First, the good news: e-businesses have moved quickly to combat phishers, consumers are learning to be more discerning, and vendors are stepping up with anti-phish tools and services.
Now the bad news: Phishing exploits continue to increase at an alarming rate. There were only 198 phish sites in January 2004; there were 2,625 in February 2005, according to the Anti-Phishing Working Group. The number of unique phish e-mails hit a whopping 13,141 in February, and Symantec reports that its Brightmail spam filters blocked an average of 33 million phishing attempts per week in December, up from an average of 9 million in July.
But the sheer volume of phish attacks is only part of the problem. Phishers have become more sophisticated, using "phishing without a lure'' techniques, such as pharming, spear phishing, Google phishing and Wi-phishing, to reel into customer account information without the customer ever entering personal account information on a fake Web site.
In fact, Symantec says hackers seem to be shifting their focus from taking down Web sites to gaining access to confidential information. Between July and December, malicious code created to expose confidential data represented 54 percent of the top 50 malicious code samples Symantec received, up from 44 percent in the first half of 2004 and 36 percent in the second half of 2003.
And phishers are expanding their list of targets beyond major banks to a seemingly unlimited number of smaller financial institutions and other e-commerce sites. "There is a cyclical pattern,'' says Mark Schull, president and CEO of online fraud fighting company MarkMonitor. Phishers hit Bank A. Bank A fights back. Phishers move on to Bank B, but then, armed with ever more sophisticated tools, circle around and hit Bank A again a few months later.
Even though experts say a smaller percentage of consumers is falling for phishes these days, the dollar damage from online bank fraud is significant. A recent survey by the Ponemon Institute said that 2 percent of people surveyed had lost money, and the study estimated that consumers lost US$500 million to phishers in 2004. Even more troubling, the survey of 1,335 people reported that 70 percent of respondents had visited a fake site, and 15 percent said they had parted with private data.
Even more troubling for online merchants is the psychological impact. In a study of 655 consumers by fraud prevention service Cyota, more than half said they were afraid to do online commerce because of phishing concerns. And a Symantec study showed that nearly one-third of respondents said they would not do online banking because of phish fears.
"If you're a financial institution who sees that e-banking is critical to revenue growth, and you hear that 31.5 percent of your prospective online customers won't use e-banking, you've got to take some steps to change that,'' says Kim Legelis, director of banking and financial services solutions at Symantec.
"Phishing has been pretty top of mind for me over the past eight months,'' says Brad Nightengale, vice president of emerging products at Visa. He says Visa has been hit with its "fair share of phishing attacks'' and has responded in a number of ways, including the creation of a phishing e-mail box where customers can send phishes to be analyzed. Visa has joined an anti-phish reporting network. And it has aggressively moved against phish sites by contacting the ISP used by the phisher and getting the site shut down - often within three hours of detection.
Nightengale says that while Visa believes it has phishing "well under control'' in terms of actual consumer fraud, there is the larger worry. "One of the reasons we're so concerned is that we believe consumers may perceive the online environment as exceedingly risky," he says. And that perception could curb online spending, even though studies have shown that the vast majority of identity theft occurs offline, he says.
"Phishing is more an attack on brand identity than on consumers," says Dave Cullinane, chief information security officer at Washington Mutual in Seattle, which started seeing attacks against its brand in October. "Phishers are trying to take advantage of confusion, and they're very good at the social engineering [deception] aspect of getting people to give up things they shouldn't."
Like Visa, Washington Mutual has responded by launching a consumer education campaign, sharing attack trends and technologies with industry associations, and hiring a brand protection service to close down phishers as quickly as possible.
But this level of effort is mostly reactive. The Financial Services Technology Consortium, a group formed last year specifically to fight phishing, strongly advocates preventive measures, including two-factor authentication - sooner rather than later - to validate everything a customer sees or touches online.
Who are you?
Not surprisingly, vendors have stepped up to offer authentication schemes. The problem is that most online consumers simply won't climb the learning curve needed to manage multiple authentication methods, nor will they keep racks of tokens and stacks of cards to conduct e-business, contend Cullinane and others.
This is why early deployments of two-factor consumer authentication are seeing limited acceptance. AOL in September launched its PassCode Premium Service using RSA Security SecurID tokens for a one-time cost of $9.95 per token and $2 to $5 per month, depending on number of users it supports. Despite the potential to stave off identity theft, adoption rates are slow, says Tatiana Platt, AOL's chief trust officer.
Currently, AOL offers the tokens to protect only AOL account logons. Ideally, the tokens would authenticate AOL users to AOL merchant partners. The problem is the systems aren't compatible, Platt says, although she adds that over time technology like this will be widely adopted and integrated, particularly among financial institutions.
Leading the way are overseas banks - primarily in Africa, Asia and Europe, according to authentication vendors. And they, too, are finding only partial acceptance.
"A second level of authentication certainly protects consumers from getting phished because phishers can't capture and re-use the one-time generated password," says Roland Le Sueur, head of Internet banking at First National Bank of South Africa (FSBA) in Johannesburg, which began offering its customers ActivCard tokens just over a year ago.
So far, only 12 percent of FSBA's online banking customers use the tokens, according to Le Sueur. He says he suspects this slow adoption is partly because of complacency. (Not to mention the tokens cost consumers the equivalent of $30.) So FSBA is responding with a national radio, TV and print blitz called "national online security week." Le Sueur adds, "Hopefully from this campaign, we'll get more people interested in using the tokens."
Newer, simpler challenge-response methods could make the user experience easier and therefore more widely accepted. Entrust in October announced its IdentityGuard system. At logon, users are prompted for three numeric grid points on pre-issued cards.
LyfeCard in Phoenix, which issues bank cards and e-wallet applications to people with poor credit ratings, uses two-factor, two-channel authentication by StrikeForce called ProtectID that calls the user on a pre-designated phone number and asks for the pass code.
In this case, the pass code actually is a series of questions culled from database information to which only the customer would know the answer. The ProtectID system, which cost $80,000, also includes 256-bit keyboard-to-database encryption to thwart keystroke loggers.
"Multi-factor authentication drives product costs higher, but it's necessary because of all the ID theft going on," says LyfeCard CEO Michael Austin. "Unless you protect your products and services in a fashion that eliminates that threat, you're not going to stay in business. Not to mention you open yourself up to lawsuits."
Where are you from?
Two-factor authentication will prevent phishers from accessing user accounts if they happen to fall for a phish. But that still doesn't authenticate an online brand to the user. And already, the e-mail channel is so untrusted that 70 percent of the Cyota survey participants said they are less likely to respond to e-mail from their banks because of fears of phishing.
Fortunately, there are emerging e-mail authentication standards such as Sender ID. According to Microsoft, 750,000 domains already publish their Secure Policy Framework (SPF) records, something spammers and phishers couldn't get around because the SPF records wouldn't resolve against their phony return addresses. During its vetting of the standard, Microsoft's Hotmail has caught about 3.2 billion spam messages per day.
The Email Service Provider Coalition has endorsed Sender ID. It is being implemented in third-party products, such as CipherTrust's IronMail, specifically to reduce phishing and other forms of fraud. And ISPs such as AOL are ready to support Sender ID.
"Once the SPF standard is more fully implemented, you'll be able to tell if an e-mail claims to be from a legitimate site or not," AOL's Platt says. "If it's not coming from a legitimate banking site, we'll be able to block it from ever getting to our members."
Meanwhile, some large brands are developing proprietary e-mail systems to communicate directly with their customers. AOL uses a spoof-proof "chrome" mail that has a different look and feel than mail sent from outside the AOL mail system. Because it's not coded in HTML, the ice blue envelope, dark blue pane around the letter and the "Official AOL Mail" logo cannot be forged, Platt says.
And in December, eBay rolled out the first phase of an internal messaging system that can only be read by users logged on to their eBay accounts. A source at eBay says that the system is designed to wean customers away from collecting eBay communications in their general e-mail accounts so that they will ultimately only communicate with eBay through the proprietary eBay system.
Another trend is that consumers are taking e-mail authentication upon themselves. For example, they're embracing EarthLink's spamBlocker, which challenges incoming mail from addresses that aren't in the users' address books by sending an e-mail to the sender asking for a reply. Until the reply is received and the recipient approves it, the original mail is held in a "suspect mail" folder.
A system like this called ChoiceMail by DigiPortal Software killed 99 percent of the spam problem at Taylor Guitars. In so doing, it removes the primary vector phishers use to lure their victims, says Bret Houston, IS manager at Taylor Guitars.
"Most spammers, particularly phishers, don't give legitimate return e-mail addresses, so they're not sitting around waiting to reply," adds Houston, who uses the ChoiceMail challenge response for 50 of the company's 150 employees. (DigitPortal also offers a free program to home users.)
While businesses and consumers are finding more options for authenticating e-mail, proving the legitimacy of a Web site is harder to do. But because browser redirects and Web address spoofing are being used in phishing, businesses will need to look for ways to prove to their customers that their sites are legitimate.
One company, PassMark Security, offers two-way authentication that relies on unique pictures issued to customers that can be used to validate Web sites at the logon pane. For example, a user is issued a picture of a sunset or a pine forest, and when the user gets to the logon screen, he is prompted with the same picture to identify that the site is legitimate. PassMark also offers this for e-mail authentication.
The other option is authenticating that a site is not legitimate. This requires users to put fraud-detection toolbars on their browsers, which use blacklists to show users when they're on a suspected fraudulent site. AOL, eBay and EarthLink offer such toolbars to their users. And so do third-party browser plug-ins such as SpoofStick and FraudEliminator. Third-party products also weed out phony Web addresses by looking for misspelled URLs, Web address overlays, IP addresses and other telltale signs of a spoofed URL.
When bad things happen
When phishes do happen, brands need to report the frauds to their consumers in order to protect them.
When phishers forged the UCLA Credit Union brand in February, Steve Sercu, vice president of information services, published an article in the college newspaper paper, the Daily Bruin, to warn his 40,000 customers about the scam and educate them about phishing. When Banknorth in Portland, Maine, was phished in January, it sent out an
e-mail to its customers alerting them to the text of the phish, how to report it, and highlighted, in bold, that Banknorth would never ask for account numbers, PINs, passwords or other personal information via e-mail.
It's not just customers who need to be alerted of a phish. Washington Mutual's Cullinane says you must also alert the call center so staff know what the customers are talking about and can inform them accordingly when calls inevitably start pouring in.
"What it boils down to is eternal vigilance on our parts," says Doug Johnson, senior policy analyst at the American Bankers Association. "We need to do everything we can to prevent the erosion of customer confidence and make users comfortable with the environment."
Hooking a phisher
A week after the Dec. 26 tsunami decimated the coast of Indonesia, phishers were using the crisis to try to steal money and account information from people wanting to donate to the cause.
"We started to see fake tsunami sites go up shortly after the disaster happened," says Dan Larkin, director of the FBI's Internet Crime Complaint Center (ICCC).
Often, federal agencies don't get involved until a high-dollar threshold - $50,000 - is reached. But in this case, FBI agents sprung to action before the phishers could inflict that level of damage.
First, the ICCC moved to contain the damage by issuing a national scam warning, which was picked up by major media outlets and posted on the sites of legitimate aid organizations.
Meanwhile, Mercy Corps, an aid organization that was being spoofed, had sent the FBI what information it could on a phisher who'd spammed 800,000 people with a mirror-image aid scam hyperlinking Mercy's logos, art and tsunami footage directly from Mercy's legitimate site. The phish also linked to a PayPal account where the fraudster collected donations.
Tracking the IP address of the phish site usually leads to false positives, open proxies or bounces off compromised networks (also called botnets). So agents decided to follow the money.
"The criminal was reasonably savvy in setting up phish sites," Larkin says. "So the first thing we did was embed a message in the images he'd hyperlinked from Mercy saying 'This is a fraud site,' so people wouldn't fall for it. Then we called PayPal and provided them with the paperwork they needed to see this guy was operating a fraud."
Using PayPal's logs and registration information, agents tracked the fraudster to an anonymous Hotmail account. Microsoft and PayPal logs placed the fraudster in Pittsburgh with Comcast as his ISP.
To issue a warrant, the ICCC needed irrefutable proof that the suspect was actually operating the criminal site. So they appealed to Comcast, which also opened its logs to show that, yes, this user from this IP address logged in and out of the sites on these particular days. That was enough to issue a search warrant for Matthew Schmeider, 25, an unemployed painter from Pittsburgh.
Just three days after launching the investigation, the FBI seized Schmeider's computer and got him off the Internet before Schmeider could do any major damage. Schmeider's total take? A mere $150. He has been charged with fraud.
This case is an example of the level of partnership forming between the FBI and private companies, says Howard Schmidt, former chief security strategist for eBay and former White House cyber security adviser.
Those private/public efforts have led to the creation of the Digital Phishnet, a joint effort announced in February at the RSA Conference to report, thwart and bring online criminals to justice.
"The value of the resources the private sector has is phenomenal. They can help us identify anomalies, new attack methods and ways criminals and spammers are getting around defenses and filters," says Larkin, who helped rewrite the FBI's cybercrime mission just after Sept. 11 to redefine public/private sector relationships.
In return for private sector cooperation, the aggregated information shows members the new ways phishers conduct their attacks, register and park their fraudulent sites and trick spam filters to deliver their phishes (such as in January, when the ICCC detected phish spams going through Port 87 to get around filters on Port 80).
"What we need to do is move quickly and follow the trail while it's hot. These partnerships help us accomplish that," Larkin adds . "And it's an appropriate message to their customers that they [online brands] are going the extra yard to protect their customers by pooling their resources."
Phisher's tacklebox
Phishers are becoming sneakier, more organized and more adept at bypassing filters. They use a range of malware including worms, viruses and spyware to get at confidential data even when their victims don't follow a link and cough up the information. And they're taking advantage of a host of Web site and DNS vulnerabilities to phish directly from trusted sites. Here's how they do it and how to combat it:
Pharming
How it works: Hackers hit DNS servers to redirect visitors from legitimate sites to phish sites. Reports surfaced in January that DNS poisoning was used to redirect Google and Amazon users to a pharmacy site. Solution: Lock down DNS and authenticate Web sites to users.
Spear phishing
How it works: Phishers load keystroke loggers onto victim machines through e-mail preview panels, instant messages, pop-ups or compromised Web sites. The keystroke loggers activate when certain keywords are typed into the browser. Solution: Encourage customers to keep anti-spyware, firewalls and anti-virus filters up to date. Teach them not to click on pop-ups or links in IM. Review Web applications for vulnerabilities.
Google phishing
How it works: Phishers use search engines to drive traffic to illegitimate sites. Solution: Investigate misuse of your brand and get Web sites to shut down as soon as possible.Register all iterations of your domain name so phishers can't use them.
Ineffective spam filters
How it works: Phishers are using atypical calls and services to sneak past filters. Solution: Keep up to date on the latest techniques used by phishing spammers. Set spam filters accordingly.
Spoofing Web addresses
How it works: Phishers are exploiting browser vulnerabilities and new international characters approved by the Internet Corporation for Assigned Names and Numbers International Domain Name Standard. Solution: Develop Web services that accept other browsers besides Internet Explorer (the most vulnerable to spoofing). Encourage users to patch browsers as soon as security alerts are issued.
Wi-phishing
How it works: The drive-by collection of password and account information. Solution: Encourage users to turn on wireless encryption in their home networks and to turn off Bluetooth when cell phones are not in use.