Computer Crime Research Center


Arnold Schwarzenegger vs. phishing

Date: April 18, 2006

It’s been six months since Gov. Schwarzenegger signed the state’s anti-phishing law, but it doesn’t seem to be working.

Oliver Friedrichs, director of emerging technologies for Symantec Security Response, reports he currently tracks 7.9 million phishing emails a day, an increase of 39 percent from 2005. Symantec Security is a unit of Symantec Corp. (SYMC), seller of the popular Norton security software.

Phishing is a form of fictitious solicitation, typically in e-mail, with the intent of getting people to divulge sensitive information, commonly personal and financial. Most phishing e-mails are made to look like they come from an official institution, directing users to a Web site that is designed to steal user names and passwords. The term phishing was coined by crackers, people who engage in illegal system or software cracking, referring to fishing for information.

The Anti-Phishing Act allows victims to sue for the amount of damages incurred or $500,000, whichever is greater. The problem, according to Craig Cardon, a partner specializing in intellectual property and advertising with the law firm Sheppard, Mullin, Richter & Hampton LLP in San Francisco, is that phishers operate too far underground.

“It’s rare that you’ll find the person who sent you the phishing e-mail or they won’t have the money to pay damages and if they do, they’re set up offshore,” he said. “The anti-phishing law is really symbolic.”

“It’s outright theft,” Friedrichs agrees. “When you compare it to spam, spam is trying to entice you to buy a legitimate service. Phishing would be more like breaking into your house and actually stealing jewelry as opposed to knocking on your door and trying to sell you something.”

Most phishing attempts come from Asia and Eastern Europe, which makes them that much harder to prosecute. Experts worry that phishers are constantly one step ahead of the security industry. At the RSA Conference 2006, Microsoft Corp. (MSFT) Chairman Bill Gates addressed this cat-and-mouse chase: “For every improvement we make, they look for our vulnerabilities,” he said.

The two most commonly phished sites are PayPal and its parent, eBay Inc. (EBAY), the online auction house. Amanda Pires, a PayPal representative, said it’s due to the high volume of customers with financial information on their accounts.

“We have a dedicated team that focuses on this problem,” she said. “Often if the fake Web site is in the U.S., we can get it pulled down in two hours.”

Phishers, whoever they are, are culturally keen people. Experts warn of IRS scams now that taxes have been filed, and Hiep Dang, director of threat research and engineering with Aluria Software, recently discovered a scam involving the popular social Web site, MySpace.
