Desperate times call for desperate measures, and to law enforcement officials tasked with fighting criminals online, the skyrocketing number of cyber-crimes is a full-blown crisis.
From the front lines, the call is for more of everything—more investigators, more funding and more attention from lawmakers and upper management. That call may finally be getting some attention.
While obstacles remain, those involved in the cyber-crime fight say there are growing reasons for optimism. Law enforcement agencies are sharing information more often and more widely than ever before. Investigators are more experienced. And, for its part, the technology industry is working on a variety of products that address some fundamental issues behind common cyber-crimes.
Evidence that this heightened diligence can turn the tide may be found in the battle against one of the most widespread and insidious forms of cyber-crime: phishing.
Through the clever use of company logos, verbatim text and links to convincing replicas of corporate Web sites, phishing scammers entice unsuspecting users to give up private information with appeals bearing titles such as "Problems with your account" and "Account security measures."
Despite the pilfered graphics, the messages frequently contain obvious spelling and grammatical errors that can make them more easily identifiable as fakes. However, some of the messages simply ask recipients to follow an embedded link that takes them to an exact replica of the victim companys Web site, where they are then prompted to enter sensitive information. These sorts of attacks are far more difficult to sniff out, especially given that many of them use authentic-looking URLs.
In March, there were 402 unique new phishing attacks, a 43 percent increase from the previous month, according to numbers compiled by the Anti-Phishing Working Group, an industry consortium that tracks phishing activity and comprises financial institutions, banks and vendors such as PassMark Security LLC, of Woodside, Calif., and Science Applications International Corp., of San Diego.
The schemes are getting more sophisticated with attacks that plant Trojan horses and backdoors on users PCs as soon as users open malicious e-mail messages.
"[Phishers] are starting to work with crackers and virus writers. Theyre sharing code, using common techniques and taking advantage of vulnerabilities to drop something on the machines," said Dan Maier, director of product marketing at Tumbleweed Communications Corp., a provider of secure e-mail solutions based in Redwood City, Calif., and a member of the Anti-Phishing Working Group. "Its very sophisticated code," Maier said.
Acknowledging the problem and taking a lead in the effort to thwart such scams, the Department of Justice in April issued a five-page report on phishing, warning consumers and laying out suggested defenses.
The report followed similar efforts from the Office of the Comptroller of the Currency at the Federal Deposit Insurance Corp., which urged banks to increase monitoring of phishing-type activities and expand incident-response capabilities to deal with the spike in online fraud.
Phishing has the attention of the private sector as well. One of the underlying problems that allows phishing to flourish is that it is hard to determine with any degree of certainty whether the Web site an unsuspecting victim visits is what it claims to be.
By using URL redirectors and other means of deceit, scammers can easily hide the true address of their malicious site and make it appear as legitimate as eBay.com or Amazon.com. Identrus LLC, a company that provides identity authentication services to banks and other financial institutions, is working on a solution to the problem.