One month ago, I didn't even know "phishing" was a word; Merriam-Webster Online doesn't think it is a word either, which proves I was not too ignorant. Nevertheless, we had better know of its existence now so that we can avoid becoming the next victim.
In short, phishing attacks are fake emails that appear to come from well-known companies (mostly financial institutions), ask you to go to a web site to perform certain tasks, and in the process gain access to your confidential information, such as your password/PIN, credit card validation (CCV) code, credit card number, social security number and/or bank account number.
A typical phishing mail reads like this:
--------------------------------------
Dear Citibank Customer,
We recently noticed one or more attempts to log in to your Citibank
account from a foreign IP address and we have reasons to believe that
there was attempts to compromise it with brute forcing your PIN number.
No successful login was detected and you have full protection by now.
If you recently accessed your account while travelling, the unusual login
attempts may have been initiated by you.
The login attempt was made from:
IP address: 173.29.197.24
ISP Host: cache-0082.proxyserver.cis.com
By now, we used many techniques to verify the accuracy of the
information our users provide us when they register on the Site.
However, because user verification on the Internet is difficult, Citibank
cannot and does not confirm each user's purported identity. Thus, we
have established an offline verification system to help you evaluate with
whom you are dealing with. The system is called CitiSafe and it's
the most secure Citibank wallet so far.
If you are the rightful holder of the account, click the link bellow, fill
the form and then submit as we will verify your identity and register you
to CitiSafe free of charge. This way you are fully protected from fraudulent
activity on all the accounts that you have with us.
Click to protect yourself from fraudulent activity!
To make Citibank.com the most secure site, every user will be
registered to CitiSafe.
NOTE! If you choose to ignore our request, you leave us no choice but to
temporally suspend your account.
* Please do not respond to this e-mail, as your reply will not be received.
Regards, Citibank Customer Support
--------------------------------------
Pretty convincing, eh? If you click the link, you are redirected to a perfect replica of the Citibank online banking site, where unsuspecting consumers can easily surrender their account login and password.
More phishing mail examples can be found on the website of the Anti-Phishing Working Group (APWG).
According to CardWeb, there were more than 1,000 phishing attacks in the month of June. These scammers reportedly succeed in persuading up to 5% of recipients to respond to such emails.
So much for the information I have read; here are some of my personal notes on phishing:
- If an email looks like it is from Citibank, that does not mean it IS from Citibank. In the email world, anyone can forge the sender information, thanks to shortcomings in the email protocols people designed in the early days of the Internet. If you are not sure, always call the company to verify. Most of the time, simply ignoring the mail does less harm than following its instructions.
- I almost became a victim of a phishing attack once. The mail appeared to come from PayPal and asked me to sign in to verify my identity because of some recent "suspicious activities." I followed the link and signed in, but I took a second look five minutes later and noticed that the URL I had gone to did not belong to PayPal. I immediately went to the real PayPal site and changed my password.
- You might notice that very few phishing mails target Discover customers. Not coincidentally, the official online site of Discover Card is https://www.novusnet.com/, which does not appear to have any association with Discover. (Rest assured, I am not phishing you.) I cannot say whether this is a good strategy for Discover or not; I would be a little confused if the real Discover asked me to go to novusnet.com for online banking.
- Many big names like Microsoft, RSA, Experian and Verisign are standing behind APWG, but I doubt we can stop phishing attacks through technology alone. At the end of the day, you are the best and last defense for your identity in this online world.
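The "second look at the URL" that saved me in the PayPal story can be automated. The following is an added example (my own illustration, not code from APWG or any bank) that pulls the links out of a mail body and flags every one whose host is not the brand's real domain; the sample mail and the `.example` host are constructed, and the list of legitimate domains is an assumption you would maintain yourself.

```python
import ipaddress
import re
from typing import Iterable
from urllib.parse import urlsplit

# Crude matcher for http(s) links in a plain-text mail body.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_belongs_to(url: str, legitimate_domains: Iterable[str]) -> bool:
    """True only if the link's host is one of the given domains or a
    subdomain of one. Lookalikes such as paypal.com.evil.example,
    user@ tricks (www.paypal.com@evil.example) and bare IP hosts all fail."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; userinfo and port already removed
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # a numeric address is never the bank's brand site
    except ValueError:
        pass
    host = host.rstrip(".")  # "paypal.com." is the same host as "paypal.com"
    for domain in legitimate_domains:
        domain = domain.lower().strip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False

def suspicious_links(body: str, legitimate_domains: Iterable[str]) -> list:
    """Return every link in the mail body that does not belong to the
    domains the sender claims to represent."""
    legitimate = tuple(legitimate_domains)
    found = [m.rstrip(".,;:)") for m in URL_RE.findall(body)]
    return [u for u in found if not link_belongs_to(u, legitimate)]

# Constructed sample in the style of the PayPal mail described above;
# the .example host is a reserved placeholder, not a real site.
SAMPLE_MAIL = """Dear PayPal Customer,
We noticed suspicious activity on your account. Sign in at
https://www.paypal.com.verify-login.example/signin to confirm your identity.
Questions? Visit https://www.paypal.com/help."""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MAIL, ("paypal.com",)):
        print("does not belong to PayPal:", link)
```

Note that the Discover case above falls out naturally: https://www.novusnet.com/ fails the check unless novusnet.com is on your list, which is exactly why a legitimate-but-unrelated domain is confusing for customers.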