Computer Crime Research Center


Cybercriminals get bolder strategies, phishing tips

Date: October 11, 2005
By: Pamela Yip

Beware of unfamiliar e-mails and never provide personal data

Cybercrooks are stepping up their attacks against your personal financial data, with more brazen, targeted and technologically advanced strategies.

In recent months, for example, the phishing e-mails I've received have included increasingly urgent pleas to get me to take the bait and click on their link.

In this day and age, you should never click on anything in an e-mail unless you have updated security filters to keep out worms and other insidious programs.

And never provide your credit card information, Social Security number, bank account numbers or any other personal data in response to any e-mail, however official-looking.

Fortunately, many Web criminals are so stupid that their phishing e-mails reveal their fraudulent nature with numerous grammatical errors and misspellings.

A recent e-mail purportedly from PayPal, the online-payment firm owned by Web giant eBay Inc., warned, "While performing it's regular scheduled monthly billing address check our system found incompatible information which seams to be no longer the same with your current credit card information that we have on file."

The e-mail wanted me to click on a link to a Web site that would look like an official PayPal site and "update" my information. The thieves would then use the information to drain my PayPal account, if I had one, which I don't.

It didn't matter if I didn't think I needed to update my information.

"If you didn't change any of this information, you still need to follow up the previous link and update your existing billing information because it means that our database [sic] regular scheduled update wasn't made correctly."

Another phishing e-mail, claiming to be from Bank of the West, warned that my bill-paying service will be "deactivated and deleted if not renewed immediately."

Latest ploys

Some phishers even have the gall to remind you to exercise the utmost care in divulging personal information.

"You should never give your PayPal password to anyone, including PayPal employees," one message says. "Make sure you never provide your password to fraudulent Web sites. PayPal will never ask you to enter your password in an e-mail."

And in keeping up with current events, criminals are also sending bunches of e-mails soliciting donations for hurricane victims.

Some have even tried to defraud hurricane evacuees by telling them they have to divulge personal information in order to receive financial aid.

The phishers' new tactics don't surprise Web security experts.

"Now their tone is a little bit more urgent," says Dan Hubbard, senior director of security at Websense Inc. in San Diego, a Web security company. "They say things like your account may be affecting others, so they're really making sure that you log in."

New tactics

Frighteningly, cyber-attacks also are becoming more sophisticated and difficult to detect.

"We've also seen a lot of new types of phishing attacks, which come in as e-mails, which have nothing to do with phishing," Mr. Hubbard says.

"They might come in as a greeting card."

I received one last week, saying I had received a greeting card from a "family member." I deleted it because it looked suspicious.

"In most cases, you click on a link and there's a program that asks you to run it, or a browser exploit that runs code without your knowing it," Mr. Hubbard says. "They install a keylogger on your computer."

"Keyloggers" are a type of spyware that records what you type on your computer and tracks where you go on the Web.

"They wait for you to log on to your bank account, and they start listening," says Peter Cassidy, secretary general of the Anti-Phishing Working Group, an industry group.

The most common keyloggers seek access to financial Web sites, e-commerce sites and Web-based mail sites, according to a recent Security Trends Report by Websense.

For example, if the keylogger is set up to be on the alert for when you access your bank or credit card account, it will intercept your keystrokes when you do so.

"They can do that for 40, 50, 100 different banks," Mr. Hubbard says. "They capture your user name, your password and credit card information, and they usually send it out to a Web site where the attacker comes in later and picks it up."

To battle keyloggers, some financial institutions are having users enter their passwords by clicking with the mouse on a virtual keyboard on the screen, so that nothing is typed for a keylogger to record.

So now the cyber criminals have come up with "screen scrapers," which track your mouse clicks instead.

Phishers also are aiming at new targets, particularly smaller companies.

Smaller targets

Websense says in the first half of this year, it saw "dramatic increases in the number of smaller, regional banks being targeted, credit unions, in particular."

It's called "puddle phishing."

"By targeting a bank with just a few branches, the number of potential phishing prey is reduced to a much smaller number, sometimes just to a few thousand people," Websense says. "Nonetheless, the fact that we are seeing more and more of the smaller financial outlets being targeted by phishing attacks may indicate that this is a highly profitable scam."

As long as there's big money in it, cybercrooks will continue their cat-and-mouse game with security experts and financial institutions.

2005-10-16 12:07:45 - it's good, wish to read more. the author... arup gupta
Copyright © 2001-2013 Computer Crime Research Center