Phishers Are Getting Together


If Citibank thought it had trouble before, just wait. The bank has the uncomfortable distinction of being the legitimate business most abused by phishers.

But a new level of cooperation among phishers is surfacing, one that can only add to its woes -- and to those of the other retailers and financial institutions whose brands and good names are hijacked.

According to the Anti-Phishing Working Group, an industry consortium, there were 1,422 unique attacks in June, the last month for which data is available. Attacks are growing at a rate of 52 percent a month, with the U.S. hosting 27 percent of those attacks.

Sophos, a vendor of enterprise anti-virus and anti-spam software, warned that, according to its analysis of phishing sites and e-mails, there is increased collaboration among those who maliciously masquerade as legitimate businesses. It said the tools and resources being swapped amount to do-it-yourself phishing kits.

"Anyone surfing the Web can now get their hands on these kits, launch their own phishing attack and potentially defraud computer users of the contents of their bank accounts," the company warned in its all-points alert.

However, Sophos senior security analyst Chris Kraft said that, in fact, this is conjecture, since phishers rarely reveal their techniques outside of their own community.

"We track phishing sites, and in our spam traps there has been a massive increase in the number of phishing attacks we've been seeing," Kraft said. Within phishing sites, he said, "We've seen near identical file structures, names and content that have given us an indication that there is free distribution and collaboration among these phishing sites."
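The inference Kraft describes, that near-identical file structures, names and content across sites point to a shared kit, can be expressed as a similarity check over crawled file listings. The Python below is an added example, not Sophos' tooling; the hostnames, file contents and the 0.75 threshold are constructed assumptions.

```python
import hashlib
from itertools import combinations

# Constructed sample data: site -> {relative path: file bytes}. All values are made up.
SITES = {
    "site-a.example": {"index.html": b"page-1", "verify/post.php": b"handler-1",
                       "img/logo.gif": b"logo-1", "css/style.css": b"css-1"},
    "site-b.example": {"index.html": b"page-1", "verify/post.php": b"handler-1",
                       "img/logo.gif": b"logo-2", "css/style.css": b"css-1"},
    "site-c.example": {"index.html": b"page-1", "verify/post.php": b"handler-1",
                       "img/logo.gif": b"logo-1", "css/style.css": b"css-1",
                       "readme.txt": b"notes"},
    "site-d.example": {"home.htm": b"other-1", "cgi-bin/form.pl": b"other-2"},
}

def jaccard(a, b):
    """Size of the intersection over size of the union; 0.0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def similarity(files_a, files_b):
    """Return (path similarity, content similarity) for two file listings."""
    paths = jaccard(set(files_a), set(files_b))
    digest = lambda files: {(p, hashlib.sha256(d).hexdigest()) for p, d in files.items()}
    return paths, jaccard(digest(files_a), digest(files_b))

def cluster(sites, threshold=0.75):
    """Group sites whose path similarity meets the threshold (union-find)."""
    parent = {s: s for s in sites}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(sites, 2):
        if similarity(sites[a], sites[b])[0] >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for s in sites:
        groups.setdefault(find(s), []).append(s)
    # Largest clusters first; a large cluster suggests one kit deployed many times.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for group in cluster(SITES):
        print(len(group), group)
```

Path similarity catches a kit whose files were lightly edited per target, while the content score separates verbatim copies from customized ones.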

Phishers try to lure consumers into disclosing personal information such as passwords, PINs and account details. Consumers typically receive e-mails warning that they must click on a link to update their accounts. The link leads not to the site of Best Buy, PayPal or Wells Fargo, but to a dummy phishing site. If they fill out the form there, their information is sold to crooks.

Phyllis Kramer, vice president of marketing for Privacy, Inc., said phishers are getting more sophisticated. "They're starting to use opt-in marketing techniques," she said. Instead of "verify your account," newer phishing schemes invite you to sign up for a special promotion. Privacy, Inc. offers My Privacy Policy, a service that lets users set up and manage separate e-mail addresses for each company they deal with.

"They're also starting to do corporate phishing," she said. In these attacks, phishers invite users to upgrade their software by entering user IDs and passwords. The scamsters then can use those to hack into the software company's system.

Bart Lazar, a partner in the law firm Seyfarth Shaw who specializes in intellectual property, technology misuse and counterfeiting, says businesses that are victimized by phishers should, first of all, go public. "You want the public to know that this is happening," he said. "Then, you have to gumshoe it."

Lazar said companies could use a variety of Internet monitoring technologies and services to try to locate phishing sites and shut them down. They should also work with law enforcement.

In the past, Lazar has advised against litigation, because of the expense and the time it takes. "In my experience, the smartest criminals cover their tracks very well."

Sophos' Kraft said the best overall protection against phishing is to steer clear of spam.

"We define spam as unsolicited e-mail delivered in bulk with some form of call to action is the first line of defense. If you don't see the e-mail in the first place, you won't mistakenly open it," Kraft said.