Tricks of the Trade
April 1, 2005
What hope do we have against the evil phishers if the programs designed to protect us don't work?
Phishing, the art of duping users into giving up passwords, PINs and bank-account details via ingenious e-mails, is the fastest growing scam on the Internet. In the first week of October 2004, the Anti-Phishing Working Group, one of several industry bodies formed to address the issue, reported catching a whopping 161 different phishing scams. In the last week of January this year, the group identified more than 950. I could find seven references in the main print media to phishing in 2002; the next year there were 406. In 2004 there were 10 times that number. That's a lot of scams, and a big jump in column inches (many of which were contributed by yours truly). So, surely, we're finally winning against these guys? Surely we know all their tricks, and can avoid them?
Sadly not. Between $100 million and $1.2 billion has been lost globally to phishing attacks in the past year or so, depending on whom you believe. That's a lot of cash. Especially if it's yours. There are bad people out there and they are smarter than most of the people holding your money. And, perhaps more important, smarter than most of the people promising to protect you.
Here's an example of why. Last month, I received an e-mail purporting to be from the U.S.-based Charter One Bank, now owned by Citizens Financial Group Inc. I have accounts at neither, but apart from that I could find little in the e-mail to indicate that it was fraudulent. The link I was being asked to click on -- usually the suspicious part of the e-mail -- went to Charter One's real Web site, and, although the address was long, it didn't raise any serious question marks. As a result, clicking on the link in the e-mail message took me to a Web site that was clearly legit. Nothing about the site looked dodgy, although the form, requesting my banking details, passwords and PINs, didn't quite square with what I knew about banking security. Banks don't usually ask us to input all that stuff online, after all. But this was the bank's own Web site, for goodness sake.
Without Warning
This is scary enough: If I'm looking hard at a Web site and I can't tell whether it's legitimate or not, what hope does my Auntie Ethel have? But that isn't the scariest bit. To be certain, I fired up some toolbars -- pieces of software that latch onto my Internet browser and warn me if something is amiss with a Web site. These toolbars look at the site you're trying to visit and will peer closely inside the link to see whether it's what it says it is. Four of the toolbars reported back that I was indeed at Charter One's Web site. But, and here's the rub: I wasn't OK. I was looking at a scam Web site within a legitimate site, fooling the toolbars, and nearly fooling me.
This, for those of you interested, is called script injection (security people also file it under cross-site scripting, or XSS). What the scammer has done is to exploit a hole elsewhere on the Charter One site, which allows him or her to inject a small window, or frame, into the Charter One page. That frame contains the form requesting all my details. While the form itself is loaded from somewhere else, it sits inside a genuine Charter One page, so as far as I'm concerned it looks like an honest banking Web page. And, scarily, because the address in the browser really was Charter One's, that is also the conclusion of four out of the five anti-phishing toolbars I relied on. Only one, from United Kingdom-based Internet security company Netcraft Ltd. (www.netcraft.co.uk), threw up a warning message. The rest would have allowed me to breezily fill in my account details.
So what does this tell us? First off, phishers are smart and we are dumb. This weakness in the code that programmers use to build Web sites isn't new, and banks have known about it for a while. Netcraft's Internet services developer, Paul Mutton, tells me that he had notified Charter One about this hole a week earlier but the bank apparently didn't take any action. (Charter One didn't respond to my e-mail requests for comment, although the hole was removed shortly after I notified the bank about it.) Banks have got to be smarter about this, and realize that they must constantly monitor their own Web sites to see whether they are vulnerable.
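To make the two points above concrete -- how a hole in the bank's own site lets a scammer plant a frame on a legitimate page, and why a toolbar that only checks the address waves it through -- here is an added example. It is not code from the column, from Charter One or from Netcraft; the site, the query parameter, the attacker's host name and the crafted link are all made up for illustration, and the "toolbar" functions are simple models of the two kinds of check, not any real product's logic.

```python
"""Added illustration of a reflected script-injection hole and two kinds of
anti-phishing check. Hosts, URLs and the 'msg' parameter are invented."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

BANK_HOST = "www.example-bank.test"       # stand-in for the bank (assumption)
ATTACKER_HOST = "harvest.attacker.test"   # stand-in for the scammer's server (assumption)


def _msg_param(url: str) -> str:
    """Pull the (invented) 'msg' query parameter out of a URL, decoded."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """The hole: the page echoes a query parameter straight into its HTML.
    Anything the link carries, including a <iframe>, becomes part of the
    bank's own page."""
    return f"<html><body><h1>Example Bank</h1><p>{_msg_param(url)}</p></body></html>"


def render_hardened(url: str) -> str:
    """The fix: HTML-escape the parameter so markup in it is shown as text."""
    safe = html.escape(_msg_param(url), quote=True)
    return f"<html><body><h1>Example Bank</h1><p>{safe}</p></body></html>"


class _FrameFinder(HTMLParser):
    """Collects the host of every <iframe>/<frame> src in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.hosts: list = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src") or ""
            self.hosts.append(urlsplit(src).hostname)


def foreign_frame_hosts(page_html: str) -> list:
    """Hosts of frames on the page that are NOT the bank's own host."""
    finder = _FrameFinder()
    finder.feed(page_html)
    return [h for h in finder.hosts if h and h != BANK_HOST]


def naive_toolbar_verdict(url: str) -> str:
    """Models a toolbar that only asks 'is this really the bank's address?'"""
    return "legit" if urlsplit(url).hostname == BANK_HOST else "suspicious"


def content_aware_verdict(url: str, page_html: str) -> str:
    """Models a check that also looks at what the page actually loads."""
    if naive_toolbar_verdict(url) != "legit":
        return "suspicious"
    return "suspicious" if foreign_frame_hosts(page_html) else "legit"


# The scammer's link: a real bank address carrying an injected frame whose
# form is served from the scammer's host (constructed example).
PHISH_URL = f"https://{BANK_HOST}/notice?msg=" + quote(
    f'<iframe src="https://{ATTACKER_HOST}/update" width="600" height="400"></iframe>'
)


def run_scenario(url: str = PHISH_URL) -> dict:
    """Returns the verdicts a reader would want to compare side by side."""
    vuln_page = render_vulnerable(url)
    fixed_page = render_hardened(url)
    return {
        "address_only": naive_toolbar_verdict(url),
        "content_aware_before_fix": content_aware_verdict(url, vuln_page),
        "content_aware_after_fix": content_aware_verdict(url, fixed_page),
        "frames_before_fix": foreign_frame_hosts(vuln_page),
        "frames_after_fix": foreign_frame_hosts(fixed_page),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The address-only check says "legit" both before and after the fix, because the host name in the link really is the bank's; only the check that looks at what the page loads notices the frame coming from another host, and only the escaping fix makes the frame disappear. The same `foreign_frame_hosts` scan, run over a site's own pages with test payloads in each parameter, is the kind of routine self-monitoring the paragraph above asks banks to do.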
Simple Safeguards
This is just the beginning: Institutions will eventually have to figure out more secure methods of protecting the assets of their customers, and of communicating with them. It's no good telling customers that they'll never be asked to give away personal details online because phishing scams are ingenious enough to bypass that with a plausible explanation: In the Charter One case, by connecting the request for a record update with last year's purchase of the company by Citizens Financial Group.
Lastly, don't trust software to keep you safe. Anti-phishing toolbars might be a good idea as an initial line of defense. But, as my tale illustrates, they aren't foolproof. This script injection was just one breach in what will be an increasingly sophisticated online war. Phishers will get smarter, leaving us confused and anxious.
My advice: Educate yourself, if you can, about what is happening. Download the Netcraft toolbar. If that all seems a tad overwhelming, follow some simple rules: Don't respond to any e-mail, click on any link or open any attachment until you've picked up the phone and called the institution involved.
And, finally, always bear in mind that only a fool will offer you foolproof protection from scammers.