April 13, 2005 2:30 PM PDT

Bigger phishes ready to spawn

(continued from previous page)

mimicked antiphishing missives sent out from eBay and other companies, telling recipients that eBay would never ask for personal information in an e-mail and inviting them to log onto the company's site for more details.

By inserting the attempt among legitimate sites and incorporating antifraud rhetoric, phishers could pull in more targets, said Dan Ashby, a senior vice president at Mail-Filters.


"If a user clicked every link in the e-mail except the phishing link, they'd be taken to real eBay pages, some of which even offered advice on fighting phishing," Ashby said. "But all these guys need is for someone to become less observant and click that one fraudulent link and sign in, and the result would be the same. Phishers are getting smarter, and it's going to get even harder to separate real messages from the companies you do business with from the more advanced phishing schemes."

Pushing the tech envelope
Online criminals have also begun adopting more-advanced technology. These more-sophisticated phishing methods range from the relatively simple (such as using unprotected URLs maintained by real businesses to redirect users to phishing sites) to the extreme (such as using JavaScript code to add content on top of legitimate pages, a practice known as cross-site scripting).
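The "every link but one is real" e-mail Ashby describes above, and the abuse of a business's own redirect URLs mentioned in this paragraph, can both be caught with a simple defender-side link triage. The following is an added example, not code from the article or from Mail-Filters or Netcraft; the e-mail body is constructed, the brand domain ebay.com is taken from the article, and the hosts under `.test` are placeholders.

```python
# Added example: flag links in an HTML e-mail that do not belong to the
# brand the message claims to come from, plus links on the brand's own
# domain whose query parameter points to another host (open-redirect style).
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def _host_on_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def triage_links(html, brand_domain):
    """Return (total_links, findings); findings is a list of (href, reason).
    Relative hrefs have no host and are reported as off-domain as well."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        u = urlparse(href)
        host = u.hostname or ""
        if not _host_on_domain(host, brand_domain):
            findings.append((href, "off-domain host: %s" % host))
            continue
        # Legitimate host, but a parameter carries a URL to somewhere else.
        for key, values in parse_qs(u.query).items():
            for v in values:
                target = urlparse(v).hostname
                if target and not _host_on_domain(target, brand_domain):
                    findings.append((href, "redirect param %s -> %s" % (key, target)))
    return len(parser.hrefs), findings

# Constructed sample: three real-looking eBay links, one lookalike host,
# one redirect through the brand's own domain.
SAMPLE_MAIL = """<html><body>
<p>eBay will never ask for your password in an e-mail.</p>
<a href="http://pages.ebay.com/help/antiphishing">Spoof tutorial</a>
<a href="https://www.ebay.com/help/">Help</a>
<a href="http://www.ebay.com.example.test/signin">Sign in to verify your account</a>
<a href="http://cgi.ebay.com/redirect?url=http://example.test/signin">Verify now</a>
</body></html>"""
```

Running `triage_links(SAMPLE_MAIL, "ebay.com")` reports the lookalike host and the redirect parameter while the two genuine links pass.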

In one style of attack, which has earned the nickname "pharming," online thieves try to redirect people from legitimate sites to malicious ones using "DNS poisoning." The scammers target the servers that act as the white pages of the Internet--a key part of cyberspace that's known as the domain name system, or DNS--and replace the numeric addresses of legitimate Web sites with the addresses of their malicious sites.

There is evidence that when a new form of phishing is reported, another variation on the theme appears, as criminals try to stay one step ahead of the law. For instance, shortly after cross-site scripting began to garner media coverage, researchers at Internet security company Netcraft saw some fraudsters loading their content into inline frames on Web pages, which would allow attackers to victimize people who had disabled JavaScript to protect themselves.

This sort of rapid adjustment is proof that more professional criminals and technologists have turned their attention to phishing, according to Paul Mutton, Internet services developer at Netcraft.

"The work has been getting much more professional over the last six months," Mutton said. "The attacks include a lot more clever tricks, like cross-site scripting, and other things that try to exploit browser vulnerabilities. The redirect sites might not be as technologically advanced as scripting, but they're probably easier to set up and run, so there's a lot of thought going into this on the part of the thieves."

The answer for now is to continue to educate businesses and consumers about the problem, the Anti-Phishing Working Group believes. The group hopes that better collaboration between the companies being targeted, law enforcement officials and government regulators will soon create better resources for fighting phishing.

"We need more industry cooperation about sharing information on attacks in a rapid manner--about where these attacks are coming from, about correlating that data, and taking the sites down," Jevans said. "We need better communication with law enforcement. Those guys are not yet equipped to deal with this stuff--they're focused on fraud in the real world. Tracking down (online) criminals is a lot different. There's no warehouse full of stolen goods when you're talking about information."

Without this collaboration, and even with better industrywide resources, phishing is a problem that's only just begun to rear its head, Jevans added.

"It's fair to say that there's no end in sight right now," he said. "Phishing will get worse--it's almost a certainty."



Bigger Phishes ready to spawn
This well-written article was especially timely for me to have read. I sent it to my bank and all I thought needed to be alerted to the requirement of ever vigilant preparedness and acuity of this danger to all in every aspect of cyberspace. I only hope there can be appropriate penalties paid by those who would defraud, rob, and swindle using the internet.
Thank you for helping keep us alert and informed.
Posted by hoboso (1 comment )
'nuf said
Posted by qazwiz (208 comments )