Veterans Day may have been a holiday for many U.S. companies, including banks and other financial institutions, but for Internet fraudsters it was one of the most productive days of the year.
Beginning in the early-morning hours and continuing throughout Thursday and into Friday, phishing scammers launched an unprecedented number of unique new attacks against a wide variety of companies, including eBay Inc., Citibank and a number of other financial institutions. All told, more than a dozen separate banks and financial institutions were hit with new attacks, some of which employed sophisticated new techniques that proved quite effective, security experts said.
One of the new scams targeted BB&T Corp., a bank based in Winston-Salem, N.C. The e-mail directed recipients to the banks legitimate site, but then delivered a pop-up window that requested that visitors enter their account information in order to update their security settings on the site. Closing the window or trying to end the process in the Windows Task Manager utility simply caused the window to reappear.
“They used about a thousand lines of JavaScript code to make sure that no matter what the user did, the window came back up,” said Bill Franklin, president of Zero Spam Network Corp. in Coral Gables, Fla., and a member of the Anti-Phishing Working Group, which works to identify and take down phishing-related sites. “Any time that window lost focus, it always came back to the front. It was a really good piece of social engineering. We could see traffic going to the site and could just imagine the losses mounting.”
Another new attack Thursday targeted Citibank customers and attempted to steal their debit/ATM card numbers by claiming that recent transactions on their accounts could not be processed until their account information was updated.
Working with law enforcement officials, ISPs and foreign computer emergency response teams, Franklin and others in the APWG were able to take down a large number of the new sites. But new ones would appear almost as soon as the old ones were removed.
“[Thursday] was unique. If there was any doubt about whether these guys pay attention to when the bank holidays are and when the security guys wont be around, there isnt now,” Franklin said.
Since its emergence onto the Internet crime scene about 18 months ago, phishing quickly has become one of the more widespread and profitable forms of online fraud. In December 2003 there were 116 unique phishing attacks reported to the APWG. In July 2004, there were 1,974 unique attacks—nearly 20 times as many as just seven months earlier. Experts estimate that somewhere between five and 10 percent of people who receive a phishing e-mail will eventually fall victim to the scam.
The sheer numbers of new attacks and their success rate combined with the limited resources of law enforcement to investigate relatively small frauds means that prevention, and not prosecution, is likely to be the most effective weapon against phishing, experts say.
“The problem is getting people to come forward. Its hard for law enforcement to react because they dont have a lot of good statistics or large enough losses,” Franklin said. “Everything we do is driven by how willing the targets are to fund the take-down efforts. We dont have everyone on board yet. This is a problem that shouldve been beaten in three or four months. I think we could declare victory on this by the end of the year if we could get everybody on board. We could say that the runaway train of everybody just throwing up sites is over. But its a complex problem with so many players involved.”