Online Swindlers, Called 'Phishers,' Lure Unwary
By SAUL HANSELL, New York Times, March 24, 2004, original
It started a campaign to track down people who were sending e-mail messages that pretended to be from EarthLink but were actually fraudulent attempts to steal customers' passwords, credit card numbers and other information. What it found was that of the dozen or so people it could clearly identify as engaged in the practice known as phishing, more than half were under 18.
Last year, EarthLink, the big Internet access provider, went hunting for phishers.
In its latest effort, EarthLink discovered a lot of phishing e-mail messages coming from computers in Russia, other East European countries and Asia. The e-mail messages, and the Web sites they directed people to, were becoming much more technically sophisticated.
"A year ago, there were some phishers out there, and it was mostly teenagers and other people fooling around," said Les Seagraves, EarthLink's chief privacy officer. "Now I think we are moving to more criminal enterprise."
Phishing attacks are growing rapidly, impersonating Internet service providers, online merchants and banks. Government officials and private investigators say all signs point to gangs of organized criminals — most likely in Eastern Europe — as being behind many of the latest efforts.
"Like any other black market, there is a stratification in phishing," said Kevin E. Leininger, president of ICG of Princeton, N.J., an investigative firm that has been hired by banks to find those behind the attacks. "There are people who are rank amateurs. And there are identity-theft rings."
So far, the offenders have largely evaded the searches to find them. One reason is that they often use computer worms, spread from machine to machine, to send the fraudulent e-mail — a technique that makes it almost impossible to trace the source.
Like EarthLink's investigators, government authorities have managed to track down a few individuals operating less sophisticated ruses. The F.B.I. traced one crop of mass e-mail messages pretending to be from the "AOL Billing Center" to Helen Carr, 55, who ran the scheme from her home in Akron, Ohio. (Ms. Carr pleaded guilty and was sentenced in January to 46 months in prison.)
But federal investigators write off people like Ms. Carr as small-time operators. "The kids in school and the old lady in her basement make great copy," said Bruce A. Townsend, deputy assistant director in the office of investigations at the Secret Service, which investigates cases of credit card fraud. "But this has transformed into something done by organized criminal groups."
In February, 282 cases of phishing e-mail messages were reported to the Anti-Phishing Working Group, a coalition of technology companies, financial institutions and law enforcement agencies. That was up from 176 attacks in January and 116 in December. Brightmail of San Francisco, which filters e-mail for spam, identified 2.3 billion phishing messages in February, 4 percent of the e-mail it processed, compared with only 1 percent of its messages as recently as September.
"Identity theft is the single greatest type of consumer fraud," said Christopher A. Wray, an assistant attorney general in charge of the criminal division of the Justice Department, "and phishing is the identity theft du jour."
At this point, there are few sure ways for an Internet user to tell if an e-mail message is legitimate. So experts advise people to be extremely wary of providing any confidential information in response to e-mail.
"The crooks are getting slicker, and the bogus Web sites and e-mails are dangerously legitimate looking," Mr. Wray said.
No one knows how much money has been stolen through phishing schemes. Banks say it still seems relatively small compared with other forms of fraud and theft, like using stolen credit or debit cards.
One reason it is not easy to figure out how much money has been lost is because many victims do not realize it when they have been fleeced. Even those who find an unauthorized charge on their credit card bills and bring this to the attention of the issuers do not necessarily know that the charge was caused by their response to a false e-mail message.
"People think they are giving their credit card numbers to AOL because there is a problem in their account," said Eric A. Wenger, a lawyer for the Federal Trade Commission, which has brought civil actions against several phishers. "If they find out four weeks later there are unauthorized charges on the credit card, it never occurs to them to connect the two events."
Lisa Cook, a sales representative with Kraft Foods who lives in Brookline, N.H., was one of the lucky ones who discovered that she had been subject to phishing before she was significantly harmed. Ms. Cook responded one morning, before her first cup of coffee, to a message in her e-mail in-box seemingly from PayPal, the electronic payment service of eBay. It said she needed to update her account, so she dutifully provided her credit card and Social Security numbers, mother's maiden name and other identifying information.
Luckily, she spotted a warning later the same day about Internet scams. Ms. Cook placed a panicked call to PayPal, which confirmed her fear that she had been phished.
She was able to cancel all her credit cards and change passwords before she lost any money. But the experience haunts her.
"It will always be in the back of my mind," she said. "I worry that some day down the road, someone will take out a mortgage using my information."
Phishing got its name a decade ago when America Online charged users by the hour. Teenagers sent e-mail and instant messages pretending to be AOL customer service agents in order to fish — or phish — for account identification and passwords they could use to stay online at someone else's expense. After AOL switched to a flat monthly rate, the same phishing methods were used to steal credit card information.
These days, the same factors are driving all sorts of spam in much greater amounts.
"It doesn't cost any money to go out and copy someone else's Web page to make it look real," said John Curran, a supervisory agent for the F.B.I. "And it doesn't cost any money to spam the e-mail out to one million people."
The phisher's goal is to persuade a recipient that he has received a legitimate message, which must be replied to immediately.
As for motivation, phishers sometimes appeal to greed by sending an e-mail message that promises the recipient a prize, asking for a credit card number only to bill for shipping costs. More often, they rely on fear.
"The initial hook is something alarming," Mr. Curran said. "They tell you they will shut down your account or you have been charged for child pornography. Once they get you in a state where you are agitated or excited, they can elicit an emotional response."
The open technology used in both e-mail and Web browsing make it easy to create convincing fakes and difficult for recipients to verify who is really behind them. Even people with only modest technical skills can take graphic elements from a legitimate Web site and make a credible copy. (Many phishing attempts last year were riddled with typographical errors and awkward language, but now it appears that most phishers have brushed up on their English or hired proofreaders.)
Phishers often create Internet addresses that closely resemble legitimate ones. Some have used domains that included "yahoo-billing.com" and "eBay-secure.com." How is the typical user to know those are not real, but "billing.yahoo.com" is?
In response, Microsoft has modified Internet Explorer, the most popular Web browser, to make it harder to fool users and it has more changes planned for the next browser update planned for release this summer.
A few Internet companies are going further. EBay and EarthLink have both developed toolbars that can be added to Internet Explorer to warn users if they are looking at known fraudulent sites.
But Howard Schmidt, a vice president for security at eBay, acknowledged that these approaches — and eBay's frequent warnings to its customers and PayPal's — have their limits.
"Technology can solve 60 percent of the problem," he said. "Education and awareness can solve 20 percent, and no matter how good the industry is, there will be people who fall victims so 20 percent will have to be handled by law enforcement."
But even the small-time phishers who have been caught show how simple it is to use easily accessible high-technology tools to fool people. In February, Alec Scott Papierniak, 20, a college student in Mankato, Minn., pleaded guilty to wire fraud. He had sent people e-mail messages with a small program attached that purported to be a "security update" from PayPal. The program monitored the user's activity and reported their PayPal user names and passwords back to Mr. Papierniak.
Prosecutors say that at least 150 people installed the software, enabling Mr. Papierniak to steal $35,000.
While most of those prosecuted so far for phishing have been in the United States, eBay, working with the Secret Service, has investigated a series of scams originating in Romania. More than 100 people have been arrested by Romanian authorities. One of them, Dan Marius Stefan,
convicted of stealing nearly $500,000 through phishing, is now serving 30 months in a Romanian prison.
Mr. Stefan sent e-mail messages that appeared to come from eBay to people who were unsuccessful auction bidders, advising them of similar merchandise for sale at even better prices. To purchase the goods, the message recipients were told to provide bank account numbers and passwords and then to wire money to an escrow site — a fraudulent one — Mr. Stefan had set up.
The financial losses of most phishing victims, particularly those subject to credit card fraud, often end up being absorbed by banks and their insurance companies.
But the costs are real."We get 20,000 phone calls every time one of those goes out, and it costs us 100 grand," said Garry Betty, EarthLink's chief executive. "I got so mad one month when we had eight attacks," he said, explaining that he is pressing his legal department to find someone important to make an example of.
"We haven't found one yet," Mr. Betty added, "but before 2004 is over, I'm going to get one."