Who's phishing for your students?

I was recently quoted on C|Net by Joris Evers in Neighborhood watch for phishing regarding a grassroots effort to stamp out phishing sites as quickly as possible by notifying the owners of the servers being used for such activity.  The point I made was that it is naive for 100 volunteers to believe that they could really make a difference by successfully thwarting the efforts of dishonest people to steal the money or identities of the unsuspecting.

I was recently quoted on C|Net by Joris Evers in Neighborhood watch for phishing regarding a grassroots effort to stamp out phishing sites as quickly as possible by notifying the owners of the servers being used for such activity.  The point I made was that it is naive for 100 volunteers to believe that they could really make a difference by successfully thwarting the efforts of dishonest people to steal the money or identities of the unsuspecting. 

From my experience, college students are prime targets for phishing -- whereby one receives unsolicited e-mail (presumably) from their bank (or whomever) asking them to follow a link provided and to enter their personal information (such as account number, Social Security Number, or password). 

Why are college students prime targets for phishing attacks?  Largely because they are exceedingly trusting.  They are also inexperienced.  Most college students are away from home for the first time and are anxious to expand their horizons.  Some have brand new credit cards, some are carrying their parents' credit cards.  They perceive themselves as invincible and savvy in the ways of the world.  Little do they realize that the Internet is full of anonymous predators.  Sure, they've all been warned about the dangers of chat rooms and 'dirty-old-men' looking for pre-teens to molest but how many have ever received an official-looking e-mail from some multi-national corporation looking for account information?  Sometimes these e-mails actually appear to be coming from someone at their institution -- giving the e-mail that much more credibility.  How many have been told what to look out for when reading such e-mails? 

What can college IT administrators do about this problem?  Unfortunately, not a lot.  There are a few things though that can help protect your students:   

  • Today, many larger institutions have SPAM filters on their mail relays.  These tools look for telltale signs of SPAM and dump that e-mail into a holding space.  Then, each day they send the student an e-mail listing the headers for each 'questionable' e-mail -- along with a weighting to indicate how likely these are to be SPAM.  After so many days, unclaimed SPAM is considered unwanted and deleted.  These tools are reasonably reliable but, because they are dependent upon certain characteristics of all SPAM, they tend to experience false positives as well as false negatives.  If the filters themselves are not updated regularly, the changing nature of SPAM soon makes them ineffective. 
  • In order to address the problem of mail spoofing, colleges and universities are implementing port blocks on their mail-relays which prevent someone from outside their network from using the university's mail relays.  This requires all e-mail from the university's domain to originate from within the university's network.  Off-campus students must then connect to their university e-mail accounts via VPN, or via web-based e-mail clients.  This may not completely eliminate the ability to spoof e-mail identities but it makes it harder to hide the underlying identity of the sender who is using your mail relays.
  • Requiring authentication before students can send e-mail using your mail relays further insures that no matter where the e-mail says it was from, you know the account used to authorize the sending of that e-mail.
  • Firewalls should be in place, both in your machine room and at the perimeter of your campus.  Blocking inappropriate traffic from your campus and your machine room prevents unauthorized personnel from accessing your servers. 
  • Require all users to be authenticated before using your network.  This won't stop phishing attacks but it will keep those who might use your resources for phishing attacks off your campus network.

Ultimately education is the best defense against phishing.  Make sure your students know about phishing and that they know how to recognize it and how to avoid being duped by these unscrupulous people. 

Make sure your students have guidelines for n'etique on your campus and that they acknowledge with their signatures that they understand their rights and responsibilities while using your network. 

How do we stop phishing?  There is plenty of legislation which makes phishing a crime.  After all, before a penny is stolen, it is fraudulent to represent yourself as someone that you are not.  The problem is identifying the perpetrator and figuring out in what jurisdiction the fraudulent activity is taking place.  Once that can be determined, prosecuting the offender is straightforward in most jurisdictions around the world.  But there is the rub ...

While walking down the street we are surrounded by strangers.  Yet, while we may not know their name, or anything else about them, that is the extent of their anonymity.  We are a witness to their behavior and their physical attributes.  They leave clues all about them as to who they are and the authorities have the resources to track down their whereabouts.  Establishing probable cause from those who witness their actions leaves the authorities ample leeway to gain the necessary search warrants to close the case and prosecute the perpetrators of the crime.  But ...

With phishing, there are no witnesses -- just the victim.  The evidence is a legitimate-looking e-mail.  We can track down the mail-relays it travelled through and the server hosting the bogus web-site but the jurisdiction of the victim my be unrelated to the jurisdiction of either the mail-relay or that of the hosting website.  So whose laws apply? 

Finally, the perpetrator may have signed up for a free e-mail account and free web-hosting from a publicly accessible workstation pretty much anywhere in the world.  Tracing down the systems involved and working with authorities to gain access to local law-enforcement resources takes time and, without a suspect, or even the jurisdiction of the suspect, pinning down the perpetrator is all but impossible. 

Sure, it is just as easy for someone to use the post office or a telephone to commit a crime anonymously but in order for them to steal someone's money or identity, they must make personal contact with the victim.  This places each within clearly defined jurisdictions.  This is simply not the case on the Internet. 

Until the technical means exists to determine the identity of a perpetrator of a phishing scam, as well as their jurisdiction, the most vulnerable among us will continue to fall victim to this kind of crime, and our governmental agencies will continue to circumvent the law by snooping on innocent people while looking for anonymous perpetrators of anonymous crimes with potentially anonymous victims.