April 08, 2005
Phishing incidents continue to increase. New identity theft techniques may destroy the Internet
The Anti-Phishing Working Group reports a 26% average monthly growth rate for the period of July through February 2005. Unfortunately, our previous predictions have come true with a few new twists and turns for your reading pleasure.
Microsoft Sues: A poor start
Microsoft recently filed 117 federal lawsuits against unnamed (John Doe) defendants. This amounts to a fishing expedition so they can use other legal procedures to force third parties to disclose data. It also underscores the challenge in catching these criminals, since no specific individuals and/or companies were named.
Where are the other major Internet players? Folks like Google, Yahoo, eBay/PayPal, AOL, Amazon, and many others need to think long term and aggregate a legal attack using the billions of dollars they collectively have. Has the thought ever crossed their minds that a few million dollars spent on consumer education is the other tactic which must be deployed?
Where are the 60 plus brands whose image is tarnished with these Phishing attacks? Names like Visa, MasterCard, Chase and Citi sit back and do not file legal action. While a reputable organization like The Anti-Phishing Working Group is a great start, it's never going to significantly reduce this problem.
Certainly, I am aware of some Toolbar solutions, hot lists, and political efforts to pass legislation which sends these criminals to jail, but these proprietary solutions are more of a publicity stunt. They miss the effective solution, which is a coordinated legal attack by numerous companies working together, combined with a collective effort to educate consumers.
Given the short-sighted nature of most of the major players and their lack of cooperation with each other, I'm not very optimistic and will guarantee you that the incidence of Phishing will continue to increase at alarming rates.
Phishing criminals are much smarter than their enemy
As the effectiveness of fraudulent emails has decreased, the criminals have and will continue to use new techniques to lure consumers into releasing their confidential data. Consider the increasing incidence of the following:
(1) An ecommerce site which may sell plane tickets, consumer goods, insurance, or even mortgages. The "Kits" are already circulating, and in some cases a nice ranking in a Search Engine and/or a PPC advertisement ensures a steady flow of new victims. A few of these clever criminals will even recruit Affiliates or join some of the larger CPA networks, which in general lack the necessary resources and desire to properly vet listings and/or merchants.
(2) Fake software updates and patches will become more prevalent. Once installed on the surfer's computer, they will log keystrokes, phone home, and capture screens. Writing a virus is no longer the fad. Why bother, when a criminal can make money writing an .exe which steals data?
(3) Fraudulent "Surveys" which promise numerous prizes but require personal data are already starting to appear. Win 10K, but first I want your DOB, address, bank account info to wire you the funds, and much more. Need some traffic? Just purchase a site which already has traffic and recoup your investment the first month.
(4) Fraudulent Affiliate programs which make wild payout claims and target greedy and ethically challenged Webmasters. In some cases, it's not even necessary to start your own Affiliate program. Just join a greedy and well known network engaged in the CPA space and let them bring you victims.
The final words of wisdom
We expect Phishing/Identity Theft incidents to continue to increase at an alarming rate for the next few years. Our next article will focus on tips and tricks to spot the criminals in action and hopefully provide you with the necessary steps to avoid Identity Theft.
Data Source: Phishing Activity Trends Report - February 2005
Posted by Steve_S
February 14, 2005
Microsoft, eBay (PayPal) and Visa form The Phish Report Network (PRN)
In what amounts to a feeble and self-serving PR move, these giants have banded together in an effort to rehabilitate their tarnished image, caused by the dramatic increase in Phishing.
What is The Phish Report Network (PRN)?
"The Phish Report Network enables companies to reduce online identity theft by safeguarding consumers from phishing attacks. As the first worldwide anti-phishing aggregation service, the Phish Report Network provides subscribers with a mechanism for staging a united defense against phishing."
How does PRN work?
"The Phish Report Network is comprised of Senders and Receivers. Any company being victimized by phishing attacks, such as a financial services or e-commerce company, can subscribe to the Phish Report Network as a Sender and begin immediately and securely reporting confirmed phishing sites to a central database operated by WholeSecurity.
Other companies, such as Internet Service Providers (ISPs), spam blockers, security companies, and hosting companies, can join the Phish Report Network as Receivers. Subscribing as a Receiver provides access to the database of known phishing sites submitted by the Senders. Using this information, Receivers can effectively protect consumers by blocking known phishing sites in various software, email, and browser services. Additionally, real-time notifications of new phishing sites are available to Receivers to ensure up-to-the-minute protection against the latest attacks" Source
Nice try but NOT!
While I certainly support the education of surfers about the dangers of Phishing and even if we assume that the member sites will regularly update their sites with current data on Phishing attacks, PRN is not an effective device to significantly reduce Phishing. I'm also amused by the use of "defense" in the first paragraph of their mission statement.
First of all, surfers rarely go to the "real site" to see if the email they received is legitimate. They normally just click the link inside the email, submit their data, and the result is ID theft.
The first solution. SUE!
Next, haven't we learned anything from the battle against Spam? Thinking in terms of defensive actions is an exercise in futility. What should have happened first, is a series of legal procedures across multiple countries, accompanied by restraining orders to shut down the Phishing sites. These procedures are the only way to significantly reduce ID theft.
For an example of exactly what I'm talking about, please take note of the numerous lawsuits filed in a short period of time by Microsoft and Pfizer. Microsoft sues for violations of the Federal CAN-SPAM law and at the same time Pfizer sues for violations of its trademark on Viagra. These parallel lawsuits are an effective way to reduce abuse. You force the fraudsters to defend themselves across numerous courts, incur large legal bills, and let due process run its course. Use this exact same principle against Phishing and you will reduce this ID theft.
My advice for you has not changed
Trash all emails which contain requests to click a link and visit a site to submit your confidential data. I don't care who the email appears to be from. Don't do business with firms who use email in this manner. Don't waste your time visiting sites for alerts and/or installing ToolBars in your browser which attempt to notify you of a fraudster's Phishing site. If you wish to visit a site like PayPal, then first launch a blank browser session and carefully type the URL into your browser. Look for the Padlock and double check the URL once you arrive.
Posted by Steve_S
December 12, 2004
Identity Theft: Phishers think you're an easy target and some of you are!
The use of phony/forged emails and/or web sites to gather your personal financial data such as your credit card numbers, account usernames and passwords, social security numbers, and other personal data is increasing at an alarming rate. And it's going to get much worse before it gets better. Learn how to prevent this.
The emails typically contain a request for your personal financial data and a link to visit eBay, numerous banks, PayPal, brokerage accounts, and other financial firms. They often look very legitimate and so does the web site. Click here to see a more detailed list of the various types of Phishing attacks. Unfortunately, many folks submit this data to the fraudulent web site and then the criminals steal their identity. They use this data to purchase goods and/or services with your Credit Card, obtain birth certificates, obtain social security numbers, obtain driver's licenses, and carry out other damaging techniques.
How do you avoid this trap?
It's very simple, NEVER respond to these emails. NEVER click on a link inside one of these emails. Ignore them and send them to the trash.
Additional precautions:
If you are visiting a site, we suggest you type the URL into your browser and then bookmark the site. We never release our personal financial information to any party who calls us on the phone. If we think the request is valid, we will use our phone number from our records to call the party back. We don't do business with any firm that requests this kind of data via email and/or the phone.
If you have the time, we suggest you report these Phishing attacks to the Anti-Phishing Working Group. What do you do if you have given out your personal financial information? Visit this page for outstanding advice. Unfortunately, our undercover research indicates that Phishing attacks will continue to increase and the criminals will use new techniques to fool you. Expect to see fraudulent ecommerce sites, fraudulent escrow companies, downloads that grab your data, criminals advertising in major Search Engines, and using the US mail to request your data.
Posted by Steve_S
