E-Mailers Beware: Phishers Never Sleep
Mar 27, 2008 4:00 AM PT
Can you recall the five worst phishing scams to grace your e-mail in-box? Can you spot a genuine e-mail from your financial institution or government agency?
Don't feel too technologically challenged if your answer is no to either -- or both -- of these questions. Even security experts are hard-pressed to choose the worst phishing scams. Prize-winning phishing scams are not usually tracked by security experts the way computer viruses are.
Unlike most computer virus attacks, phishing attacks are much more subtle -- and they can't be identified, blocked and removed with anti-intrusion software such as antivirus and antispyware products.
Phishers count on unwary e-mail recipients to react to their urgent requests for information confirmation. Cleverly concocted phishing messages trick recipients into letting down their guard by going to look-alike Web sites in response to legitimate-looking messages.
The goal is to get people to willingly give away their personal identities. Consumers who take this bait unwittingly make themselves victims of identity theft, by entering vital personal information that enables cyber-thieves to steal passwords and account numbers.
"We don't see lots of innovation with phishing attacks. Most attacks are fairly similar with graphic images that look like the original Web site. We do see some fairly good graphics imitations and some message sophistication, however," Paul Piccard, director of threat research at Webroot, told TechNewsWorld.
By definition, "phishing" is a scam by which an e-mail user is duped into revealing personal or confidential information that the scammer can use illicitly. When users respond with the requested information -- say, user names, passwords and account numbers -- attackers can use it to gain access to their accounts.
Phishing is based on long-established forms of social engineering. Most phishing schemes use messages delivered in e-mail documents that look like they came from real companies or from valid electronic addresses. Some phishing attacks use malicious Web sites to solicit personal, often financial, information.
"When security firms first noticed the use of e-mail to snag unaware users into divulging their personal information, we called it 'cyber crime' and 'computer crime,'" Paula Greve, director of Web security research for Secure Computing, told TechNewsWorld.
In the early days of phishing, most messages were obvious scams. Poor grammar and awkward phrasing were usually solid clues that the messages were phony, often originating in foreign lands, according to security experts. Even the most inexperienced computer users quickly learned to disregard such messages.
However, the steady stream of new e-mail users provides phishers with a constant supply of potential victims who still fall for the same old lines. Is there anyone who doesn't delete the sob-story appeal to help an errant foreign government official or lawyer move funds into an American bank? Well, yes. Suckers are still responding to the lure of promised commissions.
The really effective phishing attacks, though, target e-mail in-boxes for legitimate-sounding reasons. The latest scams address specific groups of corporate executives and would-be recipients of government tax refunds.
"Every time phishers go to a new level of effectiveness, they get there by showing new innovations," said Greve.
The phisher's intent is to snag victims before the media learns of the new methods. They aim to catch their prey unaware, Greve explained.
In 2005, DSW Shoe Warehouse, ChoicePoint and LexisNexis were the victims of high-profile identity thefts. Innovations in targeting message recipients raised these scams to a new level.
In the spring of 2007, a sophisticated group of attackers targeted high-salaried workers at selected corporations in an attack that used e-mail disguised as messages from the Better Business Bureau (BBB), the Internal Revenue Service (IRS) and the Federal Trade Commission (FTC).
This year's tax season provides even more fodder for phishers to cash in on Americans with tax returns and refunds on their minds. Scammers are taking advantage of it with greater attention to message authenticity.
Phishers have drawn up elaborate forgeries almost exactly mimicking those of the real Internal Revenue Service Web site. These scam sites are hosted by domain name registrars operating in Russia and other former Soviet countries, according to Internet security experts.
The newest innovation surfaced in January 2008. A huge spike in attacks raised e-mail volume tenfold. All of the links involved in these attacks go to two or three phishing pages. If a recipient clicks on one of these links in an e-mail and then completes a form requesting personal and financial information, the site redirects to the actual IRS Web site -- unlike many similar scams, which leave the victim on the fake page.
"The IRS and BBB e-mails are two of the more memorable phishing attacks because they opened the phishing methods to a whole new area," said Greve.
Phishers often tap into the e-mail recipients' interest in current events, which makes their messages much more believable. Consider, for example, the current federal economic stimulus package.
"E-mails supposedly from the IRS urge recipients to get their refunds early by clicking a link in the e-mail. Consumers are duped into giving out their personal information under the guise of getting their refunds sooner," Brian Lapidus, chief operating officer of Kroll's Fraud Solutions, told TechNewsWorld.
This is a ripe time for the bad guys, Lapidus said, and they're getting incredibly savvy. "Tax fraud happens 12 months of the year. It is just more prevalent now."
Consumer Response Needed
There's no silver bullet to end the threat of phishers, but common sense and safe practices will go a long way toward keeping consumers from becoming the victims of phishing scams.
"Users need to become savvy about what they are clicking on," said Greve.
"Treat all information entered online as sensitive," she cautioned, "[including] how you store your account PINs (personal identification numbers). And always clear out your browser history."
Consumers also have to know how government agencies work. Limiting the type of personal information exposed on Facebook and MySpace pages also helps.
"Banks don't reach out over e-mail," said Greve.
"Consumers need to know this -- and the IRS doesn't know the e-mail accounts of taxpayers," she warned.
"More experienced computer users know there is no inherent trust in e-mail messages received from anybody," echoed Piccard.