--Fraudulent e-mail scams
show more sophistication.*
by Saul Hansell,
New York Times
EarthLink, the big Internet access provider, went hunting
It started a campaign to track down people who were sending e-mail
messages that pretended to be from EarthLink, but were
actually fraudulent attempts to steal customers' passwords,
credit card numbers and other personal information.
What it found was that of the dozen or so people it could
clearly identify as engaged in the practice know as
phishing, more than half were under 18.
In its latest sweep, EarthLink discovered a lot of phishing e-mail
messages coming from computers in Russia, other East
European countries and Asia. The e-mail messages and
the Web sites they directed people to were becoming much
more technically sophisticated.
"A year ago, there were some phishers out there, and it was mostly
teenagers and other people fooling around," said Les
Seagraves, EarthLink's chief privacy officer. "Now I
think we are moving to more criminal enterprise."
Phishing attacks are growing rapidly, impersonating Internet
service providers, online merchants and banks.
Government officials and private investigators say that all
signs point to gangs of organized criminals--most likely in
Eastern Europe--as being behind many of the latest efforts.
"Like any other black market, there is a stratification in
phishing," said Kevin Leininger, president of ICG, an
investigative firm that has been hired by banks to find the
people behind the attacks. "There are people who are
rank amateurs, and there are identity-theft rings."
So far, the offenders have largely evaded the searches. One
reason is that they often use computer worms, spread from
machine to machine, to send the fraudulent e-mail
messages--a technique that makes it almost impossible to
trace the source.
Government authorities, like EarthLink's investigators, have
managed to track down a few individuals operating
less-sophisticated scams. The FBI traced one crop of
mass e-mail messages purporting to be from the "AOL Billing
Center" to Helen Carr, 55, who operated the scheme from her
home in Akron, Ohio. (Carr pleaded guilty and was
sentenced in January to 46 months in prison.)
But federal investigators write off people like Carr as small
phish, not the king phishers.
"The kids in school and the old lady in her basement make great
copy," said Bruce Townsend, deputy assistant director of the
office of investigations at the Secret Service, which
investigates cases of credit card fraud. "But this has
transformed into something done by organized criminal
In February, 282 separate cases of phishing e-mails were reported
to the Anti-Phishing Working Group, a coalition of
technology companies, financial institutions and law
enforcement agencies. That's up from 176 attacks in
January and 116 in December.
Brightmail, which filters e-mail for spam, identified 2.3 billion
phishing messages in February, 4 percent of the e-mail it
processed. As recently as September, only 1 percent of
its messages were such deceptions.
"Identity theft is the single greatest type of consumer fraud,"
said Christopher Wray, an assistant attorney general at the
Justice Department, "and phishing is the identity theft du
There are very few sure-fire ways for an Internet user to tell
whether an e-mail is legitimate. So experts advise
people to be extremely wary of providing any sensitive
information in response to an e-mail message.
"The crooks are getting slicker, and the bogus Web sites and
e-mails are dangerously legitimate looking," Wray said.
No one knows how much money has actually been stolen through
phishing schemes. Banks say it still appears to be
relatively small compared with other forms of fraud and
theft, like using a stolen credit or debit card.
it is not easy to figure out how much money has been lost to
phishers is that many victims do not realize they have been
fleeced. Even those who find an unauthorized charge on
their credit card bills and bring it to the attention of the
issuer do not necessarily know that the charge was caused by
their response to a fake e-mail.
"People think they are giving their credit card numbers to AOL
because there is a problem in their account," said Eric
Wenger, an attorney for the Federal Trade Commission, which
has brought civil action against several phishers. "If
they find out four weeks later there are unauthorized
charges on the credit card, it never occurs to them to
connect the two events."
Lisa Cook, a Kraft Foods sales representative who lives in
Brookline, N.H., was one of the lucky ones who discovered
she had been subject to phishing before she was seriously
harmed. Cook responded on morning, before her first
cup of coffee, to a message in her e-mail inbox seemingly
from PayPal, the electronic payment service of EBay.
It said she needed to update her account, so Cook dutifully
provided her credit card and Social Security numbers,
mother's maiden name and other identifying information.
Fortuitously, she spotted a warning later the same day about
Internet scams. Cook placed a panicked call to PayPal,
which confirmed her fear that she had been phished.
Cook managed to cancel all her credit cards and change passwords
before she lost any money. But the incident still
"It will always be in the back of my mind," she said. "I
worry that some day down the road someone will take out a
mortgage using my information."
Phishing got its name a decade ago when America Online charged
users by the hour. Teenagers sent e-mails and instant
messages pretending to be AOL customer service agents in
order to fish--or phish--for account IDs and passwords they
could use to stay online at someone else's expense.
After AOL moved to a flat monthly price, the same phishing
methods were used to steal credit card information.
These days, the rise of phishing piggybacks on the same factors
driving all sorts of spam.
"It doesn't cost any money to go out and copy someone else's Web
page to make it look real," said John Curran, a supervisory
special agent for the FBI. "And it doesn't cost any
money to spam the e-mail out to 1 million people."
Social engineering involved
essence of phishing is what is known as social engineering.
The phishers' goal is to persuade a recipient that they have
received a legitimate message, which must be replied to
As for motivation, phishers sometimes appeal to greed by sending an
e-mail message that promises the recipient a prize, asking
for a credit card number only to bill for shipping.
More often, they rely on fear.
"The initial hook is something alarming," Curran of the FBI said.
"They tell you they will shut down your account or you have
been charged for child pornography. Once they get you
in a state where you are agitated or excited, they can
elicit an emotional response."
The open technology behind both e-mail and Web browsing makes it
easy to make convincing fakes, and make it difficult for
recipients to verify who is behind them. Even people
with only modest technical skills can take graphic elements
from legitimate Web site and make a credible copy.
(Many phishing attempts last year were riddled with
typographical errors and awkward language, but now it
appears that most phishers have brushed up on their English
or hired proof readers.)
Phishers often create Internet addresses that closely resemble
legitimate ones. For example, phishers have used
domains that included "yahoo-billing.com" and "eBay-secure.com".
How is the average user to know those are not real, but "billing.yahoo.com"
In response, Microsoft has modified Internet Explorer, by far the
most popular browser, to make it harder to fool users and
has more changes planned for its next update this summer.
A few Internet companies are going further. EBay and
EarthLink have both developed toolbars that can be added to
Internet Explorer to warn users if they are looking at known
Howard Schmidt, a vice president of security at EBay, said these
approaches and EBay's frequent warnings to its customers and
those of PayPal have their limits.
Law must step in
"Technology can solve 60 percent of the problem," he said.
"Education and awareness can solve 20 percent, and no matter
how good the industry is , there will be people who fall
victims, so 20 percent will have to be handled by law
Even the small-time phishers who have been caught show how easy it
is to use easily accessible high-tech tools to fool people.
In February, Alec Scott Papierniak, a 20-year-old college
student in Mankato, Minn., pleaded guilty to wire fraud.
He had sent people e-mail messages, with a small program
attached, that purported to be a security update from
PayPal. The program secretly monitored the users'
activities and reported their PayPal user names and
passwords to Papierniak.
Prosecutors say that at least 150 people installed the software,
allowing Papierniak to steal $35,000.
While most of people prosecuted so far for phishing have been in
the United States, EBay, working with the Secret Service,
has investigated a series of scams emanating from Romania.
More than 100 people have been arrested by Romanian authorities.
One of those was Dan Marius Stefan, who was convicted of
stealing nearly $500,000 through phishing and is now serving
30 months in a Romanian jail.
Stefan sent e-mails that appeared to come from EBay to people who
lost auctions, advising them of similar merchandise for sale
at even better prices. To purchase the goods, the
victims had to provide bank account numbers and passwords,
then wire money to a fraudulent escrow site that Stefan had
The financial losses of most phishing victims, particularly those
subject to credit card fraud, often end up being absorbed by
banks and their insurance companies.
But the costs are real anyway. "We get 20,000 phone calls
every time one of those goes out, and it costs us 100
grand," said Garry Betty, EarthLink's chief executive.
"I got so mad one month when we had eight attacks," he added,
explaining that he is pressing his legal department to find
somebody important to make an example of. "We haven't
found one yet, but before 2004 is over, I'm going to get
*San Francisco Chronicle, TECHNOLOGY
AND BUSINESS, Section D...Monday, March 29, 2004.
CONTACT US: Ken Howe, BUSINESS EDITOR,