Phishing casts a wider net


20 Sep 2005

As if spam wasn’t annoying enough, PC users now have to contend with an ever-increasing number of emails that try to cheat us out of our money. According to the latest figures from SurfControl, phishing attacks are now at the same level as adult-related spam mail and are growing at a faster rate.

Since the beginning of this year, the number of phishing scams has risen from 1pc to 8.3pc of the total volume of spam in circulation, says SurfControl. It found the number of emails generated between January and June that attempted to con recipients into handing over sensitive personal information is now equivalent to the number of adult spam emails.

A phishing scam is a type of social engineering attack that dupes recipients into revealing their online banking passwords, credit card details or other confidential information. The information sought is usually financial in nature.

In such cases, users receive a message that appears to come from their bank that will ask them to visit a website to confirm their login details. The message directs them to a fake webpage that resembles the genuine banking site; the page captures the users’ passwords that can then be used by the fraudsters to access their victims’ accounts — and their money.

Statistically, 10 million Americans are thought to have been defrauded, with the average cost per person calculated at €500. It takes an estimated 30 hours to clean up the mess, sorting out credit ratings with the necessary agencies. Explaining the success of such scams, Sean O’Connell, technical services consultant with Computer Associates (pictured), says: “People accept the ‘legitimacy’ of emails being sent.”

The nature of email and the internet means the problem is an international one. Over the past year, there have been versions of these scams directed at customers of the Irish banks AIB, Bank of Ireland and the credit card provider MBNA. The gardaí have previously indicated that some Irish citizens have been defrauded of money as a result of phishing attacks, although the sums involved aren’t thought to be large.

According to research released separately by the Anti-Phishing Working Group, 5pc of such fraud attempts are successful. The scams are indiscriminate. In other words, the criminals have no way of knowing that every recipient will be a customer of the named bank, but as with spam emails, the senders only need a small percentage of successful replies to make a profit.

The location of phishing sites is highest in the US, but this number is now growing in China, Korea and Germany. Although phishing websites are based there, they may be innocently hosted by compromised PCs that are now controlled by someone other than their owners, according to O’Connell. Sites stay up for as little as six days and then they move to avoid detection.

“You have multiple instances of phishing websites: for example, if you get the mail in Ireland, you could go to a site near here, but if you receive the mail in the US, you may connect to a site in Germany,” says O’Connell. “There are levels of redundancy and duplication built in, so that computers act as proxies to one another, hiding who the user is actually talking to.”

So what can users do? O’Connell advises recipients to look closely at the URL displayed in the message to see if it looks similar to a genuine address. “A lot of times you find there are internet addresses put in an email, eg internet protocol addresses or network addresses. Phishing sites are very well crafted. You’ll find it very difficult to see the difference between a legitimate site and a fake one. Does it look legitimate? Are there any strange characters in the address? Is it a secure connection? Does it use HTTPS? Those letters should prefix the web address. If they don’t, something smells wrong because no bank would give you access to information without a secure connection.”

People who suspect something is wrong are advised to check their accounts regularly, to watch for any unusual transactions or activity that suggests the account may be compromised.

Steve Purdham, chief technology officer at SurfControl, adds the threat is as much a risk to businesses as to individuals. “We have seen the widespread use of tactics that facilitate identity fraud as well as spyware that leaks sensitive company data.” Purdham calls for more to be done to educate internet users, whether consumers or workers, about the risks involved and what they can do to avoid being conned.

By Gordon Smith