Since the popularization of e-mail in the 1990s, data thieves have been using the technology to pursue the gullible and the stupid. One of their most successful strategies is a fraudulent impersonation technique called "phishing" -- the term first appeared in 1996, a variant of "fishing" that refers to illegal "phone phreaks" of a generation ago.
When it works, phishing tricks people into surrendering confidential information. The operation is cheap and nearly effortless. Phishers acquire a list of several million names and send the same e-mail to all of them, correctly anticipating that a few will bite. But lately the Internet underworld has grown more sophisticated. Ambitious phishers are now hunting big game, like major corporations, and they think they know how to bag them.
Over several years, most of us have received messages claiming to be written by people who offer to pay us large sums of money for our routine help with a bank withdrawal. "I am a Liberian and was the personal aide to our former president, Mr. Charles Taylor." "I am Mr. Andrew Wolley, a member of The U.S. Agency for International Development." "I am Mr. Ching Wong, credit officer of Green Trust Bank here in Hong Kong."
Usually, these scam e-mails inform us that some corrupt despot has stored millions of dollars in a bank but can't get at it, perhaps because he's dead. By complying with a few formalities, we can pick up the cash and take a fifth or a quarter of it for our trouble. Meanwhile, they want our bank account, credit card and maybe passport numbers. Just routine.
Like old-time con men, the common phisher appeals to the sliver of criminality lurking in every soul. Mr. Larry Williams, personal attorney to Mr. Chang P. Lee, a businessman in London, e-mails me to say that Mr. Lee and his family died three years ago in a car accident, leaving US$6.5-million with Credit Suisse First Boston. Mr. Williams claims to "have made several restless attempts" to locate relatives of the deceased, to no avail. The bank threatens to confiscate the money unless a relative turns up within 14 working days. If I claim to be next of kin, I can keep 30% of the loot. Meanwhile, would I please send Mr. Williams my bank numbers …
Through this system, the worldwide army of phishers (phishermen? phisherfolk?) pulls in confidential numbers that they can sell to criminals who use them in identity-theft scams. But the racket has grown so popular that new phishers are driving down the profits. Today, credit-card numbers sell for as little as 40¢ apiece, and even a person's bank-account data may go for just $10.
Stephen Trilling, vice-president of Symantec Security, wrote recently that "a robust, large and financially strong underground economy has grown up to buy, sell and trade in stolen IDs and information." But good marketing practice means the product needs to improve. Phishers have responded. Many have stopped claiming to be the former personal assistants of dictators. Instead they impersonate banks, government departments, universities and hospitals. As Trilling put it: "Avoiding the dark alleys of the Internet was sufficient in years past." Not any more. Just as in legitimate business, competition demands that phishers become more imaginative, dangerous and potentially effective.
Mr. Ching Wong in Hong Kong still wants to make us rich, but he's been joined by more ingenious grifters who target specific people and institutions, a form of customized criminality called "spear phishing."
I caught a glimpse of spear phishing when the Internal Revenue Service e-mailed me the pleasant news that I had a refund coming, $134.80, a figure big enough to claim but not big enough to raise alarms. The IRS said it would send the money to my credit or debit card as soon as I provided the numbers. The IRS naturally wanted to guard against identity theft, so it cautioned me to close my browser after finishing, "for security reasons."
As it happens, I don't pay tax in the U.S. and therefore wasn't entitled to a refund. I didn't respond. Had I clicked on the designated line, I would have been taken to a bogus Web site, typographically just like the IRS site, where I could fill in a form with more personal data.
Around the same time, a couple of months ago, I was introduced to more serious spear-phishers. The TD Canada Trust green logo appeared on my screen, looking totally authentic. The message told me that to keep my account alive I had to fill in, right away, my bank card PIN and other data, for checking purposes. Instead I phoned the bank, where someone told me the institution would never, ever ask for information by e-mail.
This con relies on fear instead of greed. Phishers also use terror. Thousands of senior corporate executives in the United States recently received e-mail messages that looked like subpoenas from the U.S. District Court in San Diego. These spears were hurled with more precision, each to a specific executive by name, commanding him or her to appear before a grand jury in a civil case. To read the entire subpoena, the executive had to click on a certain line. But doing so would admit "Trojan-horse" software that would capture his password and disclose both personal and corporate information.
At that point, phishing becomes industrial espionage. Sold to a competitor, the data could bring a handsome price. Security people call this electronic terrorism "whaling."
While some digital crooks reach for the stars, multitudes of them continue to troll for more modest returns. I was recently skimmed as well as phished. At my bank, the ATM, instead of spitting out the $100 I asked for, replied that I had already used most of my daily limit. It turned out that some stranger, somewhere, had made six withdrawals earlier in the day, all of them in non-Canadian currency.
How did it happen? A helpful bank employee (who covered the losses while issuing a new card with a new PIN) explained that this was "skimming." An ATM somewhere had recorded the data on my magnetic card while photographing my fingers as I entered my PIN.
But, I pointed out, my only ATM withdrawals in the previous four months had been from the bank itself. The woman explained further that the crooks keep the information for months before using it. If I withdrew from one corrupted local store's ATM, and the theft was discovered three days later, I'd be able to say precisely where it happened -- and maybe the police could find the hidden skimmer who stole my data. Hearing this, I remembered getting £100 from an ATM last October in Leeds, Yorkshire. I can't remember the store's name or precise location.
Recently, spear phishers have targeted universities. They have attacked some 90 university systems, including the University of Toronto's. Two weeks ago, they sent carefully targeted e-mails to many of the 100,000 or so people served by the UTORmail system. The e-mails claimed to be sent from within the university's own system, as part of a checking process. Apparently, one recipient, working in a university hospital, fell for it and gave up a password.
One is plenty. When I interviewed Alex Nishri, the university's supervisor of network services, he stated the problem: "All it takes is one person to reply and I'm doomed."
Once admitted, the cyber-crooks could sell the password to anyone wanting cheap use of university services or access to university secrets. And right away the phishers sent some three million spam messages around the world, using U of T as a base, employing the university's code to elude spam-detecting systems. They poured out the spam from Toronto with such speed that other systems caught on and began blocking anything from U of T. Since there's no supreme court in cyberspace to which you can appeal, U of T, after fixing the problem, had to get in touch with all the systems that had blocked its messages, explaining that the crisis was over.
Nishri has grown philosophical about phishing. He regards phishers as criminals, and he's resigned to spending much of his career in cyber-enforcement, countering their cleverness with his.
There was always a romantic element in the old-time con man. He needed raffish charm and a natural storyteller's skill. But online crooks have no comparable appeal; a certain creepiness accompanies their schemes.
I find it uncomfortable to think that this wonderful machine on my desk, which has done so much for me over 15 years, has become a window that will admit burglars if I'm not careful. Most of us, pre-Internet, seldom met a con man except in movies. Now, some of us hear from a con artist several times a day.
Inevitably, that changes us. It makes us more suspicious, and makes a cheerful view of humanity even harder to sustain than in the past. Worse, we know there are people who express their free-floating malice by sending out viruses just for fun.
We have to understand that gullibility is the best friend of the phishers, automatic skepticism their enemy. As Nishri wrote to departments across the University of Toronto last week, "NEVER reply to any e-mail message with your password! Even if the request comes from a trustworthy source. Even if the request comes from me :-)."