April 17, 2009

Phishers Use Loopholes, New Tech To Step Up Attacks

Phishing scams have evolved from the days when phony Nigerian princes sent e-mails enticing victims with big windfalls in exchange for their bank account numbers.

Today, cybercriminals are increasingly exploiting loopholes and becoming more sophisticated in their approach, despite efforts by authorities to clamp down on the online scams.

Phishing refers to misleading e-mails that appear to have been sent from banks or other trusted sources that aim to trick recipients into disclosing bank or credit card account numbers and passwords.

The large majority of e-mail sent today is spam, an unknown percentage of which seeks to defraud recipients. Because the scale of the electronic fraud is so large, cybercriminals can profit handsomely if even a tiny percentage of their intended victims are deceived.

The federal government made significant progress in curbing phishing last November when the web hosting company McColo Corp. was taken offline. According to a Washington Post report, 75 percent of spam worldwide had been sent through McColo.

However, spammers quickly found alternative routes into the inboxes of their intended victims, according to Google's security subsidiary Postini.

And spammers are increasingly sending their e-mails through large numbers of computers, a practice that masks the origin of the messages.

This approach also means that a dramatic McColo-style shutdown will be even harder to replicate, according to Adam Swidler, product marketing manager for Postini.

Cybercriminals have largely abandoned scams such as the Nigerian prince hoax, which were easy to see through. Instead, they are moving towards more sophisticated "location-based spam," which leads victims to a Web site related to a local disaster or another topic of interest to the recipient.

If victims click on an offered video, the Web site then downloads a virus onto their computer, according to a post on Google's security blog.

Microsoft security expert Tim Cranton said it's impossible to know how much money is stolen.

"We don't have a way to estimate numbers because there are so many victims that you're not aware of," he told Reuters.

E-con artists have started turning to new technology in a practice called "smishing", which is similar to phishing except that the messages are sent to recipients via SMS text message instead of e-mail.

Another recent tactic involves scammers who send potential victims spam that purports to come from PayPal.

When PayPal learned of the scam, it began putting a digital signature on all of its e-mails and asked providers such as Google and Yahoo to block any e-mail purporting to originate from PayPal that did not carry the signature.

"We know how many they throw away and it's approximately speaking about 10 million a month," Michael Barrett, PayPal's chief information security officer, told Reuters.

"If the consumer never sees the e-mail in the first place then it's hard for them to get victimized."

"Phishing was not just impacting consumers, in terms of general loss, it was impacting their view of the safety of the Internet and that it was indirectly damaging our brand."
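The arrangement described above, in which the sender signs every message it sends and the receiving providers discard anything that claims the sender's domain without a valid signature, is the pattern that DKIM signing combined with a domain-level reject policy implements. The Python below is an added illustration of that provider-side decision, not PayPal's or any mail provider's code. It makes two simplifications so that it runs offline: an HMAC over a fixed key stands in for the public-key signature that a real scheme publishes via DNS, and the signature travels in a constructed header named X-Demo-Signature. All sample messages, addresses and the key are constructed for this example.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the sender's signing key. A real scheme (DKIM) uses a
# private key at the sender and a public key in DNS; HMAC lets this run offline.
PAYPAL_SIGNING_KEY = b"constructed-demo-key-not-real"

# Domains with a "drop it if unsigned" agreement, mapped to their verification key.
PROTECTED_DOMAINS = {"paypal.com": PAYPAL_SIGNING_KEY}

SIGNED_HEADERS = ("from", "to", "subject", "date")
SIG_HEADER = "X-Demo-Signature"  # constructed header name


def canonical(msg):
    """Bytes covered by the signature: selected headers (whitespace-folded)
    plus the body. Single-part text messages only, as in the constructed samples."""
    parts = [f"{name}:{' '.join(msg.get(name, '').split())}" for name in SIGNED_HEADERS]
    parts.append(msg.get_payload().strip())
    return "\n".join(parts).encode()


def sign(raw, key):
    """Sender side: compute the tag and prepend it as a header."""
    tag = hmac.new(key, canonical(message_from_string(raw)), hashlib.sha256).hexdigest()
    return f"{SIG_HEADER}: {tag}\n" + raw


def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def filter_decision(raw):
    """Provider side: only domains with an agreement are held to the signature rule."""
    msg = message_from_string(raw)
    key = PROTECTED_DOMAINS.get(sender_domain(msg))
    if key is None:
        return "deliver"  # no agreement covers this domain; normal spam filtering applies
    tag = msg.get(SIG_HEADER)
    if tag is None:
        return "reject: unsigned"
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.strip(), expected):
        return "reject: bad signature"
    return "deliver"


# Constructed sample messages.
GENUINE = (
    "From: PayPal <service@paypal.com>\n"
    "To: customer@example.net\n"
    "Subject: Your receipt\n"
    "Date: Fri, 17 Apr 2009 10:00:00 +0000\n"
    "\n"
    "Thank you for your payment.\n"
)
SPOOF_UNSIGNED = (
    "From: PayPal <service@paypal.com>\n"
    "To: customer@example.net\n"
    "Subject: Account notice\n"
    "Date: Fri, 17 Apr 2009 11:00:00 +0000\n"
    "\n"
    "Your account has been limited.\n"
)
# A signed genuine message whose body was altered in transit: signature no longer matches.
TAMPERED = sign(GENUINE, PAYPAL_SIGNING_KEY).replace(
    "Thank you for your payment.", "Your account has been limited."
)
OTHER_DOMAIN = (
    "From: newsletter@example.org\n"
    "To: customer@example.net\n"
    "Subject: Monthly update\n"
    "Date: Fri, 17 Apr 2009 12:00:00 +0000\n"
    "\n"
    "Here is this month's news.\n"
)


def run_demo():
    """Decisions for each constructed sample, keyed by name."""
    return {
        "genuine_signed": filter_decision(sign(GENUINE, PAYPAL_SIGNING_KEY)),
        "spoof_unsigned": filter_decision(SPOOF_UNSIGNED),
        "tampered": filter_decision(TAMPERED),
        "other_domain": filter_decision(OTHER_DOMAIN),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:16s} -> {decision}")
```

The rule only bites on mail whose From address uses the protected domain exactly, which is why the unrelated newsletter passes straight through; mail from a look-alike domain is outside this agreement and is left to ordinary spam filtering, a limitation worth keeping in mind when judging how much such a policy removes.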

Experts in cyber security say they are increasingly seeing a shift from outright fraud, where a potential victim hands over their money, to the use of malicious software that collects passwords and credit card numbers for criminals.

"Those will then be sold on the underground market," David Marcus, a threat research expert at the computer security firm McAfee, told Reuters.

The person who buys the card numbers and passwords then uses that information to make purchases, get cash or establish false identities.

The FBI collaborated with police in Britain, Turkey and Germany to shut down one such online operation, called Dark Market, last October. The site had more than 2,500 registered members at its peak, according to an FBI press release issued at the time.

However, experts don't expect the problem to be solved anytime soon, and say more people out of work could well mean more potential victims for these scams.

Marcus called many of the scams the digital equivalent of confidence tricks. But on a large scale the scams can create profits exceeding $100,000 a month.

"These things only have to be 2 percent successful," he said.

"Those campaigns are sent out to tens of millions of people at the same time.
