New laws yet to slow down ‘phishing’


Staff Writer

It’s been six months since Gov. Schwarzenegger signed the state’s anti-phishing law, but it doesn’t seem to be working.

Oliver Friedrichs, director of emerging technologies for Symantec Security Response, reports he currently tracks 7.9 million phishing emails a day, an increase of 39 percent from 2005. Symantec Security is a unit of Symantec Corp. (SYMC), seller of the popular Norton security software.

Phishing is a form of fictitious solicitation, typically in e-mail, with the intent of getting people to divulge sensitive information, commonly personal and financial. Most phishing e-mails are made to look like they come from an official institution, directing users to a Web site that is designed to steal user names and passwords. The term phishing was coined by crackers, people who engage in illegal system or software cracking, referring to fishing for information.

The Anti-Phishing Act allows victims to sue for the amount of damages incurred or $500,000, whichever is greater. The problem, according to Craig Cardon, a partner specializing in intellectual property and advertising with the law firm Sheppard, Mullin, Richter & Hampton LLP in San Francisco, is that phishers operate too far underground.

“It’s rare that you’ll find the person who sent you the phishing e-mail or they won’t have the money to pay damages and if they do, they’re set up offshore,” he said. “The anti-phishing law is really symbolic.”

“It’s outright theft,” Friedrichs agrees. “When you compare it to spam, spam is trying to entice you to buy a legitimate service. Phishing would be more like breaking into your house and actually stealing jewelry as opposed to knocking on your door and trying to sell you something.”

Most phishing attempts come from Asia and Eastern Europe, which makes them that much harder to prosecute. Experts worry that phishers are constantly one step ahead of the security industry. At the RSA Conference 2006, Microsoft Corp. (MSFT) Chairman Bill Gates addressed this cat-and-mouse chase: “For every improvement we make, they look for our vulnerabilities,” he said.

The two most commonly phished sites are PayPal and its parent, eBay Inc. (EBAY), the online auction house. Amanda Pires, a PayPal representative, said it’s due to the high volume of customers with financial information on their accounts.

“We have a dedicated team that focuses on this problem,” she said. “Often if the fake Web site is in the U.S., we can get it pulled down in two hours.”

Phishers, whoever they are, are culturally keen people. Experts warn of IRS scams now that taxes have been filed, and Hiep Dang, director of threat research and engineering with Aluria Software, recently discovered a scam involving the popular social Web site, MySpace.

“It sends users to a fake MySpace account and they take their password, hoping that most people use the same username and password for other accounts and try them to get information about banking, credit cards, etc.,” Dang explained.

It is suggested users create various usernames for various accounts and change passwords frequently. It may be arduous to remember so much information but it is more arduous to regain your financial identity if you fall victim to these scams.

Henry Isaacs, an agent with Geek Squad, a computer support company, had a customer in Pacific Heights who had a keystroke-logging system unknowingly installed onto her computer. The system recorded all of her keystrokes and sent them to phishers, who were able to ascertain her username and password to an ING Direct bank account.

“She called ING and someone had closed her accounts,” Isaacs said. “She had almost $2 million in investments in there but luckily ING holds payments for a week or two and they stopped the check.”

Isaacs said users should never follow a link from an e-mail and pretty much never expect to receive an e-mail asking for information from any credible institution.

Just as with online pornography, there are organizations such asthe Anti Phishing Working Group that work to prevent, find and prosecute phishing. One popular technique is creating a “honeypot.”

“A honeypot is when you set up a site that you hope phishers come to and you collect information about who they are to shut them down,” explained Marc Barach with Ingenio, San Francisco, which links Internet customers with businesses via telephone. “Some people also call that a sting.”