Gone Phishing

While antivirus software has done much to reclaim the Internet for ordinary people, fears of identity theft through phishing and pharming scams continue to prevent many from conducting business online. Retailers, banks and software developers all have a vested interest in making the Internet a safe place to do business, but ultimately the responsibility lies with ordinary consumers, for whom knowledge and a little healthy mistrust are the key weapons against phishing.

The term phishing entered the English language in 1996 when a discussion arose on the alt.2600 hacker newsgroup about fishing for accounts from members of the online AOL community. The term was quickly given its own flavour by replacing the 'f' with 'ph' and a new revenue-generating technique entered the hacker's repertoire. Phishing uses social engineering techniques, essentially the skills of a conman. In the online connected world this means that criminals gain access to such information as passwords and credit card details, by posing as a legitimate person or business using an apparently official electronic communication, usually an email or an instant message. And since the rewards are so great, the scam is carried out by large criminal organisations globally reaching out to all members of the online community.

The damage caused by phishing ranges from loss of access to email to substantial financial loss. The US alone loses billions of dollars to phishing scams every year, and these figures are repeated on varying scales in all countries around the world. The reason for this is twofold - the skill of the phishers in their well-crafted schemes and the ignorance and gullibility of the online community. Once a victim has in good faith given out their social security number and credit card details to a fake website, phishers are able to open fraudulent accounts in their name and reap the financial rewards.

Some examples of phishing techniques

Some other techniques use javascript commands to superimpose a picture of the legitimate entity's URL over the address bar, or close the original address bar and open a new one containing the legitimate URL. Technical tricks aside, some phishing attacks use straightforward cons: messages purportedly from a user's bank report a problem with their bank account and give a phone number to call. Once the phone number is dialed, the users are prompted to enter their account numbers and PIN, and those that do soon find their accounts sucked dry.

Spear phishing - a new technique

Phishing is very much like casting a large net - sooner or later you will catch a fish. Spear phishing, on the other hand, describes any phishing attack with a distinct target in mind - usually a certain company, government agency, organization, or group. Spear phishers send e-mail that appears genuine to all the employees or members within the organization, usually made to look as if it comes from a trusted source, for example the person who manages the computer systems in your company, requesting something as innocent as user names or passwords.

The truth is that the e-mail sender information has been faked with the aim of accessing a company's entire computer system. If you respond with a user name or password, or if you click links or open attachments in a spear phishing e-mail, pop-up window, or Web site, you might become a victim of identity theft with repercussions for your whole company or association.



Fighting back

Spam filters are an important first line of defence against phishing attempts because they reduce the number of phishing-related emails that users receive. Anti-phishing software is available that helps to sniff out phishing content on websites, acts as a toolbar that displays the real domain name of the visited website, or spots phishing attempts in email. Microsoft itself has announced that its new IE7 browser will include anti-phishing technology. For banks and other organizations susceptible to phishing attacks, certain dedicated companies offer round-the-clock services to monitor, analyze and potentially shut down offending phishing websites. The Scandinavian bank Nordea, which was the target of a broad phishing scam in 2005, suspended its online service altogether until the threat had been neutralized.

What you can do

Since, for the most part, phishing only succeeds through social engineering, the best way to beat it is to be wise to the conman's tricks. Users who suspect a phishing attempt should contact the company in question to check that the email is legitimate. Going to the official company website by typing a trusted web address into the address bar of the browser, bypassing the link in the suspected phishing message, is also advisable. If you are a user of eBay or PayPal, always ensure that the communication uses your username - generic salutations such as "Dear valued xxx member" should immediately raise suspicion. One Internet pundit suggested that everyone with the time and energy should reply to the phisher with their own bogus information, thus multiplying the time, energy and frustration required to gain any reward from their criminal pursuits.

Masood Syed Ghouse, a researcher specialised in phishing at the Data Security Laboratory in F-Secure, recommended a combination of knowledge and software to beat the phishing problem: "User education is important and helps prevent users from becoming the victims of most phishing attacks out there. However, phishing attacks are becoming more and more complex and it is getting increasingly difficult for users to spot some of the more sophisticated phishing attacks by themselves without the aid of technical countermeasures. This is one of the reasons why Anti-Phishing solutions are also highly recommended for everyone."

What F-Secure is doing

From a technical perspective, F-Secure's present Anti-Phishing solution is to filter phishing emails through Spam Scanner rules meaning that phishing emails and spam emails are handled by the same component. F-Secure is also examining other possibilities for tackling phishing with nothing as yet disclosed.
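As an added example (not F-Secure's code and not its Spam Scanner rules), the following Python script shows what a handful of the rules described in this article look like in practice: it flags the generic salutations that the eBay/PayPal advice above warns about, urgency wording, and links whose visible text names one host while the href actually leads to another (the mismatch an address-bar toolbar that shows the real domain is meant to expose). The sample message and the "example-bank" domain are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): a generic salutation,
# an urgency threat, and a link whose text shows the bank's domain while the
# href actually points to a raw IP address.
SAMPLE_EMAIL = """\
Dear valued customer,
<p>We detected a problem with your account. Please confirm your details at
<a href="http://203.0.113.7/login">https://www.example-bank.com/login</a>
within 24 hours or your account will be suspended.</p>
"""

GENERIC_SALUTATIONS = ("dear valued", "dear customer", "dear member", "dear user")
URGENCY_PHRASES = ("within 24 hours", "account will be suspended", "verify your account")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def real_host(url):
    """Hostname a browser would actually connect to, i.e. what a toolbar should show."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(message):
    """Return the names of the rules that fire on an email body (empty list = clean)."""
    hits = []
    lowered = message.lower()
    if lowered.lstrip().startswith(GENERIC_SALUTATIONS):
        hits.append("generic_salutation")
    if any(p in lowered for p in URGENCY_PHRASES):
        hits.append("urgency")
    for href, text in ANCHOR_RE.findall(message):
        target = real_host(href)
        # Link text that looks like a URL or domain but resolves to another host
        shown = real_host(text.strip()) if re.search(r"\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != target:
            hits.append("link_text_host_mismatch")
        if IPV4_RE.fullmatch(target):
            hits.append("raw_ip_link")
    return hits


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_EMAIL))
```

Rules like these are deliberately simple and will miss the more sophisticated attacks the article mentions, which is why they are one layer alongside user education rather than a replacement for it.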

What the authorities are doing

From a legal point of view, the US was the first country to prosecute phishing perpetrators, as early as 2004. This was closely followed by Britain and Brazil, both of which actively pursued and convicted phishers. The following year, the US created legislation, the Anti-Phishing Act, which puts the guilty at risk of a five-year jail term or a fine of $250,000. Federal prosecutions aside, there are a number of lawsuits pursued by such giants as Microsoft and AOL to bring the guilty to book.

Experts believe that the general rise in knowledge about phishing and the continuous improvement in methods to block it will ultimately clamp down on this particular criminal pursuit. Nevertheless, criminals as the recipients of a multibillion dollar global 'scam' may yet prove themselves tough adversaries.

What Gartner has to say

In a report entitled "Increased Phishing and Online Attacks Cause Dip in Consumer Confidence", the research organisation predicts that reluctance among consumers to do business online could inhibit US ecommerce growth rates by one to three percent through 2008. The report continues that an estimated 2.42 million US adults report losing money because of phishing attacks and that total financial losses in 2005 amounted to 929 million USD. The report also stated that not only is phishing on the rise but that consumer education efforts to combat it are being outweighed by the sheer numbers of people coming online with no knowledge of this particular activity. With new "under the radar" attacks using URLs embedded in attachments that install a keylogger, allowing a hacker to obtain user information covertly and remotely, many people are not even aware that they are the target of phishing attacks. The upshot for the online community is that many are suspicious of all emails sent to them through 'official' channels, that many want businesses to provide proper secure connections at no extra cost, and that Web sites should be able to authenticate themselves to the user rather than vice versa.

Source: Gartner, publication date 22 June 2005

For another perspective on phishing, see the article written by Masood Syed Ghouse.

Author: Mark Woods, Corporate Communicator


