Computer Crime Research Center


Phishers caught!

Date: December 20, 2005
By: Melissa Allison

Banks are notoriously tight-lipped about their efforts to fight fraud.

It's a curious trait because savvy criminals know what banks do to protect information, but customers do not.

Officials at Washington State Employees Credit Union, however, decided to explain how they successfully fought a recent phishing expedition.

Phishing is lingo for e-mails sent to consumers that appear to come from legitimate sources seeking financial information, such as credit-card numbers.

More identity fraud stems from stolen paper mail than from phishing, according to Javelin Strategy & Research, a research and consulting firm in Pleasanton, Calif. Still, phishing is lucrative enough that criminals keep doing it.

The credit union, based in Olympia, learned that its members were being phished in September when it was forwarded a phishing e-mail that linked it to a bogus Web site.

Credit-union officials bombarded the fake site with bad debit-card numbers, hoping that the criminals would be overwhelmed and unable to distinguish between those card numbers and any real ones members might provide.

They also contacted the Internet service provider in Lithuania that was hosting the fake site.

It took a day and a half to shut down the fake site, faster than average for phishing incidents.

Finding an ISP is fairly easy, but it takes time to contact ISP workers in another country and explain that phishing is criminal behavior. The ISPs are not the criminals, just the services used to set up bogus Web sites.

The Lithuanian ISP knew what phishing was, said Walter Cunningham, assistant vice president of information technology at Washington State Employees Credit Union. But that was not the case in May, the first time criminals phished for data from credit-union members. Then the ISP was in Sweden.

"They didn't understand phishing, so we took the angle of 'stealing,' " Cunningham said.

No one lost money in either incident.

In the first case, credit-union officials were tipped off when criminals tried to use a bad debit-card number at an ATM in Romania. The credit union could do little besides report it to the Federal Bureau of Investigation.

In the second incident, one member gave his information to the fake site, but as far as credit-union officials could tell, no one tried to use it.

That member realized he had been phished after the fraudulent site stopped asking for data and landed him at the credit union's legitimate Web site. Officials there considered it lucky that the bogus site sent people to them, because they were able to post a warning.

Even if only one or two members might be caught by a phishing scam, credit-union spokeswoman Ann Flannigan said, "we're going to do our best to minimize the impact."