This threat could kill e-commerce

They can be alarming, threatening, or enticing. Many are convincing. Called phishing schemes, they are emails – usually with links to websites – that appear to come from legitimate sources such as online retailers or banks and try to trick users into divulging valuable personal data.

Criminals are unleashing more and more of these sophisticated online scams, according to the Anti-Phishing Working Group (APWG), which tracked 282 new, unique phishing attacks in February – a 60 per cent increase from January and a 163 per cent increase over December.

Phishing victimises online consumers and is creating problems for companies impersonated in fraudulent emails. They are grappling with support calls from confused customers, liability concerns and, most critically, damage to their brand names and reputations. Ultimately, phishing threatens the future of e-commerce, warn security experts.

"The biggest problem is loss of reputation, and trust of consumers in the internet to do online banking and commerce," says Dave Jevans, APWG chairman and senior VP at security software firm Tumbleweed Communications.

Companies under attack – financial-services firms, ISPs, and online retailers – are fighting back by educating users, deploying technology to thwart scams, and sharing information with each other and law enforcement agencies to identify phishing schemes and culprits. Technology vendors are stepping up to help.

"We are mobilising," says Brad Keller, group VP and e-commerce risk manager at Atlanta-based SunTrust Banks. He is also chairman of a subcommittee at financial institution consortium BITS that is addressing the problem. "Everybody is working on it and exploring as many different approaches as they can."

Phishing has been around for about eight years, says Jevans, when an email scam tried to get recipients to give their America Online (AOL) usernames and passwords. Last summer, this breed of online fraud began to skyrocket when phishers broadened their attacks beyond the ISP realm to the banking industry in Australia. By fall, they were attacking banks in the U.K. and then the U.S.

"It's been going on for years... but the bad guys hadn't turned it into a revenue generating scheme as much until the last year," says Jim Jones, chief technology officer for the enterprise security solutions business unit at SAIC, an IT services and solution provider.

In general, phishing attacks combine spam techniques with social engineering. Some phishing ploys use email forms, but most direct users to a fake website. The URLs can appear authentic by inserting words into a company's real web address – such as – or by taking advantage of a vulnerability in Internet Explorer that allows attackers to set up a fake site, but make it appear in the address bar that the user is accessing a legitimate site.

The scams usually try to fool users by alarming or surprising them – their bank account will be shut down, they are the subject of an investigation, or they have won a prize, says John Curran, FBI supervisory special agent at the Internet Crime Complaint Center (IC3), a partnership between the FBI and National White Collar Crime Center.

"Usually there's some sort of threatening hook that catches the recipient off guard," he says. "In that moment, they are more likely to go ahead and submit whatever is requested – their bank account or creditcard numbers. They just want to take care of the problem quickly. Oftentimes, it's not until the next billing cycle or creditcard notice that they realise there's a problem."

According to APWG, the most targeted industry in February was financial services. Specifically, eBay was followed by Citibank and Paypal as targets.

"With the way email works, it's easy to forge emails. Source addresses and content can be made to look very legitimate," says David Balenson, deputy director for McAfee Research at Network Associates. Phishing succeeds because the fraudsters have numbers working for them: "It's cheap and easy to send out millions of phishing emails at little or no cost. A phishing email is basically a malicious form of spam." Even if just a small percentage of the recipients reply, the thieves can capture a lot of valuable information.

Plus, phishers are becoming more sophisticated. "They're flat out getting better at presenting the page as a legitimate page, at making their fields more dynamic, and cutting down the number of misspelled words in an email," says David Remick, manager in the enterprise security department at EarthLink.

APWG's Jevans observes: "Now they use pop-ups and cross-site scripting so if you click on the link, it pops up a window to log in, and the main browser window redirects to the real website."

His group is seeing more finely honed attacks. For example, one nasty scam tried to trick employees into giving their social security numbers by sending them an email from "human resources" directing staff to a new benefits website. Network Associates' Balenson recalls an email he got that purported to come from the IT department, but was not.

A few attacks incorporate virus techniques, such as a scam that spoofed Paypal and sent out copies of itself to everyone in a recipient's address book. Some send people to sites that download keystroke loggers. Last month, APWG warned of an attack that detects the user's browser and applies a custom JavaScript that replaces the web address bar with a working fake. Because the fake address bar remains installed after a user leaves the phisher's site, it could allow an attacker to track web browsing.

According to Jevans, it is hard to know how many people are conned by phishing scams. Some people might not know they were victimised, while others are embarrassed to admit they fell for a scam. Likewise, say security experts, companies that are impersonated are reluctant to talk about how they are impacted, but are feeling the fallout.

"They get a lot more phone calls for customer support, so that escalates their costs significantly," says Jevans. "It's a problem if you only do business online, because anything like that starts to tell on your margin."

Any company spoofed by phishing attacks is seeing an increase in customer support volumes, confirms SunTrust's Keller, adding: "Sometimes we get calls from customers who have received a phishing [email] for a different company, which I think underscores the level of confusion with customers."

Educating customers and customer support staff about phishing adds to an organisation's costs, but the impact on brand name and reputation is hard to quantify, remarks Jevans.

"For a company, the biggest problem is a loss of trust," says Mark Rasch, senior VP and chief security counsel at managed security firm Solutionary. "Your customers don't believe you are you and, therefore, they're less likely to buy stuff from you online. They're less likely to give you personal information you need to process data because they don't trust you."

Rasch, a former attorney at the Department of Justice, maintains that liability becomes an issue if a company fails to detect a phisher spoofing it over a period of time, because companies have a duty to police their trademark.

Phishing is a big problem for targeted financial institutions, reports Kevin Leininger, president of ICG, a Princeton, N.J.-based firm that specialises in internet threat-management solutions. "They're putting millions of dollars in reserves into their books to deal with contingency just related to phishing," he says. "They're very concerned not only about the actual loss, but the potential brand equity damage and the liability – not just from a customer liability perspective, but also from a governance situation. Regulators are starting to ask a lot of questions of institutions about what they're doing about this problem."

The FBI's Curran says banks hesitate to report loss figures, but Jones of SAIC notes: "There are real losses associated with this [phishing]. In most cases, the bank or financial services institution bears the cost of the loss rather than the customer." Curran adds: "I know they're concerned, because if phishing becomes an epidemic and shakes consumer confidence to the point where folks are unwilling to do online banking, it's going to increase costs for the banks."

Leininger insists banks are taking action, including hiring firms such as his to help them track down the people behind phishing attacks. "I've been selling software and services to a variety of markets, one being financial services, and I've never seen an industry move more quickly against a threat than I've seen the financial services industry move against this," he declares.

Keller says BITS – and the industry as a whole – is looking at ways to deal with the problem, including technological solutions and best practices. "Best practices range from customer education, as well as our internal business practices, to networking and sharing information about these incidents with law enforcement as well as other companies," he says.

The BITS e-scam subcommittee – which is part of the group's overall fraud-reduction program – is focused on publishing a white paper of best practices and the creation of an information-sharing network specifically related to phishing. "It's one area where we see that we're all in it together," says Keller.

The industry wants to educate the public, he explains, but not cause undue concern: "Unfortunately, in all areas of life, there are people who engage in criminal conduct... The internet is no different. But because we're dealing with people with drastically different levels of knowledge and experience in using the internet, it becomes a challenge in educating our customers."

Customer education is part of a multi-pronged effort at EarthLink, which has been fighting phishers for several years. "We look at the phisher problem as something we can solve technically, something we can pursue through legal means, and something we can – each day, from a process standpoint – follow the trends of the phisher perpetrators and change what we do to make customers operate in a secure environment," says the ISP's Remick.

To ensure that customers are savvy, EarthLink makes a knowledge base available. The company provides customers with a tool to determine if a URL is an authentic EarthLink site. It has also prevented the distribution of emails that fraudulently use its brand and shuts down fake sites. Remick's department works closely with the legal department to gather the forensic evidence necessary for legal action.

A coalition launched last fall by eBay,, VeriSign, Visa, Microsoft, and the Information Technology Association of America (ITAA) to fight online identity theft is tackling phishing.

"There will continue to be a lot of good efforts in the industry to create technological solutions to that, and to the extent there's some collaborative effort within the confines of anti-trust law, these folks will be looking at ways that we can collectively stamp it out," asserts Greg Garcia, ITAA VP of information security policy and programs.

In March, eBay added a new feature to the eBay Toolbar called Account Guard, which warns customers when they are on a potentially fraudulent site and enables them to report it to eBay.

Government agencies are taking aim at phishers. The Department of Justice released a special report on the issue earlier this year; the FBI's Curran says IC3 is working undercover with the financial-services sector to foil scams; and federal officials have prosecuted individuals behind phishing attacks. For example, Helen Carr, a woman from Ohio, was arrested last fall in connection with a scheme trying to trick AOL users into divulging their account numbers via a fake AOL Billing Center site. She was sentenced to 46 months in prison.

ICG's Leininger says there are many strata within the phishing community: "At the top, there are some fairly nasty people, including organised crime." Tracking down these criminals can be difficult. Not only can a URL be hidden through a series of redirects, but the perpetrators will move the site after 24 or 48 hours – about the time investigators have the phishing email and are looking for the culprits, he explains.

With many phishing attacks coming from outside the US, it can be especially tricky to locate the perpetrator or have a phisher site shut down, due to language and cultural barriers, according to SAIC's Jones. The owner of the server the site sits on is not usually the offender, it is someone who has an account (sometimes fraudulent) with them.

Beyond the reactive approach of shutting down sites, the industry is looking for technological solutions to phishing, with email authentication topping the list of possibilities. "If you can allow people to know what mail really came from the bank or e-commerce vendor and what didn't, that will largely solve the problem," says Jevans.

But that solution is years off, admit security experts. "Ideally, we should have digitally signed email, using things like S/MIME or PGP," says McAfee's Balenson. "It's very difficult to have those secure email protocols used on a wide-scale basis because of the amount of infrastructure required and the difficulty in using them."

There are steps companies can take to protect their customers and defend themselves, he adds. Firms can establish secure policies for communicating with customers by avoiding email forms and embedded hyperlinks, but they need to be consistent and let customers know about policies. Organisations can personalise emails by embedding authentication information in them, such as a customer photo. They should monitor the internet by looking for unauthorised use of their logos. Implementing security at the internet gateway can block phishing email and sites.

"Many of these techniques are using existing technologies, but what they're doing is raising the bar," says Balenson. "It will probably turn into a bit of a cat and mouse game, with spammers and phishers perfecting their techniques to get around the new bars we've raised."

Other solutions can help protect against phishing-type scams. ZoneLabs includes a new feature called Host File Lock in its consumer firewall product. The feature prevents an intruder from tampering with a host file on a machine and sending the PC to a spoofed site.

Anti-spam vendor Brightmail offers an anti-fraud service that detects and notifies a company of any spoofed or fraudulent emails specific to the organisation. Tumbleweed is trying to simplify email authentication with its new Email Authentication Engine, which supports S/MIME. PassMark Security provides personal tags – logos or images – for users that they look for when they enter their name on a company's website, in order to verify the site's authenticity before they enter sensitive data.

For Gene Fredriksen, VP of information security at Raymond James Financial, phishing is a problem "in search of a technical solution right now and there doesn't appear to be a lot of them on the horizon." His firm hasn't experienced the problem, but is closely monitoring and reviewing problem reports or anomalies that might indicate an attack. "We've got heightened awareness and we're really watching things closely," he says. "That's all companies can do right now – watch for those tip-offs. With large financial services companies that have millions of customers, getting any type of technical solution deployed is going to be very hard... It's not going to take long for whatever technology we come up with to be twisted and used by the bad guys."

Remick comments: "It's imperative for the ISP industry and the public and private sector to continually communicate to customers, and the whole web community, that the internet itself is a secure vehicle for research, commerce, and communication. But you have to let them know there are threats. It all comes down to awareness."

APWG has more than 180 members and Jevans echoes the call to begin a concerted effort to deal with phishing. "It can only be solved by collaboration between financial services, e-commerce companies, ISPs, law enforcement, and technology companies. You have to get all these people together to make a dent on this," he says.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.