This article was in the New York Times today...
Online Swindlers, Called "Phishers," Lure Unwary
March 24, 2004
By SAUL HANSELL
Last year, EarthLink, the big Internet access provider,
went hunting for phishers.
It started a campaign to track down people who were sending
e-mail messages that pretended to be from EarthLink but
were actually fraudulent attempts to steal customers'
passwords, credit card numbers and other information. What
it found was that of the dozen or so people it could
clearly identify as engaged in the practice known as
phishing, more than half were under 18.
In its latest effort, EarthLink discovered a lot of
phishing e-mail messages coming from computers in Russia,
other East European countries and Asia. The e-mail
messages, and the Web sites they directed people to, were
becoming much more technically sophisticated.
"A year ago, there were some phishers out there, and it was
mostly teenagers and other people fooling around," said Les
Seagraves, EarthLink's chief privacy officer. "Now I think
we are moving to more criminal enterprise."
Phishing attacks are growing rapidly, impersonating
Internet service providers, online merchants and banks.
Government officials and private investigators say all
signs point to gangs of organized criminals - most likely
in Eastern Europe - as being behind many of the latest
efforts.
"Like any other black market, there is a stratification in
phishing," said Kevin E. Leininger, president of ICG of
Princeton, N.J., an investigative firm that has been hired
by banks to find those behind the attacks. "There are
people who are rank amateurs. And there are identity-theft
rings."
So far, the offenders have largely evaded the searches to
find them. One reason is that they often use computer
worms, spread from machine to machine, to send the
fraudulent e-mail - a technique that makes it almost
impossible to trace the source.
Like EarthLink's investigators, government authorities have
managed to track down a few individuals operating less
sophisticated ruses. The F.B.I. traced one crop of mass
e-mail messages pretending to be from the "AOL Billing
Center" to Helen Carr, 55, who ran the scheme from her home
in Akron, Ohio. (Ms. Carr pleaded guilty and was sentenced
in January to 46 months in prison.)
But federal investigators write off people like Ms. Carr as
small-time operators. "The kids in school and the old lady
in her basement make great copy," said Bruce A. Townsend,
deputy assistant director in the office of investigations
at the Secret Service, which investigates cases of credit
card fraud. "But this has transformed into something done
by organized criminal groups."
In February, 282 cases of phishing e-mail messages were
reported to the Anti-Phishing Working Group, a coalition of
technology companies, financial institutions and law
enforcement agencies. That was up from 176 attacks in
January and 116 in December. Brightmail of San Francisco,
which filters e-mail for spam, identified 2.3 billion
phishing messages in February, 4 percent of the e-mail it
processed, compared with only 1 percent of its messages as
recently as September.
"Identity theft is the single greatest type of consumer
fraud," said Christopher A. Wray, an assistant attorney
general in charge of the criminal division of the Justice
Department, "and phishing is the identity theft du jour."
At this point, there are few sure ways for an Internet user
to tell if an e-mail message is legitimate. So experts
advise people to be extremely wary of providing any
confidential information in response to e-mail.
"The crooks are getting slicker, and the bogus Web sites
and e-mails are dangerously legitimate looking," Mr. Wray
said.
No one knows how much money has been stolen through
phishing schemes. Banks say it still seems relatively small
compared with other forms of fraud and theft, like using
stolen credit or debit cards.
One reason it is not easy to figure out how much money has
been lost is because many victims do not realize it when
they have been fleeced. Even those who find an unauthorized
charge on their credit card bills and bring this to the
attention of the issuers do not necessarily know that the
charge was caused by their response to a false e-mail
message.
"People think they are giving their credit card numbers to
AOL because there is a problem in their account," said Eric
A. Wenger, a lawyer for the Federal Trade Commission, which
has brought civil actions against several phishers. "If
they find out four weeks later there are unauthorized
charges on the credit card, it never occurs to them to
connect the two events."
Lisa Cook, a sales representative with Kraft Foods who
lives in Brookline, N.H., was one of the lucky ones who
discovered that she had been subject to phishing before she
was significantly harmed. Ms. Cook responded one morning,
before her first cup of coffee, to a message in her e-mail
in-box seemingly from PayPal, the electronic payment
service of eBay. It said she needed to update her account,
so she dutifully provided her credit card and Social
Security numbers, mother's maiden name and other
identifying information.
Luckily, she spotted a warning later the same day about
Internet scams. Ms. Cook placed a panicked call to PayPal,
which confirmed her fear that she had been phished.
She was able to cancel all her credit cards and change
passwords before she lost any money. But the experience
haunts her.
"It will always be in the back of my mind," she said. "I
worry that some day down the road, someone will take out a
mortgage using my information."
Phishing got its name a decade ago when America Online
charged users by the hour. Teenagers sent e-mail and
instant messages pretending to be AOL customer service
agents in order to fish - or phish - for account
identification and passwords they could use to stay online
at someone else's expense. After AOL switched to a flat
monthly rate, the same phishing methods were used to steal
credit card information.
These days, the same factors are driving all sorts of spam
in much greater amounts.
"It doesn't cost any money to go out and copy someone
else's Web page to make it look real," said John Curran, a
supervisory agent for the F.B.I. "And it doesn't cost any
money to spam the e-mail out to one million people."
The phisher's goal is to persuade a recipient that he has
received a legitimate message, which must be replied to
immediately.
As for motivation, phishers sometimes appeal to greed by
sending an e-mail message that promises the recipient a
prize, asking for a credit card number only to bill for
shipping costs. More often, they rely on fear.
"The initial hook is something alarming," Mr. Curran said.
"They tell you they will shut down your account or you have
been charged for child pornography. Once they get you in a
state where you are agitated or excited, they can elicit an
emotional response."
The open technology used in both e-mail and Web browsing
makes it easy to create convincing fakes and difficult for
recipients to verify who is really behind them. Even people
with only modest technical skills can take graphic elements
from a legitimate Web site and make a credible copy. (Many
phishing attempts last year were riddled with typographical
errors and awkward language, but now it appears that most
phishers have brushed up on their English or hired
proofreaders.)
Phishers often create Internet addresses that closely
resemble legitimate ones. Some have used domains that
included "yahoo-billing.com" and "eBay-secure.com." How is
the typical user to know those are not real, but
"billing.yahoo.com" is?
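The distinction the article draws (a brand name embedded in an attacker-registered domain such as "yahoo-billing.com", versus "billing.yahoo.com", which is a subdomain of the brand's own domain) can be checked mechanically by comparing the registrable domain of a host against an allowlist. This is an added example, not code from the article or from any company it mentions; the allowlist and sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: registered domains under which a brand's real
# hosts live. A real deployment would use the organisation's own list.
LEGIT_DOMAINS = {
    "yahoo": {"yahoo.com"},
    "ebay": {"ebay.com"},
}


def registered_domain(host: str) -> str:
    """Return the registrable domain, taken as the last two labels.

    Simplification: this ignores multi-label public suffixes such as
    co.uk; a production check should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url_or_host: str) -> str:
    """Classify a URL or bare host as 'legitimate', 'lookalike' or 'unrelated'.

    'legitimate': registrable domain is in the allowlist (e.g. billing.yahoo.com).
    'lookalike':  a brand name appears in the host but the registrable domain
                  is not the brand's (e.g. yahoo-billing.com, ebay-secure.com).
    'unrelated':  no brand name present at all.
    """
    # Bare hosts need a scheme-less prefix so urlsplit treats them as netloc.
    parts = urlsplit(url_or_host if "://" in url_or_host else "//" + url_or_host)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    if any(reg in domains for domains in LEGIT_DOMAINS.values()):
        return "legitimate"
    if any(brand in host for brand in LEGIT_DOMAINS):
        return "lookalike"
    return "unrelated"


def classify_all(hosts):
    """Classify a batch of hosts; returns {host: verdict}."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample hosts, including the two the article quotes.
    for h, verdict in classify_all(["billing.yahoo.com", "yahoo-billing.com",
                                    "eBay-secure.com", "https://signin.ebay.com/x",
                                    "ebay.com.example.net", "example.org"]).items():
        print(f"{h:32} {verdict}")
```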
In response, Microsoft has modified Internet Explorer, the
most popular Web browser, to make it harder to fool users
and it has more changes planned for the next browser update
planned for release this summer.
A few Internet companies are going further. EBay and
EarthLink have both developed toolbars that can be added to
Internet Explorer to warn users if they are looking at
known fraudulent sites.
But Howard Schmidt, a vice president for security at eBay,
acknowledged that these approaches - and eBay's frequent
warnings to its customers and PayPal's - have their limits.
"Technology can solve 60 percent of the problem," he said.
"Education and awareness can solve 20 percent, and no
matter how good the industry is, there will be people who
fall victims so 20 percent will have to be handled by law
enforcement."
But even the small-time phishers who have been caught show
how simple it is to use easily accessible high-technology
tools to fool people. In February, Alec Scott Papierniak,
20, a college student in Mankato, Minn., pleaded guilty to
wire fraud. He had sent people e-mail messages with a small
program attached that purported to be a "security update"
from PayPal. The program monitored the user's activity and
reported their PayPal user names and passwords back to Mr.
Papierniak.
Prosecutors say that at least 150 people installed the
software, enabling Mr. Papierniak to steal $35,000.
While most of those prosecuted so far for phishing have
been in the United States, eBay, working with the Secret
Service, has investigated a series of scams originating in
Romania. More than 100 people have been arrested by
Romanian authorities. One of them, Dan Marius Stefan,
convicted of stealing nearly $500,000 through phishing, is
now serving 30 months in a Romanian prison.
Mr. Stefan sent e-mail messages that appeared to come from
eBay to people who were unsuccessful auction bidders,
advising them of similar merchandise for sale at even
better prices. To purchase the goods, the message
recipients were told to provide bank account numbers and
passwords and then to wire money to an escrow site - a
fraudulent one - Mr. Stefan had set up.
The financial losses of most phishing victims, particularly
those subject to credit card fraud, often end up being
absorbed by banks and their insurance companies.
But the costs are real. "We get 20,000 phone calls every
time one of those goes out, and it costs us 100 grand,"
said Garry Betty, EarthLink's chief executive. "I got so
mad one month when we had eight attacks," he said,
explaining that he is pressing his legal department to find
someone important to make an example of.
"We haven't found one yet," Mr. Betty added, "but before
2004 is over, I'm going to get one."
http://www.nytimes.com/2004/03/24/technology/24PHIS.html?ex=1081147113&ei=1&en=b0082fc8b031692a
Copyright 2004 The New York Times Company