Fraudulent e-mail scams show more sophistication.*
by Saul Hansell,
New York Times
Last year,
EarthLink, the big Internet access provider, went hunting
for phishers.
It started a campaign to track down people who were sending e-mail
messages that pretended to be from EarthLink, but were
actually fraudulent attempts to steal customers' passwords,
credit card numbers and other personal information.
What it found was that of the dozen or so people it could
clearly identify as engaged in the practice known as
phishing, more than half were under 18.
In its latest sweep, EarthLink discovered a lot of phishing e-mail
messages coming from computers in Russia, other East
European countries and Asia. The e-mail messages and
the Web sites they directed people to were becoming much
more technically sophisticated.
"A year ago, there were some phishers out there, and it was mostly
teenagers and other people fooling around," said Les
Seagraves, EarthLink's chief privacy officer. "Now I
think we are moving to more criminal enterprise."
Phishing attacks are growing rapidly, impersonating Internet
service providers, online merchants and banks.
Government officials and private investigators say that all
signs point to gangs of organized criminals--most likely in
Eastern Europe--as being behind many of the latest efforts.
"Like any other black market, there is a stratification in
phishing," said Kevin Leininger, president of ICG, an
investigative firm that has been hired by banks to find the
people behind the attacks. "There are people who are
rank amateurs, and there are identity-theft rings."
So far, the offenders have largely evaded the searches. One
reason is that they often use computer worms, spread from
machine to machine, to send the fraudulent e-mail
messages--a technique that makes it almost impossible to
trace the source.
Government authorities, like EarthLink's investigators, have
managed to track down a few individuals operating
less-sophisticated scams. The FBI traced one crop of
mass e-mail messages purporting to be from the "AOL Billing
Center" to Helen Carr, 55, who operated the scheme from her
home in Akron, Ohio. (Carr pleaded guilty and was
sentenced in January to 46 months in prison.)
But federal investigators write off people like Carr as small
phish, not the king phishers.
"The kids in school and the old lady in her basement make great
copy," said Bruce Townsend, deputy assistant director of the
office of investigations at the Secret Service, which
investigates cases of credit card fraud. "But this has
transformed into something done by organized criminal
groups."
In February, 282 separate cases of phishing e-mails were reported
to the Anti-Phishing Working Group, a coalition of
technology companies, financial institutions and law
enforcement agencies. That's up from 176 attacks in
January and 116 in December.
Brightmail, which filters e-mail for spam, identified 2.3 billion
phishing messages in February, 4 percent of the e-mail it
processed. As recently as September, only 1 percent of
its messages were such deceptions.
"Identity theft is the single greatest type of consumer fraud,"
said Christopher Wray, an assistant attorney general at the
Justice Department, "and phishing is the identity theft du
jour."
There are very few sure-fire ways for an Internet user to tell
whether an e-mail is legitimate. So experts advise
people to be extremely wary of providing any sensitive
information in response to an e-mail message.
"The crooks are getting slicker, and the bogus Web sites and
e-mails are dangerously legitimate looking," Wray said.
No one knows how much money has actually been stolen through
phishing schemes. Banks say it still appears to be
relatively small compared with other forms of fraud and
theft, like using a stolen credit or debit card.
Unknowing victims
One reason
it is not easy to figure out how much money has been lost to
phishers is that many victims do not realize they have been
fleeced. Even those who find an unauthorized charge on
their credit card bills and bring it to the attention of the
issuer do not necessarily know that the charge was caused by
their response to a fake e-mail.
"People think they are giving their credit card numbers to AOL
because there is a problem in their account," said Eric
Wenger, an attorney for the Federal Trade Commission, which
has brought civil action against several phishers. "If
they find out four weeks later there are unauthorized
charges on the credit card, it never occurs to them to
connect the two events."
Lisa Cook, a Kraft Foods sales representative who lives in
Brookline, N.H., was one of the lucky ones who discovered
she had been subject to phishing before she was seriously
harmed. Cook responded one morning, before her first
cup of coffee, to a message in her e-mail inbox seemingly
from PayPal, the electronic payment service of EBay.
It said she needed to update her account, so Cook dutifully
provided her credit card and Social Security numbers,
mother's maiden name and other identifying information.
Fortuitously, she spotted a warning later the same day about
Internet scams. Cook placed a panicked call to PayPal,
which confirmed her fear that she had been phished.
Cook managed to cancel all her credit cards and change passwords
before she lost any money. But the incident still
haunts her.
"It will always be in the back of my mind," she said. "I
worry that some day down the road someone will take out a
mortgage using my information."
Phishing got its name a decade ago when America Online charged
users by the hour. Teenagers sent e-mails and instant
messages pretending to be AOL customer service agents in
order to fish--or phish--for account IDs and passwords they
could use to stay online at someone else's expense.
After AOL moved to a flat monthly price, the same phishing
methods were used to steal credit card information.
These days, the rise of phishing piggybacks on the same factors
driving all sorts of spam.
"It doesn't cost any money to go out and copy someone else's Web
page to make it look real," said John Curran, a supervisory
special agent for the FBI. "And it doesn't cost any
money to spam the e-mail out to 1 million people."
Social engineering involved
The
essence of phishing is what is known as social engineering.
The phishers' goal is to persuade a recipient that they have
received a legitimate message, which must be replied to
immediately.
To prompt a reply, phishers sometimes appeal to greed, sending an
e-mail message that promises the recipient a prize and asks
for a credit card number supposedly only to bill for shipping.
More often, they rely on fear.
"The initial hook is something alarming," Curran of the FBI said.
"They tell you they will shut down your account or you have
been charged for child pornography. Once they get you
in a state where you are agitated or excited, they can
elicit an emotional response."
The open technology behind both e-mail and Web browsing makes it
easy to create convincing fakes and makes it difficult for
recipients to verify who is behind them. Even people
with only modest technical skills can take graphic elements
from a legitimate Web site and make a credible copy.
(Many phishing attempts last year were riddled with
typographical errors and awkward language, but now it
appears that most phishers have brushed up on their English
or hired proofreaders.)
Phishers often register Internet addresses that closely resemble
legitimate ones. For example, phishers have used
domains that included "yahoo-billing.com" and "eBay-secure.com".
The difference is invisible to most readers: "billing.yahoo.com" is a
subdomain under Yahoo's own registered domain, yahoo.com, while
"yahoo-billing.com" is a separate domain that anyone can register.
How is the average user to know that the first is real and the
others are not?
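The distinction the article draws, a brand name appearing somewhere in an address versus the address actually falling under the brand's registered domain, is mechanical enough to check in code. The following is an added example, not code from the article, EarthLink, EBay or any toolbar it mentions. It splits a hostname at its public suffix to find the registrable domain (the part a registrar actually hands out) and compares that against a table of domains the brand owns. The suffix list, the brand table and the sample URLs are all constructed for this example; a real checker would load the full Public Suffix List rather than the handful of entries assumed here.

```python
"""Flag lookalike hostnames by comparing their registrable domain
against the domains a brand actually owns.

Added example; the suffix list, brand table and sample URLs are
assumptions made for illustration, not data from the article."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, just enough
# for the sample inputs below. Production code must use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "co.uk", "com.au"}

# Assumption: the registrable domains each brand legitimately controls.
BRAND_DOMAINS = {
    "yahoo": {"yahoo.com"},
    "ebay": {"ebay.com", "ebay.co.uk"},
    "paypal": {"paypal.com"},
}

# Constructed sample addresses, modelled on the patterns the text describes.
SAMPLE_URLS = [
    "http://billing.yahoo.com/login",             # genuine subdomain
    "http://yahoo-billing.com/login",              # separately registered
    "http://www.ebay-secure.com/signin",           # separately registered
    "http://signin.ebay.com.secure-update.net/",   # brand buried as a subdomain
    "http://www.paypal.com@192.0.2.10/update",     # userinfo trick, real host is an IP
    "http://www.example.org/",                     # no brand mentioned at all
]


def registrable_domain(host):
    """Return the registrable domain (public suffix plus one label), e.g.
    billing.yahoo.com -> yahoo.com, yahoo-billing.com -> yahoo-billing.com.
    Returns None when host is itself a public suffix or unrecognised."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so co.uk beats uk.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def classify_url(url):
    """Return (brand, verdict) for one URL.

    verdict is one of:
      legitimate  - host falls under a domain the brand owns
      lookalike   - brand is named, but the registrable domain is someone else's
      ip-address  - host is a raw IP literal, whatever the URL claims
      unrelated   - no known brand name appears in the address
      invalid     - no hostname could be parsed
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # anything before '@' (userinfo) is discarded here
    if not host:
        return ("", "invalid")
    # Judge the brand mention on the whole netloc so that the userinfo
    # trick ('www.paypal.com@...') is still attributed to that brand.
    mentioned = [b for b in BRAND_DOMAINS if b in parts.netloc.lower()]
    brand = mentioned[0] if mentioned else ""
    try:
        ipaddress.ip_address(host)
        return (brand, "ip-address")
    except ValueError:
        pass
    if not brand:
        return ("", "unrelated")
    if registrable_domain(host) in BRAND_DOMAINS[brand]:
        return (brand, "legitimate")
    return (brand, "lookalike")


def triage(urls):
    """Classify a batch of URLs; returns a list of (url, brand, verdict)."""
    return [(u,) + classify_url(u) for u in urls]


if __name__ == "__main__":
    for url, brand, verdict in triage(SAMPLE_URLS):
        print(f"{verdict:11} {brand or '-':7} {url}")
```

The only hard part is the suffix split: a naive "last two labels" rule would call signin.ebay.com.secure-update.net a match for "ebay.com", and would mishandle registries such as .co.uk, which is exactly why the real Public Suffix List exists. The userinfo case is also worth keeping in any checker, because the browsers of the period displayed the text before the "@" prominently while connecting to the host after it.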
In response, Microsoft has modified Internet Explorer, by far the
most popular browser, to make it harder to fool users and
has more changes planned for its next update this summer.
A few Internet companies are going further. EBay and
EarthLink have both developed toolbars that can be added to
Internet Explorer to warn users if they are looking at known
fraudulent sites.
Howard Schmidt, a vice president of security at EBay, said these
approaches and EBay's frequent warnings to its customers and
those of PayPal have their limits.
Law must step in
"Technology can solve 60 percent of the problem," he said.
"Education and awareness can solve 20 percent, and no matter
how good the industry is, there will be people who fall
victim, so 20 percent will have to be handled by law
enforcement."
Even the small-time phishers who have been caught show how easy it
is to use easily accessible high-tech tools to fool people.
In February, Alec Scott Papierniak, a 20-year-old college
student in Mankato, Minn., pleaded guilty to wire fraud.
He had sent people e-mail messages, with a small program
attached, that purported to be a security update from
PayPal. The program secretly monitored the users'
activities and reported their PayPal user names and
passwords to Papierniak.
Prosecutors say that at least 150 people installed the software,
allowing Papierniak to steal $35,000.
While most of the people prosecuted so far for phishing have been in
the United States, EBay, working with the Secret Service,
has investigated a series of scams emanating from Romania.
More than 100 people have been arrested by Romanian authorities.
One of those was Dan Marius Stefan, who was convicted of
stealing nearly $500,000 through phishing and is now serving
30 months in a Romanian jail.
Stefan sent e-mails that appeared to come from EBay to people who
lost auctions, advising them of similar merchandise for sale
at even better prices. To purchase the goods, the
victims had to provide bank account numbers and passwords,
then wire money to a fraudulent escrow site that Stefan had
set up.
The financial losses of most phishing victims, particularly those
subject to credit card fraud, often end up being absorbed by
banks and their insurance companies.
But the costs are real anyway. "We get 20,000 phone calls
every time one of those goes out, and it costs us 100
grand," said Garry Betty, EarthLink's chief executive.
"I got so mad one month when we had eight attacks," he added,
explaining that he is pressing his legal department to find
somebody important to make an example of. "We haven't
found one yet, but before 2004 is over, I'm going to get
one."
*San Francisco Chronicle, Technology and Business, Section D, Monday, March 29, 2004.
Contact: Ken Howe, business editor, business@sfchronicle.com, http://www.sfgate.com/business, or (415) 777-8440.