Internet Attackers on Phishing Expeditions

By Larry Seltzer  |  Posted 2003-12-01

When asked to update your Citibank account online, or reverify personal info for PayPal, just say: "no!" Like spam, though, this Internet scam only needs a few people to bite in order to pay for itself.

As I said in my 2004 Outlook column, our e-mail accounts are now filled with some recent advances in the field of "phishing." If you haven't been paying attention, the term refers to a particular type of Internet scam in which a user is tricked into giving up personal information, like bank account information. According to Wordspy, the term phishing comes from the fact that attackers are "fishing" for data. Why "ph"? Wordspy says something about using sophisticated techniques. If that's where it comes from, it's a pretty lame etymology. According to an FTC advisory on the problem, the technique is also known as "carding." The FTC alert has some good guidelines for non-technical consumers.

In the past, phishing attacks usually appeared as e-mail from some legitimate company; Citibank and PayPal are frequent targets, for example. The e-mail usually says something to the effect that the company is reverifying account information and needs you to re-enter it. The e-mail will either have a link to a similarly fraudulent Web site or perhaps an HTML form directly in it.

Plenty of people fall for these e-mails, even though it's not hard for a more-sophisticated user to see right through them. I found it easy to tell that the Citibank e-mail about my account was phony since I'm not a Citibank customer. However, many people who receive such e-mails must assume that some mistake was made and chalk it up to mega-corporate incompetence.

I've received many such messages myself, and in almost every case by the time I've received the e-mail, the corresponding Web site is already down. That's because the big companies that are targeted by these attacks are pretty good at contacting (threatening) the hosts of the offending pages and persuading them to take the page down.

At the same time, there are a few things you can look at for guidance if you suspect you're being phished. The first thing to look for is if the message asks you to send personal information directly in e-mail. This is a really bad idea, although it's not actually proof that the requestor is a scammer. I once had a hosting account at Hostway and contacted technical support. The support person actually asked me in e-mail for my username and password. That was the moment that I decided to take my hosting business elsewhere.

If the message doesn't come from an address at the company it supposedly represents, that's also suspicious, but not dispositive. Sometimes real companies will hire third parties to send out bulk mailings for them. There are good ways and bad ways to handle this, of course, but it means you have to dig a little deeper.
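The warning signs described above, as an added example that is not part of the original article: a Python function that reports a request for personal information, an HTML form in the message, and a sender domain that does not match the company the message claims to be from. The brand-to-domain table, the signal names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand name -> domains it really sends from.
BRAND_DOMAINS = {"citibank": {"citibank.com"}, "paypal": {"paypal.com"}}
ASKS_FOR_SECRETS = re.compile(r"\b(password|pin|account number|card number)\b", re.I)
HAS_FORM = re.compile(r"<form\b", re.I)

def body_text(msg):
    # Join every text/* part of the message, decoded to str.
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")

def phishing_signals(raw_message):
    # Return the warning signs found in one raw e-mail, in a fixed order.
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claimed = (display + " " + msg.get("Subject", "")).lower()
    body = body_text(msg)
    signals = []
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in claimed and not owned:
            signals.append("sender-domain-mismatch")  # suspicious, not proof
            break
    if HAS_FORM.search(body):
        signals.append("html-form-in-mail")
    if ASKS_FOR_SECRETS.search(body):
        signals.append("asks-for-personal-info")
    return signals

# Constructed sample messages (not real mail).
PHISH = """\
From: "Citibank Support" <verify@citi-accounts.example>
Subject: Reverify your account
Content-Type: text/html

<p>We are reverifying account information.</p>
<form action="http://citi-accounts.example/update">
Card number: <input name="card"> PIN: <input name="pin"></form>
"""
BULK = """\
From: "PayPal" <news@bulkmailer.example>
Subject: PayPal newsletter

New features this month. No action is needed.
"""
```

The constructed bulk-mailer message trips only the sender-domain check, which is the third-party mailing case the article calls suspicious but not dispositive.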


Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
