Washington Post, 2004-07-29
Maybe it's time we all went to digital self-defense school. How else can we learn how to deflect the Internet thieves pounding on our electronic doors? The pounding is getting louder, judging by recent reports of scammers trying to steal identities through counterfeit e-mails and bogus Web sites. Should the
doors give way, I'm afraid we can kiss many legitimate Internet commerce sites goodbye, because they require a foundation of trust.
If you're like me, you're already getting a flood of fraudulent e-mails in your in-box, "phishing" for personal information. Phishing, in case you hadn't
heard, is hacker-speak for electronic fishing. It means tricking people into typing user names, passwords, Social Security numbers and other personal data
at bogus Web sites.
The bait typically arrives in a message claiming that someone has hacked your account -- your banking Web site, say -- and offering a link for you to log
in and verify that you are really you. Sometimes fraudsters even put a fake form in the message, inviting you to type in personal data and click "submit."
Phishing attacks are skyrocketing. They have the Internet and banking industries terribly worried -- though apparently not enough to fix the problem yet.
In May, research firm Gartner Inc. released a survey estimating that 57 million adults in the United States had received a "phishing" e-mail. Gartner
estimated that nearly 11 million of those adults had clicked on a bogus phishing link, while 1.8 million had given out personal information.
On Capitol Hill last week, officials from the Federal Trade Commission and Commerce Department huddled with computer industry experts to discuss phishing.
The FTC is planning a summit this fall focusing on authentication tools to thwart phishing attacks. Yesterday, the American Bankers Association held a
private, two-hour webcast on phishing for its members, featuring computer experts and speakers from the Justice Department, including the FBI, and Treasury.
A big drive to identify and catch phishers will kick off next month, FBI Supervisory Special Agent Tricia Gibbs told the bankers. Dubbed Digital Phishnet,
the program involves agents from the Justice Department, Secret Service, state and local police departments and private companies.
James Jones, chief scientist and director of technology company SAIC's Rapid Solutions Lab, showed bankers how phishers use hidden code to create
official-looking e-mails and Web sites. He said phishers appear to be growing more selective in choosing targets. Rather than sending out millions of phony
e-mails and hoping to hit a few customers of a particular bank, they appear to be culling customer lists and finding other ways to identify and target folks
more likely to respond.
Meanwhile, companies whose customers are being targeted say each phishing attack is costly for them as well as their customers.
"Every time a new phishing attack is launched in EarthLink's name, we get about 40,000 phone calls from our users," said Scott Mecredy, a senior manager at
In April, EarthLink released a special "ScamBlocker" software program that anyone can use to prevent their Web browser from accessing known phisher Web
sites. More than 400,000 people are using it so far, Mecredy said.
This week, Internet address-book keeper VeriSign Inc. reported that phishing attacks are increasingly sophisticated.
VeriSign analyzed 490 bogus e-mails and found most did not contain the misspellings often seen in first-generation phishing. Also, 93 percent contained
spoofed -- or faked -- return addresses to make them look as though they came from a trusted company. VeriSign found that 37 percent lured people to sites
hosted outside the United States, making prosecution difficult.
Today, even cyber-savvy folks can get stung because the bogus e-mails and Web sites look so official, down to perfect replicas of, say, eBay's logo and the
real Bank of America Web site.
"We are seeing a pattern of much higher-quality phishing sites," said Jim Maloney, chief security officer for Corillian Corp., which runs legitimate Web
sites for a dozen financial institutions.
Corillian recently developed software that has detected phishing attacks as early as eight days before they were launched, Maloney said, by analyzing activity
at corporate Web sites. Detection is possible because phishers spend a lot of time studying any site they aim to replicate, he added. Many also link to
those real sites from within their bogus e-mails to get high-quality images of corporate logos.
Increasingly, scammers know how to make it look like you are visiting a well-known Web site, often using code that floats a second window on top of the
first. They typically host their fake Web sites at other sites which they hack into illegally. The bogus site might appear to say "www.ebay.com" in the
address bar of your Web browser, even though you are actually visiting another hidden address.
Equally scary, scammers use scripting to make it look like you're in a secure connection by adding an "s" to the displayed address, as in
https://www.ebay.com/login, even though the page you are really on was never served securely. And Jones said phishers can also replicate the small padlock at the bottom of your browser window, which is meant to indicate
when you are communicating in a secure session.
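The trick described above rests on a gap between what the victim sees and where the link actually goes. The following is an added example, not code from the article or from any company it quotes: it scans the anchors in an HTML e-mail body and flags the ones whose visible text names a different site than the href, claims "https" while the link is plain http, or points at a bare IP address or a hostname that borrows a brand name under someone else's domain. The sample e-mail body, the IP address and hostnames in it, and the small brand-to-domain table are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an HTML e-mail body in the style the article describes.
# The addresses are documentation/example ranges, not real phishing sites.
SAMPLE_EMAIL_HTML = """
<p>We detected unauthorized access to your account. Please log in to verify:</p>
<a href="http://203.0.113.7/ebay/login.htm">https://www.ebay.com/login</a>
<p>Or visit <a href="https://www.ebay.com/help">www.ebay.com/help</a></p>
<a href="http://www.ebay.com.example.net/secure">Secure eBay login</a>
"""

# Assumption for the demo: which domain legitimately owns each brand name.
BRAND_DOMAINS = {"ebay": "ebay.com"}

# Something that looks like a URL or hostname inside the visible link text.
_URLISH = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL; bare text like 'www.ebay.com/login' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    # Assumption: the last two labels identify the organization (true for .com,
    # not for suffixes such as .co.uk; a public-suffix list would fix that).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html):
    """Return [(href, visible text, reasons)] for anchors that misrepresent their destination."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        reasons = []
        dest = host_of(href)
        shown = _URLISH.search(text)
        if shown:
            shown_host = host_of(shown.group(0))
            if registrable(shown_host) != registrable(dest):
                reasons.append("visible address %s but link goes to %s" % (shown_host, dest))
            elif shown.group(0).lower().startswith("https://") and urlsplit(href).scheme == "http":
                reasons.append("text claims https but link is plain http")
        if _IPV4.fullmatch(dest):
            reasons.append("link goes to a bare IP address")
        for label in dest.split("."):
            owner = BRAND_DOMAINS.get(label)
            if owner and registrable(dest) != owner:
                reasons.append("brand %r in hostname but domain is %s, not %s" % (label, registrable(dest), owner))
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, why in check_links(SAMPLE_EMAIL_HTML):
        print("SUSPECT %-45s shown as %-30r : %s" % (href, text, why))
```

On the constructed sample the first and third links are flagged and the genuine eBay link passes. The same comparison of displayed address against actual destination is what a browser toolbar such as eBay's performs for the page you are already on; running it over the mail body catches the bait before it is clicked.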
The top target of phishers in April and May was Citibank, according to the Anti-Phishing Working Group, an industry association. No wonder the financial
giant debuted those jarring TV commercials about identity theft last fall, showing burly men yakking in high-pitched voices and petite women growling like
eBay is another frequent target, which is why in February it started offering users free anti-phishing software. The software installs a toolbar in your Web
browser that flashes green when you are communicating with the real eBay.
Of course, it would be impractical to install a different toolbar to authenticate each of your favorite Web sites. What we need are universal tools to
verify the authenticity of all e-mail we receive and all Web sites we visit.
While various private and public Internet groups have developed competing authentication standards for e-mail, slowing down implementation, there appears to
have been recent progress in getting them to work together. One system known as "sender ID" is favored by Microsoft Corp. and involves identifying the IP
address from which e-mail is sent. Separately, Yahoo has proposed a way to verify e-mail known as "domain keys" that involves cryptography.
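The two approaches differ in what the receiving mail server checks: one asks whether the connecting IP address is on the list the sender's domain has published, the other asks whether a signature on the message verifies under a public key the domain has published. The following is an added example, not code from the article or from Microsoft or Yahoo, and it does not implement either real specification. It models both checks against a constructed, in-memory "DNS" table, and it uses a deliberately tiny textbook RSA key (two Mersenne primes, insecure) so that it runs with the standard library alone. The domain, addresses, header name and messages are all made up for illustration.

```python
import hashlib
from email.parser import Parser

# Toy RSA key for the sending domain. Two Mersenne primes, ~92-bit modulus:
# fine for showing the mechanism, useless as real security.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; only the sending domain holds this

# Constructed stand-in for what a receiving server would look up in DNS:
# the domain's authorized sending IPs (Sender ID style) and its public key (DomainKeys style).
DNS = {
    "example-bank.com": {
        "authorized_senders": {"198.51.100.10", "198.51.100.11"},
        "public_key": (N, E),
    },
}

SIG_HEADER = "X-Toy-DomainKey-Signature"   # made-up header name for this demo

# Constructed genuine message from the bank.
GENUINE = """From: Example Bank <alerts@example-bank.com>
To: customer@example.org
Subject: Statement available

Your monthly statement is ready.
"""


def check_sender_id(connecting_ip, mail_from_domain, dns=DNS):
    """IP-based check: is the host that delivered the mail allowed to send for this domain?"""
    record = dns.get(mail_from_domain.lower())
    if record is None:
        return "none"   # domain publishes no policy; nothing to decide
    return "pass" if connecting_ip in record["authorized_senders"] else "fail"


def _canonical(msg):
    """Signed material: a fixed set of headers plus the body, whitespace-normalized."""
    headers = "".join(
        "%s:%s\n" % (h.lower(), " ".join((msg[h] or "").split())) for h in ("From", "To", "Subject")
    )
    body = "\n".join(line.rstrip() for line in msg.get_payload().splitlines()).rstrip("\n")
    return (headers + "\n" + body).encode()


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_message(raw, private_exponent=D, n=N):
    """Sending side: prepend a signature over the canonical form of the message."""
    msg = Parser().parsestr(raw)
    sig = pow(_digest_int(_canonical(msg), n), private_exponent, n)
    return "%s: %d\n%s" % (SIG_HEADER, sig, raw)


def verify_domain_key(raw, dns=DNS):
    """Receiving side: fetch the From domain's public key and check the signature."""
    msg = Parser().parsestr(raw)
    sig = msg[SIG_HEADER]
    domain = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    record = dns.get(domain)
    if sig is None or record is None:
        return "none"   # unsigned, or domain publishes no key
    n, e = record["public_key"]
    return "pass" if pow(int(sig), e, n) == _digest_int(_canonical(msg), n) else "fail"


if __name__ == "__main__":
    signed = sign_message(GENUINE)
    tampered = signed.replace("statement is ready", "account was hacked; log in at http://203.0.113.7/")
    print("sender id, bank's server   :", check_sender_id("198.51.100.10", "example-bank.com"))
    print("sender id, hacked host     :", check_sender_id("203.0.113.7", "example-bank.com"))
    print("domain key, genuine signed :", verify_domain_key(signed))
    print("domain key, body altered   :", verify_domain_key(tampered))
    print("domain key, spoofed unsigned:", verify_domain_key(GENUINE))
```

The two checks catch different things. The IP check defeats a phisher who simply writes the bank's address in the From line from a hacked host elsewhere; the signature check additionally catches a message whose body was altered after the bank sent it, and it survives forwarding through a relay the bank never listed. Both are only as good as the policy the domain publishes, which is why neither helps while banks have not yet set one up.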
But there is still no Web-wide tool to help us know we are visiting a legitimate Web site. Gartner analyst Avivah Litan thinks it's partly because no one
has figured out how to make money with such an authentication service. And without one, Litan worries that e-commerce could be headed for trouble.
Already, she said, anxiety over Internet security appears to be taking a toll on online commerce, which is growing but not as fast as it likely would if
online scams weren't so prevalent.
"I think we will see the slowdown accelerate,'' she predicted. "And if the problems aren't fixed, people will use the Internet for surfing, but they won't