As we enter 2007, online scam phishing – in which the perpetrator creates a Web site that mimics a legitimate company’s Web site in order to trick Internet users into handing over their personal and financial information – has become a household term, as much a part of the online lexicon as “e-mail” and “downloading.” Because phishers rely in large part on catching their victims unaware, the rapid growth in awareness of phishing has been invaluable in eroding the effectiveness of traditional phishing scams. But phishers have not been sitting on their hands, and the level of user exposure to phishing scams remains alarmingly high. With each passing month, the number of phishing scams launched against Internet users increases. Furthermore, phishers are increasingly diversifying their tactics in ways that could allow them to target new and unexpected brands. This article is intended to alert corporate lawyers to recent trends in phishing, with particular emphasis on the level of user exposure in the
1. Phishing Attacks Increase as User Preparedness Lags
Despite increased awareness, the number of phishing attacks launched against Internet users continues to increase. The Anti-Phishing Working Group (www.apwg.org), a joint industry/law enforcement task force that catalogues reports of phishing attacks worldwide, recorded more than 26,000 reports of new phishing scams in August 2006.[1] That was the second highest monthly tally the APWG has ever recorded (the highest was more than 28,000 in June). The Group also identified more than 10,000 unique phishing pages in August. That figure was down somewhat from July, when the Group identified more than 14,000 unique sites, but was almost twice the number of sites it recorded in August 2005.
In the
At the same time, user awareness and self-protection in the
2. Phishing Techniques Target New Brands
Not only is the number of phishing attacks increasing, phishers are also deviating from the traditional phishing model in order to catch new, unsuspecting victims. Three such deviations bear particular mention.
Innocuous Password Phishing: Password phishing scams have traditionally been directed at financial institutions, Web-based e-mail providers, and other Web sites that store users’ sensitive personal information. As users become more wary of phishing scams targeting these sites, phishers may be targeting new sites that do not store personal information, on the theory that users will be more susceptible to scams targeting “innocuous” sites. This new model of password phishing seeks to exploit the fact that users tend to re-use login credentials on multiple Web sites. The government’s Get Safe Online project (www.getsafeonline.org) recently published the results of a survey in which 51% of respondents acknowledged using the same password on multiple Web sites.[4] If a phisher can steal a person’s login credentials for an “innocuous” site, it is not difficult for the phisher to blast that information across the Internet looking for other, more sensitive sites on which the person has used the same login credentials. If phishers adopt the “innocuous” password phishing strategy en masse, any site that asks its users to choose a username and password could become a potential phishing target.
One high-profile example of password phishers targeting an unexpected brand is the recent spate of attacks targeting the social networking site MySpace.com.[5] If the people whose MySpace.com login credentials the phishers stole also use their MySpace.com user names and passwords on other sites (such as a Web-based e-mail account), the phishers need only send automated queries to Web-based e-mail sites until they hit on one that accepts the credentials. While this method may be less direct than simply targeting the e-mail site, the increased number of victims who fell for the scam because they did not expect to be phished on MySpace.com could make the extra step worthwhile for the phishers.
This new breed of password phishers could also use targeted, non-spam methods of driving traffic to their sites. For example, phishers could post links to their sites on forums or discussion groups hosted on the target Web site. The MySpace.com phishers used this strategy to great effect by posting links within MySpace.com that led to a phishing page that told users they were required to sign back in to MySpace.com in order to view the link. The same strategy could be used against countless other Web sites. Password phishers could also make expanded use of “pharming,” a technique in which the phisher hacks into a DNS server, which directs traffic on the Internet by matching domain names with their corresponding IP addresses, and reprograms the server to send traffic bound for a particular Web site to the phishing page instead.
Crimeware: Since January 2006, the Anti-Phishing Working Group has noted a significant increase in the number of phishing sites making use of “crimeware” – malicious software code that installs itself on a user’s computer.[6] Among the myriad forms of crimeware that are available online are: keyloggers and screenloggers (which track a user’s keystrokes or screen shots and transmit them back to the phisher); browser redirectors (which wait for a user to try to browse to a particular site, and then send the browser to a phishing page that mimics that site); e-mail redirectors (which intercept and relay outgoing e-mail to the phisher); and Web trojans (which overlay and mimic login screens on legitimate Web sites so that users type their login credentials into the trojan rather than the legitimate site). All of these applications (and more) can hide within the code of a Web page and can install themselves on an unprotected or under-protected user’s computer.
Crimeware sites can be constructed so that the malicious application installs itself on the victim’s computer as soon as the victim lands on the site. Thus, there is no need for the perpetrator to mimic a traditional phishing target and trick the victim into volunteering information. The flexibility of this tactic allows the phisher to target any brand that seems likely to attract users to the site. Although the MySpace.com phishing attacks that have occurred to date do not appear to have been crimeware-based, they could easily be modified to that end. Other crimeware-based models targeting non-traditional brands are easy to imagine. For example, the phisher could upload a crimeware site to a domain name that contains a misspelling of a famous brand (eg www.tessco.com). The phisher could also use a phishing-style e-mail advertising a sale at a famous retailer with a link to view the sale information on the fraudulent crimeware site, or a “breaking news” update from a major news outlet with a link to a crimeware site that mimics the outlet’s Web site. The number of exploitable brands in crimeware phishing is only as limited as the scammer’s imagination.
Spear Phishing: “Spear phishing” refers to a highly focused phishing scam that targets a limited number of people, such as the employees of a company. There has been a great deal of discussion about spear phishing over the past year, though recent statistics on the current prevalence of the scam are difficult to come by.
Spear phishers pose as trusted individuals within an organization, such as the head of the Information Technologies department, the CEO or some other corporate officer, or as a trusted third party service provider. They drive traffic to their phishing sites using very specific e-mail messages that a user would find consistent with a genuine message from the purported sender (whose corporate e-mail address almost always appears in the header of the phishing e-mail). Spear phishers may use fraudulent intranet pages to steal login credentials for a company’s internal network. They may also (depending on the strength of the company’s firewall and e-mail filters) send e-mails laced with crimeware intended to compromise the company’s network. A spear phisher who gains unauthorized access to a company’s network can steal all manner of information, including trade secrets, financial data, marketing and product development documents and other proprietary information.
Because spear phishers are interested in corporate data, rather than individual users’ personal information, they will exploit the brand of the target company, regardless of whether that company is a traditional phishing target. The potential damage of spear phishing cannot be overstated. A spear phisher who steals a company’s customer lists, marketing plans, financial data or other trade secrets can sell that data to the highest bidder, or publish it online, destroying its value and giving the company’s competitors a tremendous competitive advantage.
3. Combating Phishers
The techniques discussed above are only some of the methods phishers are using to expand their reach. As they develop new and more sinister methods of victimizing Internet users, all companies with an Internet presence will need to be prepared to deal with a phishing attack, and to do so quickly. A company that fails to address phishing scams that target its brand does so at its own commercial and legal peril. The Get Safe Online survey noted above also indicated that just over 75% of UK Internet users still believe that third parties should be responsible for ensuring their online safety.[7] In light of that consumer expectation, the effect of media reports such as a recent BBC article that led with the line “Three UK banks are failing to prevent the possible theft of online customers’ identity, an online security company has warned” could be commercially devastating.[8] Furthermore, a company that is perceived to have been inattentive in protecting its brand from infringement by phishers may have future difficulty enforcing its rights in its brand.
As with all brand-protection issues, corporate lawyers and their advisers have a range of options for identifying phishing scams. At the least expensive end of the spectrum is the purely reactive approach of inviting users to report phishing attacks as they encounter them. A more proactive approach involves the retention of a third-party service provider that can periodically scour the Internet searching for occurrences of the company’s trade marks. Companies that provide this type of service tend to offer varying levels of service to accommodate concerns about budget and available resources.
When a phishing site is identified, there are several options. At a minimum, in-house lawyers should take whatever steps are necessary to ensure that the site is removed. This can usually be achieved by sending a takedown request to the company hosting the phishing site. In some cases, such as a phisher who repeatedly targets a company’s brands or one who launches a particularly insidious or successful attack, lawyers may wish to pursue civil litigation against the phisher or refer the matter to law enforcement.[9]
Companies considering a litigation-based approach to phishing must carefully consider their claims and their litigation strategy. Many jurisdictions do not yet have laws explicitly outlawing phishing. However, in most cases a plaintiff can use existing laws, such as those dealing with trade marks, fraud, and consumer protection, to maintain a civil suit against a phisher. There is also the question of jurisdiction. Most phishers operate from outside the
Of course, litigation can succeed only if the phisher is identified. Although it can be difficult to locate and identify phishers, the chances of doing so are often not as miniscule as one might think. Even the best phishers leave footprints behind. A small but growing number of law firms, often partnered with technology consultancies, have developed cost-efficient methods to locate and identify phishers using code analysis, online sleuthing, subpoenas to third parties, and traditional investigative tools such as ruse phone calls and stakeouts. These methods can be very powerful in jurisdictions such as the
As Internet users and companies develop methods to defend against phishing scams, the phishers will continue to change their methods in the hopes of snaring more victims. All indications are that the number of phishing attacks will continue to increase, even as the types of attacks become more diverse. Trends in recent phishing attacks suggest that phishers are adapting their scams to target new brands whose owners and customers will not expect to be phishing targets. That adaptation, combined with the increasing sophistication of attacks using crimeware and spear phishing tactics, makes it vital that all companies with an Internet presence be prepared to deal with a phishing attack. In preparing to confront phishers, counsel has access to a number of tools and a variety of approaches. It will never be possible to guarantee that a brand will not be exploited by phishers but, with some thoughtful planning now, companies can avoid being caught off-guard by a potentially disastrous attack in the future.
Christopher Varas is an IP and technology attorney from the
[1] August 2006 was the last month for which the Group had published data as of the time of writing. The most recent statistics are available on the Group’s home page.
[2] www.Webuser.co.uk/news/98071.html?aff=rss.
[3] www.Webuser.co.uk/news/98071.html?aff=rss.
[4] www.getsafeonline.org/media/GSO_Cyber_Report_2006.pdf.
[5] www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=16306&pagtype=allchandate; www.techworld.com/security/news/index.cfm?NewsID=6139.
[6] www.antiphishing.org/reports/APWG_CrimewareReport.pdf
[7] www.getsafeonline.org/media/GSO_Cyber_Report_2006.pdf.
[8] http://news.bbc.co.uk/1/hi/business/6076248.stm.
[9] Generally, law enforcement will be hesitant to undertake a phishing investigation without some assistance from the company being targeted, but companies like Microsoft have worked effectively with law enforcement authorities around the world to bring phishers to justice.