This is Advanced Corporate Planning.com
 

Phishing

It sounds almost peaceful

Internet scammers casting about for people's financial information have a new way to lure unsuspecting victims: They go "phishing." Phishing on the internet is a way for scam artists to get you to give them your private identity info so they can use your credit cards and steal from you. Phishing, also called "carding," uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information.

You've heard about the eBay, PayPal, VISA, etc. scams. But maybe you wondered how they work. They use different tricks to get you from where you want to be to somewhere else. Some use a Microsoft Internet Explorer bug that lets scammers make the address bar display one address (www.eBay.com, for instance) while the browser is actually at a different site (www.piratesite.com, for instance). Netscape, Mozilla, Opera, etc. users see the real address. Some are easy to spot; others hide behind little tricks.

We have intercepted and dissected a few for you to see how it's done.

For eBay Scam #1 click here
For eBay Scam #2 click here
For eBay Scam #3 click here
For CitiBank Scam #1 click here
For VISA Scam #1 click here
For PayPal Scam #1 click here
For PayPal Scam #2 click here
For PayPal Scam #3 click here

Christmas season 2003 - a new high in phishing

E-mail security company Tumbleweed Communications Corp. said that reports of e-mail fraud and phishing scams are up 400% this holiday period. Tumbleweed based their findings on reports of scam attacks submitted to anti-phishing.org, a Web site run by the Anti-Phishing Working Group, an industry group that Tumbleweed helped found.

Tumbleweed identified more than 90 unique e-mail fraud and phishing attacks in the past 60 days, including scams like the Visa attack that spoof the origin of e-mail messages and feature links to fraudulent Web pages that collect user information. On average, 5% of recipients responded to the scam e-mail, Tumbleweed said.

Tumbleweed and the Anti-Phishing Working Group estimate that more than 60 million e-mail scam messages were sent in the past two weeks seeking to take advantage of increased online transactions during the holiday season.

AOL Phishing

AOL users got a fake e-mail requesting that they go to a site to verify their account information or lose their AOL account. The URL led to a fake site that collected their credit card info so the scammer could steal their money. This scam was created by a 17-year-old.

Citibank customers, and some non-customers, received an e-mail with spelling and grammar errors that said in part: "Dear Citibank customer, We are letting you know, that you, as a Citibank checking account holder, must become acquainted with our new Terms & Conditions and agree to it. Please, carefully read all the parts of our new Terms & Conditions and post your consent. Otherwise, we will have to suspend your Citibank checking account." The e-mail linked to a web site that looks like Citibank's, with Citibank's logo, and asks for a Social Security number.

The e-mail is an example of "phishing" -- the use of spam, or unwanted junk e-mail, to lure computer users to Web sites that look like those of reputable companies, and to deceive them into divulging personal financial data.

The linked page carried an error message. A link on that page connected to a web site, with text in Mandarin, for Nanhua Futures Trading Co., a brokerage in Zhejiang, China. Any problem on the Internet is an international problem.

Microsoft Internet Explorer - Phisher's friend

Phishing scams, those e-mail messages that appear to be from Amazon, eBay, or PayPal asking you to update your personal account information, have a new friend - Microsoft. Security experts have found a serious flaw in Internet Explorer that allows someone to type a legitimate URL followed by a fake URL. The flaw causes only the legitimate-looking URL to display in the address box, while the browser itself connects to the fake site.

It's a phisher's dream come true.

Unfortunately, Microsoft has only started studying it, so there's no fix from them at this time. The Open-Source community has released a fix, but since it does not come from Microsoft, there is no way to ensure that Microsoft won't do something to make it non-compatible - a tactic they are famous for.

One way to avoid these scams is never to give out personal information via e-mail. Also, if you need to update your Amazon, eBay, or PayPal account information online, start by going to their Web site directly, then click their secure socket layer (SSL) form from within their site; that way, you avoid ending up on some look-alike page run by a criminal hacker.

The Vulnerability

There is a flaw in the way Internet Explorer displays URLs in the address bar. By opening a specially crafted URL, an attacker can open a page that appears to be from a different domain than the one the browser is actually at. Using the http://user@domain notation, an attacker can hide the real location of the page by including a non-printing character (%01) before the "@". Internet Explorer doesn't display the rest of the URL, making the page appear to be at a different domain.

What the IE address bar shows: http://www.microsoft.com

What Netscape shows (the REAL URL): http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.php
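As an added example (not code from the original page), the following Python parses such a link the way the URL standard does: everything before the "@" is the userinfo field, and the host the browser actually connects to is what follows it. It reuses the page's own example URL and adds constructed samples (an RFC 5737 test address and a placeholder hostname); the reason labels and the checks it applies are this example's own choices, not a standard. It also flags links whose host is a bare IP address, the pattern described for the Visa message below.

```python
"""Find the real host behind a user@host link.

Added example, not code from the original page. In a URL of the form
http://something@host/path everything before the '@' is the "userinfo"
field; the host the browser connects to is what comes after it. The flawed
address bar stopped drawing at the %01 control character, so only the
userinfo was visible. Parsing with urllib.parse recovers the true host.
The first sample URL is the one shown on the page; the others are
constructed (RFC 5737 test address, placeholder hostname).
"""
import ipaddress
from urllib.parse import urlsplit, unquote


def real_host(url: str) -> str:
    """Host the browser actually connects to (the part after any '@')."""
    return urlsplit(url).hostname or ""


def assess_link(url: str) -> dict:
    """Classify a link, returning the real host and the reasons it looks odd.

    The reason strings are this example's own labels, not a standard.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    userinfo = parts.username  # raw text before '@', or None if absent
    if userinfo is not None:
        reasons.append("userinfo present before '@'")
        decoded = unquote(userinfo)  # turn %01 into the actual control byte
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
            reasons.append("control character in userinfo")
        if "." in decoded:
            reasons.append("userinfo looks like a hostname")

    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass  # an ordinary hostname (or empty)

    return {"url": url, "host": host, "userinfo": userinfo,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    samples = [
        # From the page: IE showed www.microsoft.com, the host is zapthedingbat.com
        "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.php",
        # Constructed: an IP-only site like the Visa message described below
        "http://192.0.2.10/visa/reactivate.html",
        # Constructed: an ordinary link with no userinfo
        "https://www.example.com/signin",
    ]
    for url in samples:
        verdict = assess_link(url)
        label = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{label:10} host={verdict['host']} reasons={verdict['reasons']}")
```

Run on the page's URL it reports the host as zapthedingbat.com and flags both the userinfo and the control character; a mail gateway or a browser toolbar can apply the same check before a user ever sees the address bar.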

Phishing on the rise

The number of phishing messages continues to rise. The latest one we've seen was ostensibly from Visa Security, claiming that due to a "technical security update" the user would have to log in and reactivate the account. When first received on December 5th, the message linked you to a web site reachable only by IP address (no domain name) that asked for your credit card number, bank account, Social Security number, and other personal information. By December 10th, however, the address was disabled. With the latest IE vulnerability discovery that lets malicious sites obscure their real domain in the address bar, phishing is going to become even more of a problem. If you get a suspicious message from PayPal, eBay or your financial or credit card company, call or go to their site independently to log in. Don't click through on the message's link.

Finance & Banking Industry Bracing for Increase in Net Fraud

Banking officials and computer security experts predicted the wave of cyber scams targeting the financial services sector will soar in 2004 as the industry braces for a new onslaught of fraud schemes. The gloomy prediction comes amid a string of e-mail and Web site spoofing scams preying on banking customers.

In the past few months, a rash of e-mails posing as correspondence from some of the world's biggest banks have flowed into various e-mail in-boxes. The scams have been reported in Britain, the United States and Australia, to name a few. "We see phishing as just the toe in the water," said a security expert for one of the UK's largest banks who spoke on condition of anonymity at a summit in London dedicated to security matters in the financial services industry. "It's like credit card fraud. Phishing is not big yet. But it will be."

Top Security Threat

Banks, desperate to protect their reputation and preserve a fast-growing segment of their business, consider online fraud schemes a top security issue. "The level of concern among our customers about the risk is certainly on the increase," said Nick Sears, vice president of sales for Finjan Software, a California-based security firm that counts some large banks as its customers.

British banks have been particularly hard hit this fall with more than a half-dozen firms, including Barclays Plc, Lloyds TSB and NatWest, posting warnings to customers that they have been the target of fraudsters.

At the summit on Monday, industry officials sounded a sobering note that technological advances will do little to halt the crime wave. Instead, they said, the best defense lies with the customer. "At the end of the day, the customer has got to start being more aware of what they're doing online. If somebody came up to you on the street and asked you for your credit card, you're not going to give it away. Why would you listen to an e-mail?" the bank security expert said.

Organized Crime?

Police blame the crime wave on organized crime syndicates based in Eastern Europe and other regions where law enforcement is ill-equipped to investigate the cases. Russia, Poland, the Czech Republic and smaller countries seem to be the center of activity, as their Internet regulation (simple things like domain registration) seems rife with fraud: people who don't exist, companies finding their name was used, addresses that don't exist, etc. Even Western European companies in Germany and France simply don't take any precautions against fraud from Eastern European countries.

Banks hit by phishers

From a September 16, 2003 Computerworld story by Linda Rosencrance: "Within the past week, customers of Britain's Barclays Bank and two Canadian banks have been the victims of cybercriminals who tricked them into revealing their personal account information."

In the United Kingdom, Barclays Bank PLC warned customers of an e-mail scam designed to get them to reveal confidential financial information. And in Canada, customers of BMO Bank of Montreal and Toronto-based Mouvement des caisses Desjardins were hit with a variation of the same e-mail scam.

According to Barclays, fraudsters sent an e-mail message purporting to be from the bank with a link to what appeared to be the bank's Web site. It was, in fact, a spoof site. Customers were then prompted to enter personal information such as passwords and personal identification numbers, which could be used to withdraw cash or transfer funds to other accounts.

Barclays said that about 400 people contacted the bank to say they had received the e-mail, which was sent to Barclays customers and to noncustomers. Of that number, eight said that they had given out personal details and their accounts had been locked. Barclays pledged to cover any losses caused by the scam and said it was successful in closing down the spoof Web site.

Meanwhile, spokesmen for the two Canadian banks said today that hackers sent out mass e-mails hoping to target legitimate bank customers. The e-mails told consumers to click on a URL that would take them to the banks' Web sites - where they could enter to win $500. However, those links actually took viewers to a fake cloned Web site, where they were asked to enter bank account numbers and passwords.

BMO spokesman Ian Blair and Desjardins spokesman Andre Chapleau said those e-mails also contained a Trojan horse, which was activated when consumers clicked on the link. It enabled the hackers to take control of users' computers and steal information. BMO, which learned of the scam from customers, contacted the Internet service provider hosting the spoof site, which immediately shut it down, Blair said. However, that didn't deter the hackers.

"Shortly after [the spoofed site was shut down], the hackers sent out another e-mail to customers saying the hackers had been caught but in the process their personal information might have been deleted, and asked them to resubmit their information," he said. As for the Mouvement des caisses Desjardins, Chapleau said his organization tracked down an ISP in Pennsylvania and had it close down the other spoofed site. He said the hosting company tracked the cybercriminals to Russia.

Origins of the Word "Phishing"

The word "phishing" comes from the analogy of scammers using web page and e-mail lures to "fish" for passwords and financial data in the sea of Internet users. The term was coined around 1996 by hackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users. The first mention on the Internet of phishing is on the alt.2600 hacker newsgroup in January 1996; however, the term may have been used even earlier in the printed edition of the hacker newsletter "2600".

"Ph" has become a common hacker replacement for "F", and is a nod to the original form of hacking, known as "phone phreaking". Phone phreaking was coined by an early phone hacker, John Draper (a.k.a. "Captain Crunch"). John invented "phone hacking" by creating the infamous Blue Box, a device that he used to hack telephone systems in the early 1970s. The blue box emitted tones that allowed a user to control the phone switches, thereby making long distance calls for free, billing calls to someone else's phone number, etc.

By 1996, hacked accounts were called "phish", and by 1997 phish were actually being traded between hackers as a form of currency. People would routinely trade 10 working AOL phish for a piece of hacking software that they needed. Over the years, phishing attacks grew from simply stealing AOL dialup accounts into a more sinister criminal enterprise. Phishing attacks now target users of online banking, payment services such as PayPal, and online e-commerce sites. Phishing attacks are growing quickly in number and sophistication. In fact, since August 2003, most major banks in the USA, the UK and Australia have been hit with phishing attacks.

Fighting Phishing

Phishing, e-mail and Web-based efforts by online scammers to hijack personal information from unsuspecting users, faces a new obstacle. A group of global banks and technology companies have joined forces to fight the scams. The group is running a Web site, Anti-Phishing.Org (http://www.anti-phishing.org), where those who have received phishing messages can report them, and personnel will follow up by trying to track down the originators of the scams.

Tumbleweed Communications started the Anti-Phishing.Org effort with the participation of a number of banks (the majority of phishing e-mails appear to come from financial institutions), but the list of partners now includes many technology companies. Bank of America and Wells Fargo were among some of the early banks to form partnerships with Anti-Phishing.Org, says Dave Jevans, senior vice-president of marketing at Tumbleweed Communications.

"We're putting an infrastructure in place so there will be people who can respond to phishing reports in a timely fashion," says Jevans. "That's critical because the Web sites designed for collecting personal information in phishing attacks are often only in place for a day or two."

Following his interview with PC Magazine, Jevans forwarded an example of a current phishing attack that the Anti-Phishing.Org team was tracing on Monday morning. The e-mail in question appeared to come from UK bank NatWest, and asked for personal account information to be provided at a Web address. Anti-Phishing.Org personnel were able to track the IP address the e-mail was sent from, and although officials think the e-mail originated in Europe, the IP address of the message turned out to be for a computer in San Francisco. Anti-Phishing.Org officials, with the help of Pacific Bell, turned up the name and street address for the owner of the computer immediately after the phishing message had been sent.

Clearly, though, the message was spoofed, relayed from a hijacked computer or "zombie", making the true origin hard to trace. "The owner of the computer probably had no idea he'd been hacked," says Jevans.
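The tracing described above, as an added example that is not the page's or Anti-Phishing.Org's own code: each mail server prepends a Received: header as the message passes through it, so the newest hop is at the top. Only hops written by servers you operate can be trusted; the "from" address in the oldest such hop is the machine that connected to you, which in the case above was the hijacked zombie rather than the author. The message, hostnames and addresses below are constructed (RFC 5737 test ranges, .example names), and the trusted-server set is an assumption the caller supplies.

```python
"""Trace the relay that handed a phishing message to our mail server.

Added example, not code from the original page or from Anti-Phishing.Org.
The message below is constructed to imitate the case described above: it
claims to come from a bank but was handed to us by some other machine.
Received: headers are prepended by each server in turn, so the top one is
the newest. Hops recorded by servers we do not operate may be forged, so the
tracing stops at the last hop one of our own servers wrote.
"""
import re
from email import message_from_string

# Constructed sample message; all names and addresses are placeholders.
SAMPLE_MESSAGE = (
    "Received: from relay.example-isp.net ([203.0.113.5]) "
    "by mx.victim-mail.example with ESMTP; Mon, 15 Dec 2003 09:12:01 -0800\n"
    "Received: from mail.bank.example (unknown [198.51.100.77]) "
    "by relay.example-isp.net with SMTP; Mon, 15 Dec 2003 09:11:58 -0800\n"
    'From: "Bank Security" <security@bank.example>\n'
    "To: customer@victim-mail.example\n"
    "Subject: Please reactivate your account\n"
    "\n"
    "Your account requires a technical security update. Log in at ...\n"
)

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def received_hops(raw: str) -> list:
    """Return the Received: hops, newest first, as dicts of claimed/ip/by."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold continuation lines
        claimed = FROM_RE.search(text)  # the name the sender announced (HELO)
        ip = IP_RE.search(text)         # the address the receiver observed
        by = BY_RE.search(text)         # the server that wrote this hop
        hops.append({
            "claimed": claimed.group(1) if claimed else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def last_verifiable_hop(raw: str, trusted_servers: set):
    """Return the oldest hop recorded by one of our own servers, or None.

    Its 'ip' is the machine that actually connected to us: here the relay
    (a hijacked 'zombie'), not necessarily the author of the message. Hops
    below it were written by machines we do not control and may be forged.
    """
    result = None
    for hop in received_hops(raw):
        if hop["by"] not in trusted_servers:
            break
        result = hop
    return result


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"by {hop['by']}: from {hop['claimed']} [{hop['ip']}]")
    origin = last_verifiable_hop(SAMPLE_MESSAGE, {"mx.victim-mail.example"})
    print("last verifiable sender:", origin["ip"] if origin else None)
```

With mx.victim-mail.example as the only trusted server, the verifiable sender is 203.0.113.5, the relay; the lower hop naming mail.bank.example is only what that relay (or whoever controlled it) chose to write, which is why the trail in the story ended at a zombie rather than at the scammer.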

The Anti-Phishing.Org team is currently tracing about 20 reports of phishing attacks, according to Jevans. "It's very hard to put real numbers on the damages companies are suffering because of phishing," he adds. "Part of that is because the major banks don't want to divulge the amount of losses they're seeing for fear that it will damage their online banking businesses. But just to give one rough example, a major Australian bank has put several million dollars in reserve since August to cover damages from phishing."

Phishing attacks have appeared to come from places other than financial institutions, with Microsoft, eBay, Paypal, and Visa being recent examples.

One of the primary rules in avoiding being a victim of phishing is to never respond to e-mail requests for personal and financial information.

The reply you get when you report a phishing attempt to the Anti-Phishing Working Group reads:

Thank you for your recent report of a phishing spoof email.

We attempt to analyze all reported phishing attacks and add the new ones to the Internet's most comprehensive Phishing Archive, www.antiphishing.org.

By detecting phishing attacks, educating users, and developing technology solutions, we hope to eliminate the threat of these email spoof attacks.

The Anti-Phishing Working Group is open to membership by qualified financial institutions, corporations, law enforcement agencies, public policy groups and solution vendors.

www.antiphishing.org

Exploding Phishes

This latest trick falls in line with growing amounts of data showing that online identity theft is an out-of-control problem. According to a recent FTC survey, 27.3 million Americans have been victims of identity theft in the last five years, and a whopping 9.9 million people joined this unfortunate list in just the last 12 months. "For several years we have been seeing anecdotal evidence that identity theft is a significant problem that is on the rise," said Howard Beales, Director of the FTC's Bureau of Consumer Protection, in announcing the survey results. "Now we know."

According to the Federal Trade Commission (FTC), the e-mails pretend to be from businesses the potential victims deal with - for example, their Internet service provider (ISP), online payment service or bank. The fraudsters tell recipients that they need to "update" or "validate" their billing information to keep their accounts active, and direct them to a "look-alike" Web site of the legitimate business, further tricking consumers into thinking they are responding to a bona fide request. Unknowingly, consumers submit their financial information - not to the businesses - but to the scammers, who use it to order goods and services and obtain credit.

To avoid getting caught by one of these scams, the FTC, the nation's consumer protection agency, offers this guidance:

  • If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
  • Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Report suspicious activity to the FTC. Send the actual spam to uce@ftc.gov. If you believe you've been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site (www.ftc.gov/idtheft) to learn how to minimize your risk of damage from identity theft.
  • Visit www.ftc.gov/spam to learn other ways to avoid email scams and deal with deceptive spam. The Federal Trade Commission works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.


NOTE: ALL information contained in this site is for illustration purposes only, and by NO means should be considered individual tax or legal advice under any circumstances whatsoever!

Lynn R. Siewert AIMC
Pension Consultant   |   Branch Manager
CA Insurance License #00B00579
2005 E. Evergreen Blvd
Vancouver, WA 98661

First Allied Securities
Securities Offered Exclusively Through
First Allied Securities, Inc.       Member NASD/ SIPC

All other products and services provided exclusively through Advanced Corporate Planning

This site is published for residents of the United States only. First Allied Securities' Financial Advisors may only conduct business with residents of the states for which they are properly registered. Therefore, a response to a request for information may be delayed. Please note that not all of the investments and services mentioned are available in every state. Investors outside of the United States are subject to securities and tax regulations within their applicable jurisdictions that are not addressed on this site. Contact your local First Allied Securities office for information and availability.

© 2006 Advanced Corporate Planning
All rights reserved