NY Times Looks at Online Swindlers (Phishers)

[DudeAsInCool]

Online Swindlers, Called 'Phishers,' Are Luring Unwary

By SAUL HANSELL

March 24, 2004

Last year, EarthLink, the big Internet access provider, went hunting for phishers.

It started a campaign to track down people who were sending e-mail messages that pretended to be from EarthLink but were actually fraudulent attempts to steal customers' passwords, credit card numbers and other information. What it found was that of the dozen or so people it could clearly identify as engaged in the practice known as phishing, more than half were under 18.

In its latest effort, EarthLink discovered a lot of phishing e-mail messages coming from computers in Russia, other East European countries and Asia. The e-mail messages, and the Web sites they directed people to, were becoming much more technically sophisticated.

"A year ago, there were some phishers out there, and it was mostly teenagers and other people fooling around," said Les Seagraves, EarthLink's chief privacy officer. "Now I think we are moving to more criminal enterprise."

Phishing attacks are growing rapidly, impersonating Internet service providers, online merchants and banks. Government officials and private investigators say all signs point to gangs of organized criminals — most likely in Eastern Europe — as being behind many of the latest efforts.

"Like any other black market, there is a stratification in phishing," said Kevin E. Leininger, president of ICG of Princeton, N.J., an investigative firm that has been hired by banks to find those behind the attacks. "There are people who are rank amateurs. And there are identity-theft rings."

So far, the offenders have largely evaded the searches to find them. One reason is that they often use computer worms, spread from machine to machine, to send the fraudulent e-mail — a technique that makes it almost impossible to trace the source.

Like EarthLink's investigators, government authorities have managed to track down a few individuals operating less sophisticated ruses. The F.B.I. traced one crop of mass e-mail messages pretending to be from the "AOL Billing Center" to Helen Carr, 55, who ran the scheme from her home in Akron, Ohio. (Ms. Carr pleaded guilty and was sentenced in January to 46 months in prison.)

But federal investigators write off people like Ms. Carr as small-time operators. "The kids in school and the old lady in her basement make great copy," said Bruce A. Townsend, deputy assistant director in the office of investigations at the Secret Service, which investigates cases of credit card fraud. "But this has transformed into something done by organized criminal groups."

In February, 282 cases of phishing e-mail messages were reported to the Anti-Phishing Working Group, a coalition of technology companies, financial institutions and law enforcement agencies. That was up from 176 attacks in January and 116 in December. Brightmail of San Francisco, which filters e-mail for spam, identified 2.3 billion phishing messages in February, 4 percent of the e-mail it processed, compared with only 1 percent of its messages as recently as September.

"Identity theft is the single greatest type of consumer fraud," said Christopher A. Wray, an assistant attorney general in charge of the criminal division of the Justice Department, "and phishing is the identity theft du jour."

At this point, there are few sure ways for an Internet user to tell if an e-mail message is legitimate. So experts advise people to be extremely wary of providing any confidential information in response to e-mail.

"The crooks are getting slicker, and the bogus Web sites and e-mails are dangerously legitimate looking," Mr. Wray said.

No one knows how much money has been stolen through phishing schemes. Banks say it still seems relatively small compared with other forms of fraud and theft, like using stolen credit or debit cards.

One reason it is not easy to figure out how much money has been lost is because many victims do not realize it when they have been fleeced. Even those who find an unauthorized charge on their credit card bills and bring this to the attention of the issuers do not necessarily know that the charge was caused by their response to a false e-mail message.

You can read the full story here:

http://www.nytimes.com/2004/03/24/technology/24PHIS.html?hp

[Kooperman]

I regularly get these theft attempts from people claiming to be either Ebay or PayPal sites.