Hackers Gone Phishing - Again
A new Internet scam, which arrived in the last two months, has proven to be especially nasty during the online holiday shopping peak. Called phishing, the tactic is utilized to get credit card and account information from consumers who believe they are visiting legitimate bank and credit card sites.
The newest attack occurred last week when users began receiving messages from "Visa International Service" that directed them to www.visa.com, the company's official site. They were asked to visit the site to reactivate their account because Visa had implemented a new security system. However, when users clicked on the link, they were sent to a site that looked like Visa's but did not belong to the company.
E-mail security company Tumbleweed Communications, which runs the Anti-Phishing Working Group, noted that the number of such attacks rose 400 percent this holiday season. In the past 60 days, more than 90 unique e-mail fraud and phishing attacks have been launched on Internet users.
Even worse, more and more phishing attacks are expected to take place, the company says.
To lure their prey, phishers send an e-mail that asks the recipient to reactivate an account or verify an account number. The messages look official and include what appears to be a dependable link.
When a user clicks that link, the legitimate site comes up in the browser, but a pop-up window that is unrelated to the bank or credit card company will ask for the verification information -- and it is from there that the information is channeled back to the phisher. Other strategies are also used, such as hiding part of a URL so a user is directed away from the legitimate site without his or her knowledge.
Dave Jevans, chairman of the Anti-Phishing Working Group and senior vice president of marketing for Tumbleweed Communications, told the E-Commerce Times that the problem is definitely increasing in seriousness.
"There are at least five new attacks per day that haven't been done before," he said. "The problem is skyrocketing."
Quantity Plus Quality
Jevans noted that the quantity of attacks is not the only reason to be alarmed. The sophistication with which the phishing is done is also surprising and should be cause for deep concern.
"It's pretty clear that organized crime is behind a big portion of this," he said. "We know that because of the increased level of sophistication, the way it can be traced to Eastern Russia and parts of Asia, and the fact that we're seeing the involvement of the Secret Service in the investigation."
Jevans believes government involvement is a positive step toward combating the problem, but lack of international cybercrime legislation may prove to be a hindrance in enforcement.
Without an international effort, strategies to quash the growing phishing threat may come down to standard tactics like putting up technical hurdles and educating users.
"At the end of the day, the only thing that works long-term is education," said John Movina, spokesperson for the Coalition Against Unsolicited Commercial E-Mail (CAUCE). He told the E-Commerce Times that making sure people do not fall for phishing attacks is similar to preventative health care.
"You can have all the vaccines and antibiotics in the world, but the best prevention against getting sick is to teach people how to protect themselves from illness and keep themselves healthy," he said. "It's the same with Internet scams. Educated Internet users should know how to stay healthy online."
However, Jevans is not as confident that education is a sure-fire tactic. For one thing, telling people not to click on URLs in e-mail seems a drastic step, he noted. Also, the sophistication of those who launch phishing attacks means users may not be able to spot scams as easily as they have in the past, and phishers feed on such confusion.
No matter how it is addressed in coming months, Jevans said Internet users will see phishing in some form in the new year. "It's going to get worse," he said, "much worse."