Friday, January 09, 2004

Phishing: Spam that can’t be ignored:
"If you haven’t already heard about phishing, then get ready. Like a lot spam, phishing is a form of unsolicited commercial email. Whereas all spam is not a scam, all attempts at phishing are scams, and the potential losses to corporations and consumers alike is stunning"

Phishing: Spam that can’t be ignored
By David Berlind, Tech Update
January 7, 2004

If you haven’t already heard about phishing, then get ready. Like a lot spam, phishing is a form of unsolicited commercial email. Whereas all spam is not a scam, all attempts at phishing are scams, and the potential losses to corporations and consumers alike is stunning.

Phishing, as the name implies, is when spam is used as means to “fish” for the credentials that are necessary to access and manipulate financial accounts. Invariably, the e-mail will ask the recipient for an account number and the related password using an explanation that their records need updating or a security procedure is being changed that requires confirming an account. Unsuspecting e-mail recipients that supply the information don’t know it, but within hours or even minutes, unauthorized transactions will begin to appear on whatever account was compromised.

By now, most people know that giving this information away on the Internet is a no-no. With phishing, however, it’s almost impossible to tell that the e-mail is a fraud. Like spam, e-mail from phishers usually contains spoofed FROM or REPLY TO addresses to make the e-mail look as though it came from a legitimate company.

In addition to the spoofed credentials, the e-mail is usually HTML-based. To an undiscerning eye, the e-mail bears the authentic trademarks, logos, graphics, and URLs of the spoofed company. In many cases, the HTML page is coded to retrieve and use the actual graphics of the site being spoofed. Most of the phishing I’ve received pretends to come from PayPal and contains plainly visible URLs that make it look as though clicking on them will take me to PayPal’s domain. Upon quick examination of the HTML tags behind the authentic looking link, the actual URL turns out to be an unrecognizable and cryptic looking IP address rather than an actual page within PayPal’s domain.

PayPal, the payment subsidiary of EBay, is a common target of phishing. If you get one and you’ve never joined PayPal, then you obviously know it’s a fraud. But if you are a PayPal member, as I am, the phisher has at that point broken through the unofficial security-by-obscurity layer that once protected you. It not difficult to see how PayPal members could be victimized by this technique.

According to Antiphishing Working Group Chairman David Jevans, PayPal isn’t the only target of phishers. “In about 35 percent of all reported phishing attacks, Ebay’s PayPal service is the biggest victim. But just about any financial institution, credit card issuer, retailer, or other business can be targeted. UK-based NatWest was phished badly in October 2003 and then even worse in December. The December attack was so bad that NatWest had to take down its site. Visa was another organization that was targeted over the holidays.”

At first blush, phishing appears to be sort of buyer-beware consumer issue since the e-mails themselves are prospecting for potential account holders to the spoofed institutions. Indeed, depending on the spoofed institution’s policies, a consumer could end up eating a loss. “So far,” said Jevans, “most of the transgressions against individuals have been in the hundreds of dollars because smaller transactions will sometimes go unnoticed for a while. But they go higher. The largest one on record so far is for $16,000. If the credentials obtained by a phisher are for a credit card account, then the risk is usually absorbed by either card issuer or a merchant.” This is when the hard dollar cost of phishing, which Jevans considers a form of identity theft, begins to be recognized by corporations and businesses instead of individuals.

http://techupdate.zdnet.com/techupdate/stories/main/Phishing_Spam_that_cant_be_ignored.html

No comments:

Post a Comment

con·cept