PHISING-THE NEW ONLINE CYBERCRIME
Karnika Seth – Cyber lawyer & Consultant practicing in the Supreme Court of India and Delhi High Court
THE MEANING OF PHISING
In the cyber-world phising (also known as carding and spoofing) is a form of illegal act whereby fraudulently sensitive information is acquired, such as passwords and credit card details, by a person/entity masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or instantaneous communication.
ORIGIN OF PHISING
Early attempts were made at phising in 1990s when offenders originally created on AOL accounts with fake, algorithmically generated credit card numbers – these accounts could last weeks or even months until new ones were required. AOL subsequently, brought in measures in late 1995 to prevent this, so early AOL crackers resorted to phising for legitimate AOL accounts.
Phising on AOL was closely linked with the warez community that exchanged pirated software. For instance, a cracker might pose as an AOL staff member and send an instant message to a potential victim, asking the victim to reveal his or her password. Later, AOL’s policy enforcement with respect to phising and warez became stringent and removed pirated software off AOL servers. AOL simultaneously developed a system to quickly deactivate any account involved in phising besides adopting other steps to combat this form of cyber fraud.
Of late, more recent phising attempts have been witnessed in relation to the customers of banks and online payment services. Such targeted versions of phising have been termed as spear phising.
STRONG INDICATORS OF PHISING ATTEMPTS
” If an e-mail addresses a user in a generic fashion (“Dear valued eBay member”) it is likely to be an attempt at phising.
” The appearance of links in the message- e.g the link http://firstname.lastname@example.org/ may deceive a casual observer into believing that the link will open a page on www.google.com, whereas the link actually directs the browser to a page on members.thinkbank.com.
” Misspelled URLs or the use of subdomains are other common tricks used by phishers ,e.g URL, http://www.namebank.com.example.com
” Cross site scripting- In this attack method users may receive a message saying that they have to “verify” their account, by following a link to what appears to be an authentic website; in reality, the link is forged, although it is very difficult to spot that the link is manipulated to perpetrate this attack.
” Internationalised domain names in web browsers might allow visually identical web addresses to lead to different, possibly malicious, websites
ESTIMATE OF FINANCIAL LOSSES DUE TO PHISING
It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phising, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD each year as their clients become victims to the phising activity.
The U.K also suffers from the drastic increase in phising activity. In March 2005, the amount of losses suffered by victim clients in the UK was approximately £504 million GBP.
There are various strategies being adopted nowadays to combat phising, including drafting of specific legislation and devising of special technology targeted to tackle phising.
Technology based anti-phising strategies
” Training users how to identify and deal with phising attempts.
” Use of anti-phising software programs-The programs work by identifying phising contents on websites and e-mails.
” Use of Spam filters which also help protect users from phishers
” Some organizations have introduced unique verification tools like challenge questions, secret images which serve purpose of a verification password
Judicial and Legislative Anti-phising Initiatives
On January 26,2004, the Federal Trade Commission filed the first lawsuit against a suspected phisher. The defendant, a Californian teenager, allegedly created and used a webpage designed to look like the America Online website, so that he could steal credit card numbers and commit online fraud.
Microsoft is also taking effective steps to tackle the problem of phising. On March 31,2005, Microsoft filed 117 federal lawsuits in the U.S District Court for the Western District of Washington. The lawsuits accuse “John Doe” defendants of using various methods to obtain passwords and other secret user information.
In late March 2005, a 24-year-old Estonian man was arrested for using a Trojan Horse, installed after victims visited his fake website, which used a keylogger that subsequently allowed him to monitor users’ typing.
Recently Valdir Paulo de Almeida was arrested , for leading one of the largest phising crime rackets, which in 2 years stole between $18 and $37 million USD.
UK authorities jailed two men in June 2005 for their role in a phising scam, in a case connected to the USSS Operation Firewall, which targeted notorious “carder” websites.
In the United States, Democrat Senator Patrick Leahy introduced the Anti-phising Act of 2005 on March 1,2005. The federal anti-phising bill proposes that those criminals who create fake web sites and spam fake e-mails in order to defraud consumers could be imposed a fine up to $250,000 and a jail terms of up to five years.
Phising is a new kind of cybercrime and method of committing online financial fraud. It demonstrates the high risk involved in communicating personal or confidential data, such as account numbers, credit card numbers or identity card numbers, via the Internet without being certain that the actual addressee is one’s familiar institution.
It is advisable to adopt reliable and secure technology based anti phising tools and mechanisms and to gain general awareness on identifying and dealing with phishers Recent Legislative and Judicial initiatives visavis anti-phising are a step in the right direction and will help to strongly safeguard and protect interest of the Internet users and deter possible offenders from committing phising or similar online frauds.
*Karnika Seth is a practising Advocate in the Supreme Court of India and the Delhi High Court and is a Counsel and legal advisor to both Foreign and Indian Clients in the field of Intellectual Property Rights, Cyberlaws, Information Technology and InternationalTrade.
Ms. Seth is a Visiting Lecturer to the Indian Law Institute and the Amity law School, New Delhi where she teaches specialized courses in Cyber laws and Intellectual Property Rights. She has been invited as a Guest speaker to deliver presentations on issues relating to Internet/cyberlaws and Intellectual property by the Indian Council of Arbitration ,Amity Law School, Delhi, Amity Law School, Chandigarh, Rajasthan Chapter of Commerce and Industry ,Indian Law Institute and other prominent Institutions.
Her papers on the subject of Cyberlaws, Arbitration, Contract Laws ,Intellectual property laws have been published in reputed Legal Journals and newsletters such as the Indian Council of Arbitration Newsletter, Amity Law Review ,Patent and Trademark Reporter, Lawyers Update and other legal journals.
You may mail your queries to the author at Karnika@sethassociates.com
Copyrighted 2005 Karnika Seth. Permission to make digital or paper copy of these works for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage .It is permissible to abstract these works so long as credit is given. To copy in all other cases,or to republish it or post on a server or to redistribute requires special permission from Author at email@example.com