By Kelly Shermach CRM Buyer Part of the ECT News Network
03/28/05 5:00 AM PT
Unfortunately, banks and other frequently phished organizations, as well as independent security developers, are moving more slowly to deter these attacks than the phishers are to commit them, said Peter Cassidy, secretary general of the Anti-Phishing Working Group.
Phishing is one of the most significant threats to online consumers, and as the incidence of this type of fraud increases, so does the perpetrators' average take. Phishers who lucked out and lured several customers of a British bank into false communications recently made off with an average of 5,000 pounds sterling, or US$9,348, per phished account.
With every successful intrusion on consumers' financial identities, phishers also gain more financial resources which they can then use to invest in more programmers and technology to advance their sophistication in fraud.
Phishers may target tens of millions of online consumers, but they only need a tiny fraction of those users to bite for them to collect a handsome reward. And many more malicious e-mails, culled from ever-expanding data sources, are going out as the months pass, according to the Anti-Phishing Working Group.
Many-Splendored Thing
Not long ago, phishing consisted only of a social engineering scam in which phishers spammed consumer e-mail accounts, positioning themselves as real-life banks. Half of these fake e-mails fell into spam filters employed by e-mail service providers, and another 35 percent got dumped by wise consumers.
The remaining 15 percent, however, arrived in the inboxes of consumers who were actually customers of the banks named by the phishers in their attacks. A smaller percentage of these messages were opened and acted upon by gullible recipients who clicked on links in the e-mails and entered their user names, passwords and other personal information the phisher requested on a phony bank login page.
Now phishers worldwide play an even sneakier game. They send e-mails offering content like sports scores or porn or daily jokes. These e-mails deliver their recipients to real Web sites that feature the advertised content, but the phishers use the visits to download key-logger programs that record keystrokes, to override the hosts files on those computers, or to install other malware on consumer machines. In this way, they effectively take control of unwitting computer users' hardware so that when those users visit their banks online, phishers literally cash in.
Cassidy called this "blended" or "hybrid" phishing because it combines the social engineering -- tricking e-mail accountholders into a communication based on a feigned relationship or a social invitation -- with technical subterfuge, or the co-opting of private computers through the Internet.
"That combination is not wholesome," he said.
Heads in the Sand
Cassidy warned that banks need to be paying careful attention.
"When you're a bank, all you're really selling is trust, so you can't make it look like you're out of control of the solution," he told CRM Buyer.
"Everyone is aware that this is going on, but at the end of the day, the losses are so small that [banks] wipe the crocodile tears of their customers away and put the money back into their accounts," he said. "In terms of rational economics, they figure anything they spend [on security] would completely eclipse any losses from phishing. They don't want to go out with a solution that won't work in another six months or a year."
But that doesn't do much for trust, especially when consumers read about phishing attacks in the media. Richard Stiennon, vice president of threat research at Webroot Software Inc., the maker of Phish Net, an application for consumers that is in beta test now, predicted that all banks eventually will adopt biometrics, single-use security codes or smart card functionality being tested by a handful of security-savvy institutions now.
But they may wait until the last possible minute to implement these safety measures.
"Whenever cybercrime intersects with existing business models, they don't react until they're affected," he said. "Banks are the most guilty parties in not evaluating the risks well enough. ... There are technology solutions that the banks should be using."
Attacking eBay
While the most recent report from the Anti-Phishing Working Group -- results for the month of January 2005 -- shows that 80 percent of phishing activity involves financial institutions, eBay (Nasdaq: EBAY) also ranks among the top five companies most frequently targeted by phishers.
EBay's problem stems from its prominence in the online world. With the scads of transactions that take place through the auction house and the virtual nature of all communications occurring through it, phishers can hardly pass up the opportunity to scam sellers.
"EBay has over 20 million active users. That makes it one of the most likely targets. Citibank doesn't have that many online users even though it might have more accounts," said Stiennon.
The Anti-Phishing Working Group's Cassidy commended eBay for its security initiatives, however. "eBay has been subject to this probably longer than anyone else and is doing a lot that's probably smarter than anyone else," he said. "It is way ahead of the world."
Understanding the Problem
"The message that really has to come across is that phishing is evolving," said Cassidy. "It's going to higher levels of automation that ultimately will not require any interaction from consumers at all."
Art Manion, Internet security analyst with the CERT Coordination Center, a center for Internet security expertise at Carnegie Mellon University, agreed. "Phishing is not a technical problem," he said, referring to the hybrid of social scam artistry and covert hijacking of consumers' hardware. "That's why it's uncontrolled. There aren't necessarily technological solutions for all human problems."