I finally forwarded the e-mail and its header to that address. During that entire time, the page remained active. Within 24 hours of filing the report, I received a reply from eBay confirming that the page was fraudulent and that the company had taken action. To no avail, I tried to return to the offending page with my browser. eBay obviously has some clout. When I asked for more details about its process for handling my report and whether eBay would try to track down the bad guys, the company refused to comment. According to Jevans, this is not uncommon. Although the Anti-Phishing Working Group has a blue-blooded membership consisting of major financial institutions and Fortune 500 companies, most of them would just as soon not be mentioned in stories that have to do with phishing.

“On the technology front, since phishing is spam, the same tools to combat spam such as Web and e-mail filtering are one approach,” Jevans said. “But we also recommend that companies regularly scan the DNS to see if domains with a close resemblance to their own are being registered. When Visa was targeted last month, the phisher used the domain visa-security.com. Also, banks are starting to digitally sign their e-mails, which in turn requires that end users be educated on how to discern between an e-mail that’s been legitimately signed and one that’s not.”
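Jevans’ DNS-scan advice as an added example (not code from the column or the working group): it scores newly observed domains against a brand watch list, flagging those that embed the brand name, the visa-security.com pattern, or whose registrable label sits within a small edit distance of it. The brand list and domain feed are constructed.

```python
# Added example: look-alike domain screening for a brand watch list.
from difflib import SequenceMatcher

# Constructed watch list and a constructed feed of newly observed domains.
BRANDS = ["paypal", "visa", "natwest"]
SAMPLE_FEED = ["visa-security.com", "paypa1.net", "pay-pal-verify.org",
               "weather.example", "natwest.co.uk", "vista.com"]

def second_level_label(domain):
    """Registrable label: 'visa-security' from 'visa-security.com'."""
    parts = domain.lower().rstrip(".").split(".")
    # Crude handling of 'co.uk'-style suffixes; real use would consult the
    # Public Suffix List instead of this short hard-coded set.
    if len(parts) >= 3 and parts[-2] in ("co", "com", "org", "net", "ac"):
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_score(label, brand):
    """Similarity in [0, 1]; 1.0 when the brand is embedded in the label."""
    squashed = label.replace("-", "").replace("_", "")
    if brand in squashed:
        return 1.0
    # Otherwise a character-level similarity catches paypa1-style swaps.
    return SequenceMatcher(None, squashed, brand).ratio()

def flag_lookalikes(feed, brands, threshold=0.8):
    """Return [(domain, brand, score)] for domains resembling any brand.

    A label identical to the brand is skipped: that is the brand's own name,
    not a look-alike (e.g. natwest.co.uk in the constructed feed).
    """
    hits = []
    for domain in feed:
        label = second_level_label(domain)
        for brand in brands:
            score = lookalike_score(label, brand)
            if score >= threshold and label != brand:
                hits.append((domain, brand, round(score, 2)))
    return hits
```

On the constructed feed, vista.com is flagged against visa at 0.89, which shows why a pure similarity threshold needs an allow-list or human review before anyone acts on it.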

From a social perspective, education is key. For example, users need to be schooled on how to spot fraudulent mail and what to do about it. Whereas eBay has a process in place, other institutions may not. Jevans said anyone can file a phishing report at www.antiphishing.org.

Companies that are interested in developing an acute awareness of the phishing problem could benefit from joining antiphishing.org. The members share intelligence and ideas on how to deal with the problem. The organization is also associated with several other prominent industry working groups. Jevans said membership is open to businesses that pass the organization’s litmus test (to keep phishers from getting inside), and that its next confab is in New York City on January 29th.

Oh, and if you go, be sure to hang a sign on your office door that reads “Gone Phishin’.” At the very least, your co-workers will ask what it means and thus, the education process within your company can begin.

You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.