Beware of Phishing Expeditions – The Fastest Growing Internet Scams
Author: Unknown
Source : Not Released
Mass email spamming is the delivery channel for the fastest growing email scam, called “phishing”. Phishing scammers, or phishers, impersonate major financial institutions and e-commerce websites, such as Citibank, Bank of America, US Bank, AOL, eBay and PayPal, to trick their clients into providing personal and financial information to a fraudulent website. This information is then used to access victims’ accounts and make illegal transactions, or to steal identities and open new credit accounts elsewhere. Thousands of military personnel, including senior-level officials, have received phishing emails over the past several weeks, and over 5,100 personnel have responded to these types of emails. Although there has been no known report of fraud by these respondents to date, the persons behind these scams now have personal information that can be used in the future. The only way to avoid this activity is not to respond to emails or telephone calls that request personal financial information; financial institutions, utility companies and retailers will not contact customers via email or telephone to request personal financial information.
Phishing in the computing world is short for “password harvesting fishing”, which is a way of getting sensitive information (passwords, accounts, personal information, etc.) from victims while posing as a trustworthy entity needing this sensitive information.
The phrase was coined in the mid-1990s by crackers attempting to steal AOL accounts for fictitious use. Today, however, phishing has moved towards a more profitable scam. Phishers are targeting online banking institutions such as Citibank and auction houses such as eBay. Phishing scams are carried out by sending spam email to many people in the hope that 3-5% of them respond. These fraudulent emails copy the targeted organization’s logos and colors to make people believe they are legitimate. A variety of methods are then used to trick recipients into clicking on the links provided, leading them to fraudulent websites cleverly designed to mimic the legitimate websites of the targeted organizations.
Once at the fraudulent site, victims will be prompted to input personal information such as social security numbers, account numbers, pins and passwords. Once this information is obtained, phishers can then make charges against accounts, withdraw funds from bank accounts, or make purchases at online auctions.
Thousands of military personnel, including senior-level officials, have received phishing scam emails over the past several weeks. One email targeted SunTrust Bank, while another targeted a Global Card MasterCard purported to be issued by BankFirst.
Research has verified that both the SunTrust and the Global Card MasterCard (which BankFirst does not even issue) emails are phishing scams. In both cases, the websites that victims are directed to appear legitimate, but careful research shows that these links and sites are not associated with the businesses they purport to represent. The average life span of most of these fraud sites is 6 days, with some of the longest lasting 31 days. Even though some 5,100 military members have responded to these types of email scams, none have reported any fraudulent activity to date. This does not mean that the organization that gained the information will not use it in the future. The one thing to remember is that financial institutions, utility companies and retailers are not going to call customers by phone or contact them via email asking for personal or financial information. Therefore, the best response to such calls or emails is to not respond at all.
Phishing scams are the fastest growing social engineering activities to date. Anti-Phishing Working Group statistics reported phishing targets.
The most common scams reported by CipherTrust (a network security and email service provider) are loan scams, mortgage fraud, online pharmacy fraud and fake online banking. Most phishing scams are sent from computers known as “zombies” (a zombie computer is a computer attached to the Internet that has a hidden software program, a “backdoor”; this backdoor allows the computer to be remotely controlled by others and used in Denial of Service attacks or unsolicited email “spamming”). According to CipherTrust, as of 15 Oct 04, there are approximately 1,000 zombies running on broadband connections that are being controlled by fewer than five zombie network operators. APWG reported that the US (27-35%), South Korea (16-19%), China (8-15%), Taiwan (3-7%), Russia (1-7%), UK (1-6%) and Mexico (2-5%) host either zombies or hosting sites associated with this type of activity.
Note: Percentages above represent the locations of illegal phishing websites.
MessageLabs and Brightmail (security and anti-virus companies) estimate that over 250,000 US phishing scam emails are received monthly. In a survey conducted by Gartner in April 04, 57 million US adults reported receiving phishing emails in the past year, and of those who responded, over half have also been victims of identity theft. Approximately 2 million US victims have lost $2.4 billion from illegal access to checking accounts alone.
Phishing expeditions are the fastest growing scam in social engineering today, mainly because phishers need only 3-5% of their targets to reply with the requested information. New targets and victims are selected for each phishing scam, and at some point in time everyone will probably be targeted. The best action to take after receiving an email from an unknown sender is to delete it from both the inbox and the deleted mail folder.
Response And Reporting
The Federal Trade Commission’s No. 1 tip for avoiding these rip-offs: “DON’T provide any personal financial information via email. (Banks and other companies frequently remind customers that they don’t ever ask for sensitive financial data via email.)”
Use the following measures to help protect yourself from fraudulent activity:
· Be extremely suspicious of any email with a request for personal financial information.
· Do not fill out forms in email messages that ask for personal financial information.
· Do not use the links in emails to get to websites if you suspect the email is not authentic.
· Do not give your credit card numbers or account information unless using a secure website or telephone, and only after you have initiated the contact.
· Beware of email attachments.
· Check your bank and credit card statements online regularly looking for fraudulent activity.
· Use anti-virus software and keep it up to date.
· Keep your operating systems software up to date.
· Consider installing a web browser tool bar to help protect you from known phishing fraud websites. (Earthlink ScamBlocker alerts you before you visit a page that’s on Earthlink’s list of known phisher Websites. eBay offers a free toolbar that warns you when you might be on a spoofed eBay site).
Report all phishing scams by sending a copy of the email to firstname.lastname@example.org (Federal Trade Commission), email@example.com (Anti-Phishing Working Group) and abuse@ the domain of the site being spoofed (e.g. firstname.lastname@example.org). If a suspicious phishing email is received on a military email account, it can also be forwarded to the Information Assurance office at the local communication center. This will allow the hosting IP of the fraudulent website to be blocked so that no member can respond with their personal information.
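The article's key warning is that a lure's links lead somewhere other than the brand they display, and that reporting should surface the fraudulent hosts so they can be blocked. The following is an added example, not code from the original article: it parses a constructed sample email, flags anchors whose real host does not belong to the impersonated bank (assumed here to be suntrust.com, with all other hostnames constructed from reserved example ranges), and lists the hosts an Information Assurance office would report or block.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample lure (display names and hosts are invented, RFC 5737/.example only).
SAMPLE_EMAIL = """From: "SunTrust Online" <alerts@suntrust.example>
To: member@unit.example
Subject: Please verify your account
Content-Type: text/html

<html><body>
<p>Dear customer, your account has been limited.</p>
<a href="http://203.0.113.7/suntrust/login.php">https://www.suntrust.com/verify</a>
<a href="http://www.suntrust.com.account-check.example/">Click here</a>
<a href="https://www.suntrust.com/">Privacy policy</a>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)

def registered_domain(host):
    """Last-two-labels heuristic; assumption: no public-suffix list available offline."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(raw_email, trusted_domains):
    """Return (href, reason) for every anchor whose real host is not a trusted domain."""
    body = message_from_string(raw_email).get_payload()
    findings = []
    for href, text in ANCHOR_RE.findall(body):
        host = urlparse(href).hostname or ""
        if registered_domain(host) in trusted_domains:
            continue  # genuine link to the bank's own domain
        shown = URL_RE.search(text)
        if shown:  # displayed URL and real destination disagree
            reason = "link text shows %s but points to %s" % (urlparse(shown.group()).hostname, host)
        elif any(t in host for t in trusted_domains):  # brand name buried in a foreign host
            reason = "brand name embedded in untrusted host %s" % host
        else:
            reason = "untrusted host %s" % host
        findings.append((href, reason))
    return findings

def hosts_to_report(raw_email, trusted_domains):
    """Distinct hosts to forward to abuse@ / the IA office for blocking."""
    return sorted({urlparse(h).hostname for h, _ in suspicious_links(raw_email, trusted_domains)})
```

Run against the constructed sample with `hosts_to_report(SAMPLE_EMAIL, {"suntrust.com"})` to get the two fraudulent hosts; the genuine privacy-policy link is left alone.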
The Anti-Phishing Working Group has reported 6,715 different phishing scams from May – July 2004. It is estimated that over 250,000 fraudulent emails are received on a monthly basis in the US, and some $2.4 billion has been fraudulently taken from checking accounts of US citizens. This is becoming a real concern that can be defeated with awareness and education. The one thing to remember is that financial institutions, utility companies and retailers are not going to contact customers by phone or via email asking for personal or financial information. Therefore, the best response to these calls or emails is to not respond at all, and notify the institution or organization letting them know that phishing scammers are targeting them and their customers. This will allow them to take corrective action as well as notify their customers.
IDefense - 18 Oct 04 Daily
NSIRC Advisory - 580-04