`PHISHING' ATTACKS belong to the class of con tricks called `social engineering attacks.' They use fake e-mails for identity theft, to break into computer systems, to steal money, for sabotage or for other nefarious purposes. The Federal Trade Commission (FTC), a U.S. Government body, describes phishing as "a high-tech scam that uses spam or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information." First, let us coin our own glossary of `phishing' for use in this article. The `thief' sends e-mail messages. These exactly resemble genuine messages from organisations such as banks, credit card providers and e-commerce sites that provide online facilities to their members, customers or other stakeholders. Without online facilities, there can be no phishing. Let us call these organisations `money sites.' The final targets of the thieves are the members, account holders or other stakeholders of the money sites. They are the `intended victims.'
The modus operandi
The modus operandi is simple. The thieves' e-mail messages to the intended victims contain requests such as `Reconfirm your account,' which look genuine. Hyperlinks in such messages lead the intended victim to a web page which is a counterfeit of the money site. The ploy fools some of the intended victims. They may enter sensitive personal information such as their user ID and password as prompted. The counterfeit page sends the information entered to a computer designated by the thief, who uses it for unlawful purposes. For this subterfuge to be effective, the thieves need to change the e-mail address appearing as the sender's address in their message. It should look like the e-mail address of the money site chosen. For this they may use `e-mail address spoofing,' generally used by e-mail viruses and spammers. Hence, the senders' addresses in phishing messages are always bogus. It is easy to counterfeit the log-on or transaction pages of the money sites. The thieves just copy them from the genuine money sites themselves. Then they change the underlying computer code as they want. They may also change the displayed addresses (URLs) of the counterfeit web pages through `URL spoofing.' The intended victim sees the address of the relevant page of the money site in the address bar even though the real address of what the browser displays is different. The phishing ploy may not always be effective. If the e-mail addresses have been `harvested' from the Web, the recipients may not have the facility the phishing e-mail talks of. Some may ignore such messages. In places like India, most may not enter into online financial transactions at all. Nevertheless, the thief needs to mislead just a few people in numerous attempts. Even one or two misled parties may provide a big booty.
Why the big fuss?
Then why the big fuss about phishing? With millions of people around, the thieves get enough chances to swindle money worldwide by the millions. According to a study by the Ponemon Institute, phishing victims have lost over $500 million in the U.S. alone. Senator Patrick Leahy (D-Vermont) is reported to have introduced an `Anti Phishing Bill 2004' (http://www.pcworld.com/news/article/0,aid,116862,00.asp). The attacks are increasing phenomenally. For international warnings about phishing, visit http://news.bbc.co.uk/1/hi/business/3567563.stm, http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm and http://www.us-cert.gov/cas/tips/ST04-014.html. `Express Computers' of August 23, 2004 claims that the thieves have not spared Indian money sites either (http://www.expresscomputeronline.com/20040823/securespace01.shtml).
International workgroup
Early last year, an international workgroup was formed against phishing. Its web site is http://www.antiphishing.org/. The web site contains images of various e-mail messages sent by the thieves to intended victims worldwide (http://www.antiphishing.org/phishing_archive.html). These prove that the thieves have raised phishing to the level of a highly refined form of con art. Some more real-life examples are available at http://www.millersmiles.co.uk/identitytheft/spoof-email-hoax-scam-archive-1.php. However, wary intended victims do not fall for the phishing tricks. Simple precautions such as analysing the e-mail carefully, cross-checking with the money sites by telephone, keeping away from the e-mail hyperlinks and accessing money sites by typing their published URL in the address bar of the browser can keep the thieves at bay, at least for the time being. Many web sites have already listed these precautions in detail. Visit the US-CERT, Express Computers and Anti-Phishing Working Group web sites supra for detailed lists of these precautions, according to which the onus of defence rests entirely on the intended victims. URL spoofing, described above, adds a sinister dimension to phishing threats. Outdated MS Internet Explorer (IE) browsers cannot trap URL spoofing efforts. It may be necessary to patch IE using Windows Update or other means provided by MS. One can check whether the IE in use has been patched or not by using the `URL Spoofing Test' at http://www.millersmiles.co.uk/identitytheft/URL-spoofing-test.php. If interested, one can see a harmless demo of simple URL spoofing with a technical brief at http://www.mikx.de/index.php?p=2. However, thieves are constantly improvising, and URL spoofing may mature into a potent phishing weapon. It is to be hoped that constructive technology keeps pace with the thieves.
Some of the other defences put forward so far, for the consideration of the money sites, trade associations and governments, are as under:

Use of alternate mail protocols: Use of the S/MIME e-mail protocol, in the place of the popular SMTP and POP3 protocols, at least in messages involving money transactions, may render detection of the sender of e-mail messages easier. Widespread use of S/MIME may be necessary for the exchange of encrypted and digitally signed mails. Further, with such caller-ID-enabled protocols, it is possible to develop mail filter applications easily for blocking phishing e-mails in the ISP's mail server itself. But the industry has been reluctant to adopt S/MIME on a large scale so far.

Encrypted and certified mails: Wide use of digitally signed messages by money sites may deter thieves to a large extent. Over 700 companies, inclusive of many savings banks in Germany, employing some 390,000 people, with combined total assets of more than Euro 3 trillion, have started using encrypted and digitally signed e-mail messages for interacting with their customers (http://www.c1-sec.com/presse_aktuelles.php).

Use of additional authentication procedures: Several Australian banks are stated to use `secure tokens.' These may use smart cards, USB keys and similar electronic gadgets. They generate a unique password to be entered each time one logs on to Internet banking. It is like using both the card and the PIN in ATMs. The deterrent to the use of secure tokens is the cost involved, both at the server side and at the client side. But there are several specific options currently available in the market.
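As an added illustration of the mail-filter idea raised above (this is example code written for this page, not code from the article or from any product it names), the following Python heuristic scores a raw e-mail on three of the tells the article describes: a sender domain that does not match the money site named in the display name or subject, a link whose visible text names the money site while its href points elsewhere, and the `Reconfirm your account' style of urgency. The money-site domain and the two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical list of money sites the filter protects; the domain is assumed, not from the article.
MONEY_SITE_DOMAINS = {"examplebank.com"}
URGENT_PHRASES = ("reconfirm your account", "verify your account", "account will be suspended")
# Crude anchor-tag matcher, enough for the constructed samples (a real filter would parse HTML).
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample messages: one mimicking the "Reconfirm your account" lure, one genuine.
PHISH = """From: "ExampleBank Security" <alerts@mail-relay.example.net>
Subject: Reconfirm your account
Content-Type: text/html

<p>Please <a href="http://203.0.113.9/login">www.examplebank.com/login</a> to reconfirm your account.</p>
"""
LEGIT = """From: "ExampleBank" <notices@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.examplebank.com/">www.examplebank.com</a> to view it.</p>
"""

def registrable(host):
    """Crude domain reduction: login.examplebank.com -> examplebank.com; IP literals kept whole."""
    labels = host.lower().split(".")
    return host.lower() if labels[-1].isdigit() else ".".join(labels[-2:])

def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message; higher means more phishing-like."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    body = "".join(p.get_payload(decode=True).decode(errors="replace") for p in msg.walk()
                   if p.get_content_type() in ("text/plain", "text/html"))
    reasons = []
    # 1. Display name or subject names a money site, but the sender's domain is something else.
    for site in MONEY_SITE_DOMAINS:
        if site.split(".")[0] in (name + msg.get("Subject", "")).lower() and from_dom != site:
            reasons.append(f"sender domain {from_dom!r} does not match claimed {site}")
    # 2. Visible link text names a money site while the real href goes elsewhere.
    for href, text in LINK_RE.findall(body):
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        href_dom = registrable(urlparse(href).hostname or "")
        if shown and registrable(shown.group()) in MONEY_SITE_DOMAINS and href_dom not in MONEY_SITE_DOMAINS:
            reasons.append(f"link text {text!r} but href goes to {href_dom!r}")
    # 3. Urgency phrasing typical of the lure.
    reasons += [f"urgency phrase {p!r}" for p in URGENT_PHRASES if p in body.lower()]
    return len(reasons), reasons
```

A mail server would run score_message on each incoming message and quarantine or tag anything above a chosen threshold; the sample lure scores 3 and the genuine notice 0.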
Secret images
`PassMarks' are secret images the money sites can share with their customers. When a user comes to a money site, he enters his username and looks for his PassMark. When he sees his own personal PassMark, he knows that he is dealing with the real money site and not a fake. Then it becomes safe to enter sensitive information (http://www.passmarksecurity.com/solution.html).

Custom e-mail filter applications: Since so many are monitoring phishing so closely, it may be feasible to develop specific e-mail filter algorithms to minimise phishing at the mail server level itself. Proven packages like the open source `SpamAssassin' may be customised to fight phishing. The money sites can fund such development and encourage ISPs to use them.

Phishing is an offshoot of spam. Unless spam is controlled, phishing will remain a threat. At present it seems that the cyber world lacks the will to come down heavily on spam.

R. Mohanakrishnan
(The author can be contacted at rsmk@touchtelindia.net)

© Copyright 2000 - 2009 The Hindu