
    web.mit.edu

    Online Swindlers, Called Phishers, Are Luring Unwary

    By SAUL HANSELL

    Last year, EarthLink, the big Internet access provider, went hunting for phishers.

    It started a campaign to track down people who were sending e-mail messages that pretended to be from EarthLink but were actually fraudulent attempts to steal customers' passwords, credit card numbers and other information. What it found was that of the dozen or so people it could clearly identify as engaged in the practice known as phishing, more than half were under 18.

    In its latest effort, EarthLink discovered a lot of phishing e-mail messages coming from computers in Russia, other East European countries and Asia. The e-mail messages, and the Web sites they directed people to, were becoming much more technically sophisticated.

    "A year ago, there were some phishers out there, and it was mostly teenagers and other people fooling around," said Les Seagraves, EarthLink's chief privacy officer. "Now I think we are moving to more criminal enterprise."

    Phishing attacks are growing rapidly, impersonating Internet service providers, online merchants and banks. Government officials and private investigators say all signs point to gangs of organized criminals, most likely in Eastern Europe, as being behind many of the latest efforts.

    "Like any other black market, there is a stratification in phishing," said Kevin E. Leininger, president of ICG of Princeton, N.J., an investigative firm that has been hired by banks to find those behind the attacks. "There are people who are rank amateurs. And there are identity-theft rings."

    So far, the offenders have largely evaded the searches to find them. One reason is that they often use computer worms, spread from machine to machine, to send the fraudulent e-mail, a technique that makes it almost impossible to trace the source.

    Like EarthLink's investigators, government authorities have managed to track down a few individuals operating less sophisticated ruses. The F.B.I. traced one crop of mass e-mail messages pretending to be from the AOL Billing Center to Helen Carr, 55, who ran the scheme from her home in Akron, Ohio. (Ms. Carr pleaded guilty and was sentenced in January to 46 months in prison.)

    But federal investigators write off people like Ms. Carr as small-time operators. "The kids in school and the old lady in her basement make great copy," said Bruce A. Townsend, deputy assistant director in the office of investigations at the Secret Service, which investigates cases of credit card fraud. "But this has transformed into something done by organized criminal groups."

    In February, 282 cases of phishing e-mail messages were reported to the Anti-Phishing Working Group, a coalition of technology companies, financial institutions and law enforcement agencies. That was up from 176 attacks in January and 116 in December. Brightmail of San Francisco, which filters e-mail for spam, identified 2.3 billion phishing messages in February, 4 percent of the e-mail it processed, compared with only 1 percent of its messages as recently as September.

    "Identity theft is the single greatest type of consumer fraud," said Christopher A. Wray, an assistant attorney general in charge of the criminal division of the Justice Department, "and phishing is the identity theft du jour."

    At this point, there are few sure ways for an Internet user to tell if an e-mail message is legitimate. So experts advise people to be extremely wary of providing any confidential information in response to e-mail.

    "The crooks are getting slicker, and the bogus Web sites and e-mails are dangerously legitimate looking," Mr. Wray said.

    No one knows how much money has been stolen through phishing schemes. Banks say it still seems relatively small compared with other forms of fraud and theft, like using stolen credit or debit cards.

    One reason it is not easy to figure out how much money has been lost is because many victims do not realize it when they have been fleeced. Even those who find an unauthorized charge on their credit card bills and bring this to the attention of the issuers do not necessarily know that the charge was caused by their response to a false e-mail message.

    "People think they are giving their credit card numbers to AOL because there is a problem in their account," said Eric A. Wenger, a lawyer for the Federal Trade Commission, which has brought civil actions against several phishers. "If they find out four weeks later there are unauthorized charges on the credit card, it never occurs to them to connect the two events."

    Lisa Cook, a sales representative with Kraft Foods who lives in Brookline, N.H., was one of the lucky ones who discovered that she had been subject to phishing before she was significantly harmed. Ms. Cook responded one morning, before her first cup of coffee, to a message in her e-mail in-box seemingly from PayPal, the electronic payment service of eBay. It said she needed to update her account, so she dutifully provided her credit card and Social Security numbers, mother's maiden name and other identifying information.

    Luckily, she spotted a warning later the same day about Internet scams. Ms. Cook placed a panicked call to PayPal, which confirmed her fear that she had been phished.

    She was able to cancel all her credit cards and change passwords before she lost any money. But the experience haunts her.

    "It will always be in the back of my mind," she said. "I worry that some day down the road, someone will take out a mortgage using my information."

    Phishing got its name a decade ago when America Online charged users by the hour. Teenagers sent e-mail and instant messages pretending to be AOL customer service agents in order to "fish," or "phish," for account identification and passwords they could use to stay online at someone else's expense. After AOL switched to a flat monthly rate, the same phishing methods were used to steal credit card information.

    These days, the same factors are driving all sorts of spam in much greater amounts.

    "It doesn't cost any money to go out and copy someone else's Web page to make it look real," said John Curran, a supervisory agent for the F.B.I. "And it doesn't cost any money to spam the e-mail out to one million people."

    The phisher's goal is to persuade a recipient that he has received a legitimate message, which must be replied to immediately.

    As for motivation, phishers sometimes appeal to greed by sending an e-mail message that promises the recipient a prize, asking for a credit card number only to bill for shipping costs. More often, they rely on fear.

    "The initial hook is something alarming," Mr. Curran said. "They tell you they will shut down your account or you have been charged for child pornography. Once they get you in a state where you are agitated or excited, they can elicit an emotional response."

    The open technology used in both e-mail and Web browsing makes it easy to create convincing fakes and difficult for recipients to verify who is really behind them. Even people with only modest technical skills can take graphic elements from a legitimate Web site and make a credible copy. (Many phishing attempts last year were riddled with typographical errors and awkward language, but now it appears that most phishers have brushed up on their English or hired proofreaders.)

    Phishers often create Internet addresses that closely resemble legitimate ones. Some have used domains that included yahoo-billing.com and eBay-secure.com. How is the typical user to know those are not real, but billing.yahoo.com is?
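
The answer to that question lies in the right-hand end of the hostname: whoever controls the last labels controls everything to their left. As an added example (not part of the article), this Python check classifies the three names the article mentions against an assumed allowlist of brand-owned domains; `TRUSTED`, `hostname` and `classify` are illustrative names, and the `.example` host is a constructed sample.

```python
from urllib.parse import urlsplit

# Assumption: the registrable domains the brands actually own.
TRUSTED = {"yahoo.com", "ebay.com"}

def hostname(url_or_host):
    """Return the lowercase hostname from a URL or a bare host string."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host as the network location
    return (urlsplit(s).hostname or "").rstrip(".").lower()

def classify(url_or_host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a host or URL."""
    host = hostname(url_or_host)
    # Ownership is decided right to left: the host must BE a trusted domain
    # or end in ".<trusted domain>" on a label boundary.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    # Not owned by the brand, yet the brand name appears in some label:
    # that is the resemblance the article describes.
    brands = {dom.split(".")[0] for dom in trusted}
    if any(b in label for b in brands for label in host.split(".")):
        return "lookalike"
    return "unknown"

# Names from the article, plus one constructed host on a reserved TLD.
SAMPLES = [
    "billing.yahoo.com",
    "yahoo-billing.com",
    "eBay-secure.com",
    "http://yahoo.com.account-check.example/login",  # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:48} {classify(s)}")
```

A production check would derive the registrable domain from the Public Suffix List rather than a hand-written allowlist.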

    In response, Microsoft has modified Internet Explorer, the most popular Web browser, to make it harder to fool users and it has more changes planned for the next browser update planned for release this summer.

    A few Internet companies are going further. EBay and EarthLink have both developed toolbars that can be added to Internet Explorer to warn users if they are looking at known fraudulent sites.

    But Howard Schmidt, a vice president for security at eBay, acknowledged that these approaches, and eBay's frequent warnings to its customers and PayPal's, have their limits.

    "Technology can solve 60 percent of the problem," he said. "Education and awareness can solve 20 percent, and no matter how good the industry is, there will be people who fall victims, so 20 percent will have to be handled by law enforcement."

    But even the small-time phishers who have been caught show how simple it is to use easily accessible high-technology tools to fool people. In February, Alec Scott Papierniak, 20, a college student in Mankato, Minn., pleaded guilty to wire fraud. He had sent people e-mail messages with a small program attached that purported to be a security update from PayPal. The program monitored the users' activity and reported their PayPal user names and passwords back to Mr. Papierniak.

    Prosecutors say that at least 150 people installed the software, enabling Mr. Papierniak to steal $35,000.

    While most of those prosecuted so far for phishing have been in the United States, eBay, working with the Secret Service, has investigated a series of scams originating in Romania. More than 100 people have been arrested by Romanian authorities. One of them, Dan Marius Stefan, convicted of stealing nearly $500,000 through phishing, is now serving 30 months in a Romanian prison.

    Mr. Stefan sent e-mail messages that appeared to come from eBay to people who were unsuccessful auction bidders, advising them of similar merchandise for sale at even better prices. To purchase the goods, the message recipients were told to provide bank account numbers and passwords and then to wire money to an escrow site, a fraudulent one Mr. Stefan had set up.

    The financial losses of most phishing victims, particularly those subject to credit card fraud, often end up being absorbed by banks and their insurance companies.

    But the costs are real. "We get 20,000 phone calls every time one of those goes out, and it costs us 100 grand," said Garry Betty, EarthLink's chief executive. "I got so mad one month when we had eight attacks," he said, explaining that he is pressing his legal department to find someone important to make an example of.

    "We haven't found one yet," Mr. Betty added, "but before 2004 is over, I'm going to get one."
