Reeling in the victims

Anti-Phishing Working Group | www.antiphishing.org


Phishing has snowballed into its own highly lucrative industry for fraudsters – an industry that has been linked to organized crime, including drug trafficking and money laundering.

This online crime wave has proved a massive headache for the financial sector and its customers alike, so who better to speak to about this 21st-century phenomenon than Dave Jevans, Chairman of the Anti-Phishing Working Group (APWG)?

Flick through a dictionary to the entry ‘phishing’ and you will find it described as ‘the activity of defrauding an online account holder of financial information by posing as a legitimate company’. It’s a relatively new word but one that has become hard to ignore in the world of online finance. In the space of four or five years this devious method of extracting money from online customers has exploded, spreading like wildfire amongst a criminal fraternity keen to make a quick buck (or a heap load more) from gullible individuals.

Its rapid growth certainly caught the institutions napping, and even today some online account holders are still oblivious to the threat it poses to their personal details. Sure, the banks have tried to educate customers about falling for bogus emails directing them to the scam artists’ fake sites, but they still have a long way to go to get everyone clued up and aware of the tell-tale signs. According to a recent study by the Anti-Phishing Working Group (APWG), new phishing sites rocketed to a staggering 55,000 in April – up from almost 21,000 the previous month.

Feeling slightly paranoid about that scary statistic and the vulnerability of my online accounts, I pick up the phone and arrange an interview with Dave Jevans, Chairman of the APWG, in order to shed some light on what the banks are doing to fight back. A few days later the meeting is set but, despite my hope for reassurances that April’s startling figures were a blip, Jevans pulls no punches in his assessment of the situation. In fact, during our conversation he says there is no real solution to the problem and describes the industry’s response as chaotic. So much for putting my mind at ease, I muse. “We have been looking at it [phishing] for four or five years and we have realized that there is no silver bullet, so you are never going to stamp it out,” Jevans revealed. “What we have seen is that every time somebody comes out with a counter-measure the really smart bad guys start innovating within a couple of days. Within three months they are on a completely different tactic which largely defeats whatever that new technology was before.”

It seems that when phishing first surfaced the institutions buried their heads in the sand and denied it was happening. However, that tactic backfired when increasing numbers of customers reported being duped by the gangs running these bogus sites. Jevans explains: “At the time my experience was that the financial institutions would largely deny that it was happening. They would say ‘it is not a problem, we don’t know what you are talking about’ because they were hoping that it would go away. And the big software vendors like Microsoft thought the same way.” So what changed their stance on phishing? “In 2005 we saw technology companies start to help solve the problem, and 2006 was the time when financial institutions realized that there was no point in denying that it was happening because everyone was getting the emails anyway. So they stepped up to the plate and said ‘it’s real and here’s how to protect yourself and here is what we are doing about it’.”

Jevans suggests that 2007 was the year that phishing was acknowledged as a widespread problem. But while the banks blacklist these sites once they are discovered, the phishers just move on and target another institution’s customers. In fact, some phoney sites are up and running for just a few hours before the plug is pulled – not by the banks but by the fake site itself. “A lot of these sites are only up for a couple of hours – they don’t wait for it to be taken down anymore. So they run the site for two hours and it automatically takes itself down, sends off the log files, cleans all the evidence, and when you go to the site there is nothing there. What you will find is it is really hard to gather the evidence because it is automatically removing itself.”

Also, the speed at which the gangs are able to exploit potential weaknesses is startling. Recently, less than 24 hours after news of a firm being indicted for money laundering, the phishers had registered domain names and sent out emails telling people that they needed to register in order to get money out of closed accounts. They just have to wait for people to follow the instructions in the email, before raiding their accounts.

Stereotypes

One thing I was keen to find out from Jevans was the profile of a typical phisher. It may be just me, but the thought conjures up images of an Eastern European IT whizkid hunched over a computer in his rundown apartment as he sends out emails day and night trying to reel in his victims on the other side of the world. The statistics seem to dispel this myth, however. Indeed, half of all phishing attacks in the United States originate in the United States. The same is true for the UK – another financial heavyweight. Jevans points out that Spain and Brazil, as well as the Former Soviet Union (FSU), have become hotbeds for malware and crimeware attacks.

He also argues that the innovators of these scams are an elite group, which then spawns thousands of people who launch copycat attacks. Then, surprisingly, there are those who are not in it for the money. “There are lots of mom and pop shops and lots of people that do it just for malicious intent and don’t intend to get money. And some people do it because they want to see how stupid people fall for giving out their passwords, and some of them do nothing with the information. They do, however, sometimes post the information on IRC boards for the fraudsters to download.” He continues: “The actual hardcore group pulling money out of these scams is a much smaller community, but it is increasingly tied to mobs and drug activities and older forms of money laundering.”

So with organized criminals behind some of the scams, the question is what the banks should do. Educating customers about the dangers is at the top of the agenda, but the gangs know that plenty will still believe the con and reveal account usernames and passwords. One bank to suffer heavily from online fraud is Scandinavian banking giant Nordea. In 2005 it was forced to shut down its online arm after being the victim of a sophisticated phishing attack. And early this year it was discovered that hackers had used malicious software purporting to be anti-spam software to steal 8m Kronor ($1.1 million) from 250 customer accounts over a three-month period. Jevans says that it all boils down to cost: “To educate takes money, though. You need to come up with a bank-neutral message that can be delivered through multiple channels – through letters, billboards, brochures and advertising the bank. You need to make a concerted effort to do a multi-million dollar advertising campaign, but not many institutions want to chuck millions of dollars into a pot with other banks.”

But what about investing more in detecting suspicious transactions? Again money comes into the equation, it seems. “Generally, people don’t want to spend money on technology checking 99.9 percent good transactions. Therein lies the problem – they [phishers] can make a lot of money by spreading the fraud around. And you have a small number of groups in general that are doing the majority of it; maybe 80 percent of it is done by ten major groups.”

Jevans is of the opinion that too many people within the industry are pulling in different directions on dealing with phishing. “The problem really is the overall industry. We waited so long to get email authentication, but what happened over the past three years is that a splintered group went out and created new and proposed standards for email authentication and none of them agreed. So you have four different email identification technologies that none of the major guys can agree on – so none of the small guys want to act on it. Until Yahoo, Microsoft, Google and AOL all agree on the same thing, how is any small guy supposed to know what to do? It is complete chaos out there.”

Outfox the fox

And while chaos reigns the phishers don’t appear to be relenting in their pursuit; they are switching approaches and inventing ever-more ingenious tactics. Recently pharming has become the buzzword in bank security and another thorn in the side of the institutions. This scam has evolved from phishing: the fraudsters attack the DNS (Domain Name System) so that when someone types in a bank’s web address they are directed to the fake site. The victim’s details are captured and the con artists waste no time in emptying accounts.

“What we saw at the end of last year was that because these blacklists were starting to be used, the bad guys started using huge unique sub-domain URLs so that every single email would have a single domain. That largely defeated the blacklist technology. So they are definitely getting much more sophisticated.” So what solutions, if any, does Jevans see? “The answer is going to be blacklists, heuristics, email identification, and website and user identification, as well as possibly transaction authentication. A combination of all those things applied in different measures will make the environment more secure and more trusted, but it will require a lot of technology and a long adoption curve, especially in email authentication.” So it seems the phishers are still feeding well on their victims, for the time being anyway. Eradicating this crime appears to be nigh on impossible, but through collaboration the financial industry and software providers can slash the rising number of new sites cropping up. The next 12 months could be crucial.
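The point Jevans makes about unique sub-domains is worth seeing in code from the defender's side. The following is an added example, not code from the article or from the APWG: it compares a blocklist that matches the exact hostname against one that matches the registrable domain (the part of the host the phisher actually has to register), using constructed URLs under the reserved `.test` TLD and a deliberately tiny stand-in for the Public Suffix List.

```python
"""Added example (not from the article or the APWG): why an exact-host
blocklist is defeated by a unique sub-domain per email, and why matching on
the registrable domain (eTLD+1) is not. All URLs and domains are constructed."""
from urllib.parse import urlsplit

# Constructed: the blocklist was seeded from one reported phishing URL.
REPORTED_PHISH_URLS = [
    "http://a91f2.secure-login.example-bank-verify.test/login",
]

# Constructed: the same kit re-sent with a fresh sub-domain in every message,
# plus one legitimate-looking URL that must not be flagged.
INCOMING_URLS = [
    "http://a91f2.secure-login.example-bank-verify.test/login",
    "http://7c0de.secure-login.example-bank-verify.test/login",
    "http://zz41q.secure-login.example-bank-verify.test/login",
    "https://www.example-bank.test/online/login",
]

# Constructed stand-in for the Public Suffix List; a real deployment would
# load the full list rather than hard-code a handful of suffixes.
PUBLIC_SUFFIXES = frozenset({"test", "com", "co.uk"})


def hostname(url):
    """Lower-cased host part of a URL, or '' if the URL has no host."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def registrable_domain(host, public_suffixes=PUBLIC_SUFFIXES):
    """Return the registrable domain (eTLD+1) of a host.

    Walks the labels from the left so the longest known suffix wins:
    'a.b.example.co.uk' -> 'example.co.uk'. A host with no known suffix is
    returned unchanged.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in public_suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return host


def exact_host_blocklist(reported_urls):
    """Blocklist keyed on the full hostname, as a naive filter would build it."""
    return {hostname(u) for u in reported_urls}


def domain_blocklist(reported_urls):
    """Blocklist keyed on the registrable domain instead of the full host."""
    return {registrable_domain(hostname(u)) for u in reported_urls}


def classify(urls, reported_urls):
    """Evaluate each URL against both blocklists and report the hits."""
    exact = exact_host_blocklist(reported_urls)
    domains = domain_blocklist(reported_urls)
    results = []
    for url in urls:
        host = hostname(url)
        results.append({
            "url": url,
            "exact_hit": host in exact,
            "domain_hit": registrable_domain(host) in domains,
        })
    return results


def hit_counts(urls, reported_urls):
    """(exact-host hits, registrable-domain hits) over the incoming URLs."""
    results = classify(urls, reported_urls)
    return (sum(r["exact_hit"] for r in results),
            sum(r["domain_hit"] for r in results))


if __name__ == "__main__":
    for r in classify(INCOMING_URLS, REPORTED_PHISH_URLS):
        print(f"{r['url']:<60} exact={r['exact_hit']!s:<5} domain={r['domain_hit']}")
    print("hits (exact, domain):", hit_counts(INCOMING_URLS, REPORTED_PHISH_URLS))
```

Running the block shows the exact-host list catching only the one URL it was seeded with, while the registrable-domain list catches all three variants of the kit and leaves the legitimate host alone. The trade-off a practitioner has to weigh is that domain-level matching on a shared hosting or sub-domain-provider domain will over-block, which is exactly why the real Public Suffix List, not a hard-coded set, belongs in any production version.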

