April 13, 2005 2:30 PM PDT

Bigger phishes ready to spawn

(continued from previous page)

recipient logged onto a Web page and entered an account name and password, according to people familiar with the phishing attempt. Salesforce.com declined to comment.

Armed with that type of information, an individual could conceivably make off with a company's most valuable proprietary data. The criminal possibilities ranged from selling off closely guarded customer information to marketers to committing online industrial espionage.

Security experts say online criminals are becoming more savvy in the way they choose targets.

"We're seeing attempts to steal corporate intranet logon information," said Dave Jevans, the chairman of the Anti-Phishing Working Group.

Many types of phishers in the sea

Criminals have adopted a range of strategies to try to part online consumers from their personal data.

E-mail phishing
Crooks send out fraudulent e-mails that look like they come from legitimate sources and ask people to click through to spoofed versions of company Web sites.

Online thieves redirect people from legitimate sites to malicious ones, mainly using a "DNS poisoning" technique. Thieves target domain name servers--the white pages of the Internet--and swap out the numeric addresses of the Web sites.

IM phishing
Fraudsters distribute IM messages that contain links to fake Web sites. The messages are crafted to look like they come from a known contact on an individual's IM buddy list.

Cross-site scripting
Tech-savvy criminals use JavaScript code to put their content on top of legitimate pages--most often, the Web sites of banks. Commonly, they insert a fake customer login box meant to steal password data.

URL hijacking
Opportunists find and exploit unprotected URLs maintained by real businesses to redirect users to phishing sites.

"With that sort of information, you're talking about a total security breach, getting into a company's network," Jevans said. "And that information is valuable to a lot of people, especially hackers. When you consider the big picture, phishing is getting even more painful right now."

Attacks designed to hit specific groups of people who hold valuable information will likely increase, said Jayne Hitchcock, a cybercrime specialist who advises law enforcement agencies and company executives about online fraud. Hitchcock also is author of the book "Net Crimes & Misdemeanors: Outmaneuvering the Spammers, Swindlers and Stalkers Who Are Targeting You Online."

"Sending a phishing e-mail out to everyone on the Web has had some effect, but not the kind of impact you imagine that some of these more custom-made attacks might have," Hitchcock said. "When you know that a certain group behaves a certain way, or is accustomed to getting information from a known source over e-mail, there's a greater opportunity to play on people's habits and get them to hand over the goods."

Schemes that use instant-messaging services rather than e-mail to distribute fake links are another new way of phishing, Hitchcock said. She pointed to an attack launched via Yahoo Messenger last month as an example. The messages often appear to be sent to IM users from someone on their contact list. Teenagers in particular are among those that could be successfully hooked by such bait, she said.

"The message is coming to them from someone on their buddy list," Hitchcock said. "That's a different level of threat than an e-mail sent from someone you don't communicate with on that medium, and it presents a much greater risk as well. Our research tells us that teens are fast and loose on the Internet and will share information more readily than most adults, so their information could get out via something like IM phishing and ruin their credit before they even get started in life."

Another twist on the old formula keeps the tried-and-true e-mail messages but hides a spoofed URL in a legitimate Web site address.

In one case, antispam technology specialist Mail-Filters detected a phishing attempt that listed one fake eBay Web page among a number of real URLs hosted by the online auctioneer. The message also

Previous page | CONTINUED:
Page 1 | 2 | 3


Join the conversation!
Add your comment
Bigger Phishes ready to spawn
This well written article was especially timely for me to have read. I sent it to my bank and all I thought needed to be alerted to the requirement of ever vigilent preparedness and acuity of this danger
to all in every aspect of cyberspace. I only hope there can be appropriate penalties paid by those who would defraud, rob, and swindle using the internet.
Thank you for helping keep us alert and informed.
Posted by hoboso (1 comment )
Reply Link Flag
'nuf said
Posted by qazwiz (208 comments )
Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.