Computer Crime Research Center


Don't get bitten by the Internet phish

Date: December 06, 2004
Source: Times Argus
By: LESLIE BROOKS SUZUKAMO Knight Ridder Newspapers

ST. PAUL, Minn. - Online holiday shopping is expected to soar again this year, but will a new form of Internet fraud follow suit?

The answer could be very painful for some hapless shoppers and a headache for well-known e-retailers and banks.

The fraud is called "phishing" - as in "fishing" for victims - and in it, scam artists send out tens of thousands of forged e-mail messages at a time disguised as a legitimate message from a large, well-known institution.

Usually, the bogus messages purport to come from banks, though retailers haven't been immune from it. Locally, Best Buy's brand logo was hijacked in a phishing scam last year, while e-retailing giants eBay and Amazon have been favorite targets of phishers.

The typical phishing message says there is some problem with the recipient's account and they should immediately click on a Web link in the message that redirects their browser to a Web site that looks like the institution's real site.

But the site is a forgery, and when the victim fills in his name and personal information like account numbers and PINs, Social Security numbers and credit card numbers and hits "submit," the site sends that information to the thieves, who can be as far away as Eastern Europe or Asia. The thieves then sell the information to ID theft rings that steal the victim's identity by applying for credit cards or loans in the victim's name.

Victims can take months straightening out the mess as the thieves pull the same scam over and over, experts say.

The forged Web sites are online for an average of less than seven days before they are discovered and neutralized or abandoned; there were 1,142 reported in October, a 25 percent increase over July, according to the Anti-Phishing Working Group, a coalition of online security firms, financial institutions and others who organized this year to stamp out this latest Internet scourge.

Despite the rise in online scams, however, online shopping is expected to jump roughly 20 percent this season.

The latest estimates from Internet commerce tracking firms range from a low of $13.2 billion by Forrester Research to $21.6 billion by Jupiter Communications, which says 86 million Americans are expected to shop online this season.

Banks and e-retailers say they are prepared for phishing and don't anticipate more problems than usual.

Target Corp. of Minneapolis, whose customers can sign up for e-mail ad service, uses the latest technology to protect against phishing attacks, spokeswoman Paula Thornton-Greear said.

And Steve Dale, a spokesman for Minneapolis-based U.S. Bank, said, "Basically for us, nowadays, it's a non-event."

Yet this past summer, U.S. Bank became a favorite target of phishing attacks. The bank made some changes in its technology that it does not want to disclose for security reasons and Dale said the phishing attacks tailed off.

In September, online retail giant Amazon joined forces with Microsoft to file lawsuits against phishers and spammers who allegedly faked or "spoofed" Amazon's Internet address and Web site.

"I don't know if we're seeing an explosion of activity at Amazon," said David Zapolsky, vice president and associate general counsel of the Seattle company. "We see it as constant static." Amazon is very careful in its own e-mail messages to its customers, and never asks them for their personal information in the e-mail or on a page entered through a Web link, Zapolsky said.

Instead, customers are encouraged to visit the Amazon page themselves, and access their accounts on their own, he said. He thinks the company's educational efforts have been paying off.

"I don't think too many of our customers are getting taken in," the attorney said.

EBay, the No. 1 holiday online shopping site with nearly 50 million users last season, also depends heavily upon educating its community to recognize phishing scams, spokesman Hani Durzy said.
