
Definition: Spyware

A technology that assists in gathering information about a person or organization without their knowledge. On the Internet, "spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties." As such, spyware is cause for public concern about privacy on the Internet. 
 

The Facts about Phishing

It seems hardly a day goes by without word of some clever new “phishing” scam taking place. These sophisticated attacks use “spoofed” emails and fraudulent Web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, and social security numbers. And the number of these attacks continues to climb.

According to the Anti-Phishing Working Group’s most recent figures, there were 1,197 new attacks reported in May, a 6 percent increase over the number of attacks reported in April. The group attributed the relatively modest increase to a drop in cyber activity over the Memorial Day holiday in the U.S. For comparison’s sake, the 1,125 attacks reported in April represented a 178 percent increase over the previous month.

The group also noted that in the seven months it has received phishing reports, the number of attack “targets” has shrunk significantly. “It’s clear,” the group observed, “that phishers have focused their efforts on Citibank, eBay, and Paypal.” Further, an analysis of the May attacks by the group found that 95 percent of them used “spoofed” (or forged) email addresses.

Laying down the law
Not surprisingly, the proliferation of these attacks has drawn the attention of lawmakers.

While the identity theft bill signed by President Bush earlier this month includes mandatory jail terms for those who use a stolen identity to commit a felony, the new law does not criminalize the act of phishing itself. U.S. Senator Patrick Leahy wants to change that. Leahy's Anti-Phishing Act of 2004, introduced this month, targets the entire scam, from sending the email to creating fraudulent sites. Each element would become a felony subject to five years in prison and a fine of up to $250,000.

“Some phishers can be prosecuted under wire fraud or identity theft statutes, but often these prosecutions take place only after someone has been defrauded,” Leahy said when he introduced the bill, according to a report on internetnews.com. "When people cannot trust that Web sites are what they appear to be, they will not use the Internet for their secure transactions. So traditional wire fraud and identity theft statutes are not sufficient to respond to phishing. [This legislation would make] it illegal to knowingly send out spoofed email that links to sham Web sites, with the intention of committing a crime. Second, it criminalizes the sham Web sites that are the true scene of the crime.”

Resolution of the issue, however, is likely to be put on hold until after Congress returns from its summer recess.

A pledge to detect scams in real time
Lawmakers aren’t the only ones taking action. Just last month, MasterCard International joined forces with a digital fraud detection specialist to launch a new anti-identity theft initiative. As part of that initiative, MasterCard is pledging “to detect online scams in real time as they proliferate across the Internet.”

“We are confronting identity theft head-on by taking the fight directly to where payment card scams breed and spread,” said Sergio Piñòn, MasterCard’s senior vice president, Global Security & Risk Services, in a statement. “By identifying these illegal card number-swapping rings and working to close down these online 'payment card black markets,' as well as sites that are established solely to steal personal information, we can squash illegal activity before people's accounts are compromised.”

Frequently, phishing scams and other forms of fraud are perpetrated by criminals who buy and sell credit card numbers and other personal information through secret online forums.

MasterCard is pledging to continuously monitor domain names, Web pages, online discussions, spam e-mail, and other online formats to identify online trading rings, phishing attacks, and other forms of online fraud as they are launched.

For its part, MasterCard’s partner in the initiative will track phishers online and report them to law enforcement, the companies said.

The new face of cyber crime
Call it the new face of cyber crime. Where hackers once sought notoriety for defacing or crippling a popular Web site, today they are motivated by a more mundane principle: profit. And, increasingly, they’re finding the funding to carry out their scams. As Richard Clarke, the former White House chief advisor for cybersecurity, has observed apropos today’s online “bad guys”:

“At the bottom of the spectrum are those who are just showing off. All too often they turn out to be teenagers who are doing the equivalent of ‘joy riding’ in cyberspace. But the next level up are people engaged in fraud and extortion. People from all around the world are hacking into facilities in other countries, finding customer lists, and saying that they will provide those customer names and credit card names on public Web sites unless they're paid off. That's pure blackmail, pure extortion.”

And it’s all proving exceptionally lucrative. According to a recent study by researcher Gartner Inc. (“Phishing Attack Victims Likely Targets for Identity Thefts,” April, 2004), bogus attempts at getting passwords, credit card information, and other personal data cost U.S. banks and credit card issuers $1.2 billion in damages last year alone. Gartner suggests that as many as 57 million adults have experienced a phishing attack and that 1.78 million adults may have fallen victim to the scams by providing confidential personal information.

Now it appears that scammers may be pushing phishing to a new level. Rather than relying on victims’ gullibility, scammers are taking their cues from -- and even starting to cooperate with -- virus writers to exploit software vulnerabilities and plant Trojans on targeted computers.

In May, the technology newspaper eWEEK reported that an email message had begun circulating with the purpose of installing a Trojan known as Sepuc. The email had no subject line and no text in the body of the message. When the user opens the message, code hidden in the email attempts to exploit a known vulnerability in Microsoft’s Internet Explorer browser to force a download from a remote machine. This file then downloads several other pieces of code and eventually installs a Trojan capable of gathering data from the PC and sending it to a remote machine.

“The most worrisome aspect of this attack,” eWEEK concluded, “is that, unlike previous scams, victims would likely have no idea that they had done anything wrong.”
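
A defender-side sketch of the traits in the eWEEK report above (no subject line, no body text, code hidden in the message), added here as an example and not taken from Symantec or eWEEK. The tag list, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Assumption: the article only says "code hidden in the email"; these tags are
# this example's guess at what counts as active content in an HTML mail body.
ACTIVE_TAGS = {"script", "object", "iframe", "embed", "applet"}

class _Scan(HTMLParser):
    """Collects visible text and active-content tags from an HTML part."""
    def __init__(self):
        super().__init__()
        self.visible, self.active, self._skip = [], set(), 0
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.add(tag)
        if tag in ("script", "style"):
            self._skip += 1          # text inside these is not shown to the reader
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.visible.append(data.strip())

def blank_lure_indicators(raw):
    """Return the traits from the report that this raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = [] if (msg["Subject"] or "").strip() else ["empty-subject"]
    scan = _Scan()
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_type() == "text/html":
            scan.feed(body)
        elif body.strip():
            scan.visible.append(body.strip())
    scan.close()
    if not scan.visible:
        found.append("no-visible-text")
    return found + ["active-content:" + t for t in sorted(scan.active)]

def should_quarantine(raw):
    """Hold mail that shows nothing to the reader yet carries active content."""
    hits = blank_lure_indicators(raw)
    return "no-visible-text" in hits and any(h.startswith("active-content:") for h in hits)

# Constructed samples (not real traffic): a blank HTML mail and an ordinary note.
HDR = b"From: a@example.com\r\nTo: b@example.com\r\nMIME-Version: 1.0\r\n"
SUSPECT = HDR + b"Content-Type: text/html\r\n\r\n<html><body><script>/* placeholder */</script></body></html>\r\n"
BENIGN = HDR + b"Subject: Minutes\r\nContent-Type: text/plain\r\n\r\nNotes attached.\r\n"
```

An ordinary HTML message that contains a script but also shows text to the reader is reported with its `active-content:` indicator and is not quarantined, so the rule keys on the combination rather than on scripts alone.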

What you can do
So what can enterprise users do to avoid getting hooked by phishing scams? As a general rule, security experts agree, users should above all else be extremely careful about giving out personal financial information over the Internet. Indeed, be suspicious of any email containing an urgent request for such information. For more detailed advice, users would do well to consult these resources:

  • The Anti-Phishing Working Group has compiled this list of recommendations that you can use to avoid becoming a victim of these scams.
  • The APWG also offers this advice if you have already given out your personal financial information.
  • The Federal Trade Commission provides this information on avoiding these scams.

Text courtesy of Symantec Corp.
