Ramasastry: Hooking phishermen
By Anita Ramasastry, FindLaw.com
Phishing is a particularly pernicious type of Internet identity
theft scam. So far, little has been done to stop it. But that
will change if a promising new anti-phishing bill introduced by
Senator Patrick Leahy becomes law.
Phishing works through deception. An Internet user receives an
official-looking e-mail that purports to have been sent by a familiar
business or organization, such as an Internet service provider (ISP),
a bank, an online payment service, or even a government agency. The
user reads the message because it looks official.
The message says that the Internet user needs to "update"
or "validate" his account information by clicking on
a given link -- or else some dire consequence, such as suspension
of the user's account, may occur.
The link takes the user to a copycat web site that looks very
much like the site of the business or organization mentioned in
the e-mail.
The user is asked to input personal and confidential information,
such as a credit card number, user name, or password, for the supposed
"update" or "validation" of his or her account
information. But that information will actually be used for identity
theft.
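The lure mechanics just described (a sender that invokes the brand, a link whose visible text differs from its real destination, and a deadline threat) can be checked mechanically. The following is an added example, not code from the article or from the APWG: the two messages are constructed, "examplebank.com" stands in for the impersonated brand, and the sender domain and the 198.51.100.7 host are documentation placeholders.

```python
"""Flag the deception cues of a phishing lure (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure. "examplebank.com" is the impersonated brand; the
# sender domain and 198.51.100.7 are placeholders, not addresses from the article.
SAMPLE_LURE = """\
From: "ExampleBank Security" <alerts@mail-examplebank-verify.net>
Subject: Action required: validate your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended unless you validate it within 24 hours.</p>
<p>Click <a href="http://198.51.100.7/examplebank/login.php">https://www.examplebank.com/secure</a> to continue.</p>
<p><a href="https://www.examplebank.com/privacy">Privacy policy</a></p>
</body></html>
"""

# Constructed benign notice from the genuine domain, for contrast.
BENIGN_NOTICE = """\
From: "ExampleBank" <alerts@examplebank.com>
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement is ready. <a href="https://www.examplebank.com/statements">View statement</a></p>
</body></html>
"""

URGENCY_PHRASES = ("suspend", "validate", "update", "verify", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def host_in_text(text):
    """Host named by anchor text that itself looks like a URL, else ''."""
    if "://" in text:
        return host_of(text)
    if text.lower().startswith("www."):
        return host_of("http://" + text)
    return ""


def on_domain(host, domain):
    """True if host is the brand's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_lure(raw_message, trusted_domain):
    """Return findings explaining why the message looks like a phishing lure."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    findings = []

    # 1. Display name invokes the brand while the address domain is not the brand's.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if trusted_domain.split(".")[0] in name.lower() and not on_domain(from_domain, trusted_domain):
        findings.append(f"sender '{name}' uses off-brand domain {from_domain}")

    # 2. Visible link text shows the brand's URL but the href goes elsewhere;
    #    also any link that leaves the brand's domain (including a bare IP).
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host, text_host = host_of(href), host_in_text(text)
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and not on_domain(href_host, trusted_domain):
            findings.append(f"link to non-brand host {href_host}")

    # 3. Threat-and-deadline language typical of the lure.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", BENIGN_NOTICE)):
        print(label, analyze_lure(sample, "examplebank.com"))
```

Run as-is, the lure yields four findings (off-brand sender domain, text/href mismatch, a link to a bare IP, and urgency phrases) while the benign notice yields none. The text/href comparison is the check a mail client's status bar would let a careful user make by hand; automating it is what catches lures that are otherwise letter-perfect.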
According to an industry consortium, the Anti-Phishing Working
Group (APWG), the word "phishing" comes from an analogy:
Internet fraudsters use e-mail lures to "fish" for confidential
passwords and financial data from a "sea" of Internet
users.
Apparently, the term "phishing" was coined around 1996
by hackers who were stealing America On-Line Internet accounts
by getting unsuspecting AOL users to divulge their passwords.
The first Internet mention of phishing was reportedly on the
alt.2600 hacker newsgroup in January 1996. However, the term may
have been used even earlier in the printed edition of the hacker
newsletter "2600".
APWG also notes: "by 1996, hacked accounts were called 'phish',
and by 1997 phish were actually being traded between hackers as
a form of currency. People would routinely trade 10 working AOL
phish for a piece of hacking software that they needed."
Hackers commonly replace the letter "f" with "ph"
-- for instance, the original form of hacking, done by phone,
was known as "phreaking." Hackers used a special blue
box that emitted tones to control the phone switches. Through
phreaking, they could make long distance calls for free, or bill
calls to someone else's phone number.
Sophisticated phishers
Phishing has been thriving. According to the APWG, there were
1,422 separate phishing scams in June. This was a 52 percent increase
from May. (500 of these attacks targeted Citibank.) And according
to Leahy, during the last 12 months alone, estimated losses exceeded
$2 billion, and the losses continue to mount.
Phishing attacks have also grown more sophisticated. Rather than
stealing passwords to access the Internet for free, scam artists
are now engaged in large-scale identity theft. Early phishing
attacks were by novices, but there is evidence now that some attacks
are staged by organized criminal enterprises.
Phishing attacks now target users of online banking, payment
services such as PayPal, and online e-commerce sites, such as
eBay. Since August 2003, most major banks in the USA and the UK,
for example, have been the targets of phishing attacks.
Educating Internet users is not a complete solution.
Readers who are sophisticated about the Internet may assume that
"phishing" may die of its own accord, as more and more
Internet users get wise to the trick. And it's probably true that,
as awareness of phishing grows among consumers, law enforcement
and web hosting services, the incidence of phishing may shrink.
But getting rid of phishing through education alone may well
be difficult to impossible. And new or technology-naive
Internet users may always be easy pickings for phishers. Even
the savvy may sometimes be fooled. Phishers are getting better
and better at mimicking genuine e-mails and websites. Where e-mails
and websites were once suspicious-looking -- rife with misspellings
or devoid of convincing corporate logos, and so on -- that is
no longer always true.
In fact, there is an Internet quiz designed to test a user's
phishing IQ, which makes this point very well.
Sometimes there's no way -- short of picking up the phone --
for users to verify whether a given e-mail came from their bank
or not, beyond checking the return address (which can be forged).
If a customer has no reason to think the e-mail is fraudulent
in the first place, they aren't likely to spend the time tracking
down someone at the bank or Internet retailer to check its authenticity.
Many customers may not want to spend hours on hold or navigating
a series of telephonic prompts when trying to get through to a
specific company.
Even now, although phishing has existed since 1996, one in twenty
Internet users may fall prey. According to a study by the APWG,
by hijacking the trusted brands of well-known banks, online retailers,
ISPs and credit card companies, phishers are able to convince
up to 5% of recipients to respond to them.
With the cost of sending bulk e-mail very low, that's a high
return rate for the phishers. After all, one successful phishing
expedition can mean they strike gold: Consumers suffer credit
card fraud, identity theft, and financial loss.
Why phishers are rarely caught
The fraud can be perpetrated very quickly, and afterward, the
perpetrator can "vanish" into cyberspace.
The phony websites typically migrate from one server to another
very rapidly -- in an effort to stay a step ahead of ISPs and
law enforcement.
In one scam documented by the APWG, the perpetrators operated
a spoofed web page on seven different servers over a period of
just 12 days. And the servers were all over the globe -- including
four in Korea, two at American ISPs, and one in Uruguay.
The average phishing web site is online for only about 54 hours,
according to June data from the APWG. Some sites, however, have
been able to remain online for more than two weeks before being
shut down or abandoned.
Existing federal laws do criminalize phishing -- but mainly after
the damage is done, when a consumer has already been defrauded
as a result of the phishing. Those measures include the laws against
wire fraud, identity theft, credit card fraud, and computer fraud,
and a number of trade laws -- and may even encompass the new federal
CAN-SPAM Act.
However, enforcement actions have been relatively few.
In 2003, the Federal Trade Commission brought a civil enforcement
action against a person who engaged in phishing -- sending e-mails
pretending to be from AOL that directed users to an "AOL
billing page." He used the information users entered to charge
online purchases and open accounts with PayPal.
Perhaps in part because of his age, the defendant in that case
got off lightly. He was barred from sending spam in the future
and was ordered to relinquish $3,500 of his "ill-gotten gains."
The agency charged that the defendant's practices were deceptive and
unfair, in violation of the FTC Act. In addition, the FTC alleged
that the defendant's practices violated provisions of the Gramm-Leach-Bliley
Act, which is designed to protect the privacy of consumers' sensitive
financial information.
More recently, the FTC and the DOJ took actions to shut down
a phishing operation run by Zachary Keith Hill of Houston, Texas.
The operation hijacked logos from AOL and PayPal in order to con
hundreds of consumers into providing credit card and bank account
numbers. DOJ obtained a criminal conviction, and Hill is awaiting
sentencing.
In addition, President Bush recently signed legislation to increase
penalties for identity theft-related crimes. The Identity Theft
Penalty Enhancement Act (ITPEA) establishes a new crime of "aggravated
identity theft." This is defined as using a stolen identity
to commit other crimes -- and phishing would certainly qualify.
Convictions for aggravated identity theft -- including phishing
-- would carry a mandatory two-year prison sentence.
No need to wait for phishers to strike
The government's current approach consists of waiting for a person
to be victimized before bringing a prosecution or other enforcement
action against the phisher.
So even if the savvy reader who opens a phishing e-mail forwards
it to the FTC or DOJ, enforcement won't happen until a later,
naïve reader opens the e-mail and falls victim to the scam.
Also, the savvy and naïve reader alike may suffer a harm
from phishing: a diminished trust in the Internet's system of
addressing and linking.
Senator Leahy has noted that trust in this system is crucial
to the Internet fulfilling its potential as a medium for all manner
of secure communications. Yet current law fails to protect against
this harm.
That's where Leahy's Anti-Phishing Act of 2004, introduced last
week, comes in. It targets the entire scam, all the way from sending
the e-mail to creating fraudulent sites. And it averts free speech
issues by exempting parodies and political speech (via e-mail
or on websites) from its reach -- and by stipulating that the
perpetrator must have the specific criminal purpose of committing
a crime of fraud or identity theft.
The Act is smart because it criminalizes the bait -- not just
successful phishing. It makes it illegal to knowingly send out
spoofed e-mail that links to sham websites, with the intention
of committing a crime. And it criminalizes the operation of the
sham websites that are the locus of the wrongdoing.
If the bill were to become law, then each and every element of
the scam would become a felony subject to five years in prison
and/or a fine up to $250,000.
Other measures in the works
Even if the Anti-Phishing Act becomes law, it won't clear the
Internet "sea" of all phishermen.
Many phishers appear to send their e-mails from overseas, and
it may be difficult to prosecute persons who reside offshore.
And finding quickly-vanishing websites and phishers -- who may
take advantage of Internet anonymity -- may be time-consuming,
costly, and in some cases futile.
The computer industry is hard at work on new technological solutions
to the problem. Anti-virus and anti-spam companies are trying to
add additional filters to their programs to target these e-mails
-- but the challenge is to filter out only the fakes, not legitimate
communications consumers have signed up to receive.
Meanwhile, security experts predict that we may be months, or
years, away from implementing more extensive e-mail authentication
measures. So for now, the Internet's waters still aren't entirely
safe to swim in.
Anita Ramasastry is an Associate Professor of Law at the University
of Washington School of Law in Seattle and a Director of the Shidler
Center for Law, Commerce & Technology.
Solve the problem of identity theft if your wallet was stolen

Was your wallet lost, or maybe you were pickpocketed? The crooks didn't
care that much about your cash or your credit cards; everyone knows to cancel
them. Credit card companies provide continuous fraud monitoring for
misuse of credit cards. They also provide their clients with zero liability
if they are a victim and contact them right away. However, losses from
debit cards are a different matter and may become your responsibility.
Reduce the stress of dealing with the theft

So if the credit card companies provide relief and monitoring, why would
you need this service? Because what the crooks will do is get hold of
someone like a utility company and tell them "I've moved, here is my new
address". The utility company will say "prove who you are".
Of course that is easy for your crook; they stole everything they need
from you. When they get a bill with the new address, they will open
up new credit cards after the limited fraud alert is removed from your
account.

Of course, when they don't pay the bills, the banks will hand the account
over to a collection agency. The collection agency will find you and start
harassing you, and of course they will turn a deaf ear to your complaints
about identity theft. They are working on commission and will certainly sue
you, because they know paying their bill is cheaper than hiring a lawyer.

How do you stop this? Who do you call, where should you write, do you send
it registered or certified? We can help because we have this all organized
and automated. We will prevent your identity from being stolen, and we will
do it quickly and easily. We exist to help you solve this problem, and our
Better Business record proves it.
This is the total price; there is no set-up fee and there is no monthly
charge.

Product Pricing        Single     Couple     Household
Prevention Service     $99.95     $124.95    $149.95

Checks, credit and debit cards plus PayPal are all accepted on the cart.
No recurring fees or charges; this is the full price and the service is
guaranteed.
This is a guaranteed service!

We will prevent debit, credit or ATM card accounts being set up by others
using your good name and your good credit.
We will prevent identity crooks from redirecting your bank, debit/ATM card,
and credit card statements.
We will prevent thieves from changing your address with any other creditors.
We will assist you with the police regarding warrants.
If a collection agency starts harassing you for debt, we will assist you and
stop them.
You will also receive a comprehensive monitoring system to ensure that you
are receiving all of your statements and your credit reports in a timely
manner.
You will receive a complete system for checking on the four (not three)
credit bureaus so you receive credit reports on a regular basis.