Thursday, October 23, 2008

Crooks Going Phishing

Posted by Mark Brousseau

An interesting article from this week's LA Times:

In desperate times, scammers pounce

Phishing expeditions are on the rise, with customers of struggling and failed banks the latest favored victims.

By David Colker
Los Angeles Times Staff Writer
October 19, 2008

The economic meltdown is not devoid of economic opportunities. There's one group of folks who might do just fine: scammers.

Security experts have spotted an increase in phishing, the scam that uses fake e-mails to get people to hand over personal financial information that could be used to drain bank accounts or for identity theft.

It was no surprise to Dave Marcus, director of security research at McAfee Inc., one of the largest computer security firms.

"Whatever is happening out there in the world, you will see scams that take advantage of that," he said.

The banking crisis -- with its mergers and takeovers -- was tailor-made for phishing. It gives scammers the opportunity to send out e-mails claiming that personal account information is needed because of the changes.

McAfee began seeing phishing reports related to the crisis shortly after the well publicized failure and sale of Washington Mutual Bank in late September.

"Generally, if the issue is in the news on Monday morning, we'll start seeing the phishing start on Monday evening or Tuesday," Marcus said.

Even a bank deal that falls apart can generate phishing scams. This month, several security websites warned that an e-mail supposedly from Wachovia bank was being circulated.

"Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago," the e-mail said. Bank customers were directed to go to a site where they would fill in account information in preparation for the takeover.

But the Citigroup buyout never happened -- Wells Fargo instead made a deal to acquire Wachovia. And the e-mails were bogus.

Wachovia put a warning on its website, stating that it never sends e-mails asking customers to "provide, update or verify your personal, business, account or other confidential information."

Phishing scams often begin with a spoofed e-mail that appears to come from a legitimate source.

In some cases, fraudsters exploit security loopholes to hijack a genuine e-mail address, making it appear that is where their messages are originating. Or they simply resort to using addresses that are close to the real thing.

Examples cited by security experts include misspellings that use a double "v" to simulate a "w," as in the fake

Also, the number "1" has been used as a stand-in for the letter "l," as in
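A small detector for the two lookalike tricks the article describes (a double "v" standing in for "w", and the digit "1" for the letter "l"), added here as an illustration rather than anything from the article or from McAfee; the allow-list of legitimate sender domains is a constructed example:

```python
# Lookalike substitutions described in the article. Multi-character
# sequences are listed first so they are folded before single characters.
CONFUSABLES = [("vv", "w"), ("1", "l")]

# Constructed allow-list of sender domains a bank's mail filter would trust.
LEGIT_DOMAINS = {"wachovia.com", "wellsfargo.com", "citibank.com"}


def normalize(domain: str) -> str:
    """Fold known lookalike sequences back to the letters they imitate."""
    folded = domain.lower().strip()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address (text after the last '@')."""
    if "@" not in address:
        raise ValueError(f"not an e-mail address: {address!r}")
    return address.rsplit("@", 1)[1]


def classify(address: str) -> str:
    """'legit'     : domain is on the allow-list as written
       'lookalike' : domain only matches the allow-list after folding
       'unknown'   : no relation to any allow-listed domain"""
    raw = sender_domain(address).lower()
    if raw in LEGIT_DOMAINS:          # exact match checked first, so a real
        return "legit"                # domain is never mislabelled
    if normalize(raw) in LEGIT_DOMAINS:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample sender addresses.
    for addr in ["alerts@wachovia.com", "alerts@vvachovia.com",
                 "security@wel1sfargo.com", "news@example.org"]:
        print(f"{addr:28} -> {classify(addr)}")
```

This only catches the character substitutions listed above; it says nothing about a spoofed From: header or a hijacked genuine address, which need sender authentication rather than string comparison.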

But in many cases, the scammers don't even bother to make addresses look legitimate. They rely on alarming or alluring messages. The text might say that if personal information isn't immediately disclosed, the account will be frozen or shut down.

Another variation is an urgent warning that an account is under attack by hackers and the information is needed to "verify" the true account holder.

Money is sometimes used as a lure. For the last couple of years, fake messages supposedly from the Internal Revenue Service have promised recipients a tax refund. But to deposit this windfall, the individual's banking information is needed.

Some of the e-mails are laughably poor attempts at fooling the public. A recent one read, "Recommends banks to process Visa card to renew your data quickly before being delete your Visa card."

It's like spam from Yoda.

But a link on the e-mail led to a legitimate-looking Citibank Web page where banking information was requested. These simulated sites, which can be created using simple Web tools, are the second part of the phishing scam.

They can be so convincing that, in an academic study presented in 2006 at the Conference On Human Factors in Computer Systems, well-crafted phishing websites were able to fool 90% of participants.

Obviously, the public needs to be educated about phishing, which seemed to be the aim of an e-mail in wide circulation in England. It was addressed to customers of Barclays, one of the country's largest banks.

"Like other UK based banks, we are currently seeing very large numbers of 'phishing e-mails' in circulation," it said. "Many of these look as if they are from Barclays, typically encouraging you to click a link and type in your login details."

The e-mail went on to explain how phishing works and requested, "please spend a few minutes to upgrade to our latest security."

Then it gave the link to a website. And as you guessed, it was a phishing site, designed by scammers to get their hands on account information. The e-mail was a fake, but so polite.

At the very bottom it said, "We apologize for the inconvenience and thank you for your co-operation."

You could almost hear them laughing, literally all the way to the bank.
