boston.com Business your connection to The Boston Globe
UPGRADE

Best news in the war on spam: phishing

The Internet continues to serve up a steady diet of rancid fare -- first spam, and now phish.

You've heard of phishing by now; indeed, most active e-mailers have already received a few dozen helpings of the stuff. Phishing is the up-and-coming Internet ripoff technique that takes spamming one nasty step further.

The phishers are scam artists who have designed e-mail messages that seem to come from legitimate businesses -- banks, credit card companies, online retailers. Anybody with some skill in Web page design can whip up an e-mail that looks like it really was sent from eBay or Citibank. And because mail servers take the ''From" line on faith, anyone who also knows about e-mail ''spoofing" can add a phony but legitimate-looking return address.

The message will generally contain a warning. Your account is overdrawn or may have been accessed by thieves. To be on the safe side, the company has deactivated the account. To get it started again, click on the Web link and fill out the very legitimate-looking form that appears on your screen. You're asked for information that proves who you are -- not just your account number, but also your Social Security number or driver's license number; and perhaps numbers from other bank accounts and credit cards.

Of course, all of this data is relayed to crooks who will use it to empty out your savings or create false identity documents. It's a clever trick that often snookers people who are too smart to fall for other forms of spam. Indeed, the Anti-Phishing Working Group, a consortium of businesses and law enforcement agencies, estimates that this gimmick works on about 5 percent of those who get the e-mails. That's far better than the success rate for traditional spamming. Besides, regular spammers just sell a bottle of phony weight-loss pills for $50; phishermen can steal every cent you own.

No wonder phishing is the next big thing in Internet crime. The APWG will release a report today that says the number of recorded phishing attacks rose 180 percent between March and April. Each attack represents a stream of thousands or millions of phony messages, each seeking sensitive financial data. In April, APWG counted more than 37 such attacks a day. All the crooks need is a few dozen suckers a day, and they could rake in millions.

All in all, it's the best news yet in the war on Internet junk mail.

Yes, you heard right: It's good news. Here's why.

First, why do you think the phishing rate has suddenly soared? It's probably because today's spam-filtering systems have begun to bite. The filters are getting so good that spammers are getting fewer customers for every million messages sent. The business doesn't pay the way it used to. So they're desperate to find a new moneymaking gimmick.

Phishing's a clever choice, too. Not only does it pay better and fool more sensible people, its messages are also harder to filter. Yes, spam filters nail a lot of phish mail too, but because it lacks the obvious buzzwords like ''Viagra" or ''enlargement," a lot of the stuff gets through. It's nearly impossible to come up with a filtering mechanism that can tell a phish message impersonating eBay from a legitimate notice that really came from eBay, because the crook has copied the real thing word for word.

Which means that software defenses against phishing are fairly crude. CoreStreet Ltd., an e-mail security firm in Cambridge, has cobbled together a free product called SpoofStick that does provide some protection. Click on a Web link inside a phish e-mail, and you may be taken to a phony eBay site. But even if it looks real, the browser ''knows" it's not really at eBay.com, but at some other Web address. SpoofStick adds a toolbar to an Internet Explorer browser, revealing the domain name the browser is actually connected to and displaying it in large green letters. If you're supposed to be at eBay.com, but SpoofStick displays, say, crooks-r-us.com, then you've been warned.

''It improves your situational awareness while browsing the Web," said CoreStreet president Phil Libin, but he adds: ''There's no magic here." SpoofStick doesn't provide automatic protection; users must still use good judgment, and flee from websites that don't look right. SpoofStick merely makes it easy to spot them. So do offerings from a few Internet companies like eBay and the Internet service provider EarthLink. These firms have been so frequently victimized by phishers that they offer free software that identifies whether a website is really theirs.
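As an added illustration (not CoreStreet's code, which this column does not show), here is the kind of check a toolbar like SpoofStick performs: take the link the browser will actually follow, recover the host it will connect to, and compare its registrable domain with the brand the page claims to be. It also catches the other classic trick, a link whose visible text is one address while its real target is another. The URLs, the brand domain and the "last two labels" rule are assumptions made for the example; a production tool would consult the Public Suffix List instead.

```python
from __future__ import annotations
from urllib.parse import urlsplit
import ipaddress


def real_host(url: str) -> str:
    """Host the browser will actually connect to for this URL.

    urlsplit() discards any 'user:password@' prefix, so the classic
    trick  http://www.ebay.com@crooks-r-us.com/  comes back as
    'crooks-r-us.com', not 'www.ebay.com'.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """The part of the host name its owner actually registered.

    Simplification (assumption): the last two labels, so that
    'ebay.com.crooks-r-us.com' reduces to 'crooks-r-us.com'. A real
    tool uses the Public Suffix List so 'ebay.co.uk' is not cut down
    to 'co.uk'. Numeric hosts are returned unchanged; a bank that sends
    you to a bare IP address is a warning sign by itself.
    """
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href: str, expected_domain: str) -> tuple[bool, str]:
    """Return (reached_the_expected_domain, domain_actually_reached)."""
    reached = registrable_domain(real_host(href))
    return reached == expected_domain.lower(), reached


def link_text_mismatch(visible_text: str, href: str) -> bool:
    """True when a link's visible text is itself an address that points
    somewhere other than the link's real target, e.g.
    <a href="http://crooks-r-us.com/x">http://www.ebay.com/signin</a>.
    Plain words such as 'click here' cannot mismatch and return False.
    """
    text = visible_text.strip()
    if "://" not in text:
        text = "http://" + text
    shown = registrable_domain(real_host(text))
    if "." not in shown:
        return False
    return shown != registrable_domain(real_host(href))


if __name__ == "__main__":
    # Constructed links, modelled on the tricks described above.
    for href in ("http://www.ebay.com@crooks-r-us.com/signin",
                 "http://ebay.com.crooks-r-us.com/",
                 "http://192.0.2.10/ebay/",
                 "https://signin.ebay.com/ws/eBayISAPI.dll"):
        ok, reached = check_link(href, "ebay.com")
        print(f"{'OK     ' if ok else 'WARNING'} {reached:<18} {href}")
```

The first function is the whole of what the toolbar adds: the browser already knows the true host, the user just never sees it. Everything after that is the judgment Libin says the software cannot supply for you.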

For now, the best defense is common sense. If you get an e-mail warning you that your bank account or credit card has been compromised, don't click the link; phone the company and ask, using the number printed on your card or statement rather than one supplied in the message. If it's a scam, let the company know it's being phished: It will contact the right authorities. Or you could go to the Federal Trade Commission website at www.ftc.gov and file a complaint.

But how is this good news in the fight against spam? It's obvious, really. The old-style spammers only made life difficult for Internet users and service providers. The phishermen are messing with the real big boys -- the nation's banks and credit card companies. Phishing could cost them billions, and scare consumers away from Internet commerce altogether. ''The banks and the big e-commerce companies are desperate for a solution," said Dave Jevans, chairman of APWG. And desperation backed by money is a powerful thing.

The ultimate solution is known to all. What's needed is a revision of basic e-mail protocols so that a receiving mail server can verify that a message claiming to come from, say, citibank.com really was sent by Citibank's own servers. Trouble is, nobody has decided among three possible techniques. Microsoft Corp. has one plan (Caller ID for E-Mail), Yahoo Inc. has another (DomainKeys), and the Internet Engineering Task Force has a third.

Still, some very rich, powerful people want action, and soon. A standard will probably be settled upon within a year or so. It may take another year for it to be implemented. After that, the phisherfolk will be doomed. The spammers too, because most spammers also fake the sources of their messages, and the new system will make that almost impossible.
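As an added example (not code from any of the proposals the column mentions), here is the core of the address-based approach taken by Microsoft's plan and by the SPF scheme before the IETF: the domain in the sender's address publishes in DNS the addresses its mail servers send from, and the receiving server checks the address that actually connected against that list. (Yahoo's DomainKeys instead signs each message with a key published in DNS.) The DNS records and addresses below are constructed for illustration and the resolver is a dictionary; a real check does live lookups and handles more mechanisms (a, mx, exists, redirect). The last case in the test shows the limit that remains even once such a standard is deployed: a crook who registers a lookalike domain and publishes a record for it passes the check for that domain, so the reader still has to notice that bigbank-secure.example is not bigbank.example.

```python
import ipaddress

# Constructed TXT records standing in for DNS (assumption: nothing here is real).
DNS_TXT = {
    "bigbank.example":        "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example":         "v=spf1 ip4:198.51.100.10 -all",
    # A lookalike domain the crook registered and configured correctly for himself.
    "bigbank-secure.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender_domain(client_ip: str, domain: str, depth: int = 0) -> str:
    """SPF-style evaluation: may client_ip send mail for domain?

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no policy
    published) or 'permerror' (a policy this toy cannot evaluate).
    """
    if depth > 10:                        # cap include: recursion
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # An IPv6 client never matches an ip4: network.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the other domain's policy says 'pass'.
            matched = check_sender_domain(client_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"            # a, mx, ptr, exists, redirect= not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and no 'all' term


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address such as alerts@bigbank.example."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate_session(client_ip: str, mail_from: str) -> str:
    """Verdict for one SMTP session: the sender's domain policy checked
    against the address that actually opened the connection."""
    return check_sender_domain(client_ip, sender_domain(mail_from))


if __name__ == "__main__":
    # Constructed sessions: a real bank mailing, a forgery, and the lookalike.
    for ip, sender in (("203.0.113.5", "alerts@bigbank.example"),
                       ("192.0.2.77", "security@bigbank.example"),
                       ("192.0.2.77", "security@bigbank-secure.example")):
        print(f"{evaluate_session(ip, sender):<8} {ip:<14} {sender}")
```

Note what the check proves and what it does not: that the connecting server is one the named domain authorised, nothing about whether that domain is the one you bank with.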

By inventing a new form of spam, more costly and dangerous than any before it, the phishers have made the effort to clean up the Net more urgent than ever. If I knew their real e-mail addresses, I'd write and thank them.

Hiawatha Bray can be reached at bray@globe.com.
