By BILL TOLAND
December 14, 2005
This is how phishing usually begins, with your e-mail address. Next comes an automated e-mail, sent by a spam generator, which instructs you to visit a fake Web site and "update your credit billing information" or "verify your PayPal login."
Then, if the scammer is lucky and you're not computer savvy, you hand over your name, credit card number and other personal data - a valuable bundle of information that's sold on the black market to someone who wants to steal your identity and your line of credit.
Phishing scams have infected the Internet for more than a decade. In the beginning, it was called "Web page spoofing." But the scams have reached a critical mass over the past few months, reaching more people than ever, using more fake Web pages than ever, and becoming so sophisticated that even the good guys have a tough time telling fake Web pages from authentic ones.
Thomas, fortunately, is one of the good guys. He's a program manager at the National Cyber-Forensics and Training Alliance, which makes its home in a business park near the Monongahela River outside of Pittsburgh. The nonprofit alliance is one of the few computer crime research outfits in the United States, a collaboration of law enforcement officials, computer experts, private enterprise and volunteer graduate school students from the University of Pittsburgh, Carnegie Mellon University and Robert Morris University.
Thomas' days are consumed by computer crimes of all varieties, including online auction frauds, spam-sending "bot networks," fake charity solicitations such as the ones that arose after last year's killer tsunami and this year's Hurricane Katrina. But phishing scams, he said, are taking up more and more of his time.
At the start of last year, there were about 200 phishing sites on the Web - fake sites designed to look like they belong to eBay or Citibank, for example. By autumn, there were more than 5,200, according to the Anti-Phishing Working Group, a cross-industry global group supporting those tackling the phishing menace. And that number is rising.
One reason is that as recently as last year you had to be able write computer code to place a phish site on a server. Now, phish writers are creating customizable packets. A scammer buys the code packet from a vendor, fills in the blanks, inserts an eBay logo, for example, and he's ready to go.
"These kits? That's what causing these spikes," Thomas said. "It used to be you had to know how to do this yourself. Now you don't."
Hanging on a wall in the cyber training alliance offices are various flow charts which show how phishing scams operate.
If you thought they tend to be simple - a geeky teen sitting at a computer sending out e-mail, collecting personal data and going on a shopping spree - you're wrong.
"It's a very organized criminal activity," Thomas said. Every once in a while, one guy juggles the entire scam himself, but usually it's an elaborate web with some or all of its threads running overseas through Eastern Europe, China, Korea or Russia.
That's what makes tracking a phishing scheme so difficult. Even when the FBI "seeds" a scam by providing a credit card number with hopes of monitoring its use, the crooks are often untouchable.
"They get traced back to some place in another country, and they're doing a transaction in the subway, (at) an ATM," said Bill Shore, of the FBI's Pittsburgh-area cyber-crime team.
How is the web connected? One group designs the phish site kits, while others write e-mail-harvesting "spiders." Some send the spam e-mails, some collect credit card numbers and still others sell the pilfered information over the Internet.
At the end of the line is the guy who buys the numbers and goes shopping. It's lucrative for the people selling the data packs and the card numbers, but it's more lucrative for the guy at the end of the line. The Ponemon Institute, a privacy and security consultant, estimates that phishing schemes cost American consumers $500 million in 2004.
The good news is that the people chasing the crooks are becoming more sophisticated, too. The cyber training alliance, for example, was assembled in 2002. It shares office space with Digital PhishNet, a year-old team of national cyber-experts culled from tech companies, Internet service providers, the Secret Service, the FBI and the banking industry.
The Defense Department's Computer Emergency Response Team Coordination Center, or CERT, makes its home at Carnegie Mellon. Nearby is an FBI computer crimes lab.
For all this investigative manpower, though, phishing and the identity theft it supports is difficult to prosecute.
"Identity theft, in general, is close to the perfect crime today," Shore said. Fewer than 1 percent of all reported identity theft cases are successfully prosecuted, he said.
At least identity theft is a punishable offense. Phishing, setting up a fake Web page and posing as a real company in an e-mail, often is not.
Tech companies and Internet providers want to change that, and they are lobbying state legislatures to pass anti-phishing statutes. Many companies worry that the millions in direct consumer losses will generate even greater losses if people lose confidence in online commerce.
"The main goal is to protect customers from this kind of fraud," said Lee Gierczynski, a spokesman for Verizon, whose Web site often is duplicated by phishing scammers. "But the company is a victim as well."
A survey by America Online and the National Cyber Security Alliance found that one in four Internet users polled had been on the receiving end of a phish e-mail. The latest report from the Anti-Phishing Working Group says that, in a given month, more than 13,000 phishing solicitations clog e-mail inboxes:
Dear Amazon.com Member - Urgent Action Required!
Credit Union National Association #552 - Security of your Personal Information.
PayPal must repay 4,823 members, including you, the amount of $156.02 - confirm your account.
Update your Verizon billing profile - failure to reply will lead to termination of your account.
Bank One security upgrade - please check your secured inbox for detailed information.
Citibank E-mail Verification - verify your e-mail address.
Phishers go where the money is. That's why so many of their e-mails pose as coming from the most popular Web services, such as Amazon, eBay and PayPal.
But as the hoax pages get easier to build, the solicitations get more narrowly targeted. You might get one from your local bank, your local phone company or a credit union. And as more people submit their federal tax returns online, expect to see e-mails that claim the IRS is having a problem processing your refund and needs more information to do so.
"Come tax season, I think we're going to see kind of an increase," Thomas said. He's already seen one such e-mail.
With the holiday shopping season in full swing, you might already be getting e-mails offering gift cards or free video game systems if you participate in an online marketing survey. Sometimes, these offers are legitimate, but more and more, these, too, are phishing expeditions designed to separate you from your money.
Thomas predicted an upswing in other phishing-related scams which surfaced this year but have yet to become widespread.
One is called "pharming." Hackers confuse computers into misdirecting Web users who type in a legitimate Web address. You type "www.google.com," for instance, but your Web browser is directed to a fake Google page or a different Web page altogether.
Another offshoot is called "spear-phishing," a more focused form of phishing. You'll get an e-mail directing you to a Web page. Simply by visiting the page, your computer will download malicious software, known as "malware." As you conduct legitimate online business a week later, the malware might keep track of credit card numbers or passwords you use. Or it might act as a radio receiver, allowing someone else to operate your computer by remote control.
The scope of such spear-phishing and pharming attacks is limited, for now. That's because, as with "traditional" phishing a year ago, they are limited to the people who have enough programming knowledge to carry them out.
But as programmers begin to build generic pharming and spear-phishing packages, and make them available for purchase online, the scams will proliferate. And pose new challenges for consumers, companies, investigators and lawmakers.
Publish A Letter on SitNews Read Letters/Opinions
Submit A Letter to the Editor