D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: PHISHING

Phishing (simply pronounced “fishing”, in fine hacker tradition) is a fairly new term for a technique that is becoming increasingly common for aspiring ID criminals. The core concept of phishing is simple and effective, based on common methods of social engineering: victims are approached in a manner that superficially seems trustworthy, and are simply asked to hand over sensitive data. The etymology of the expression is immediately clear: perpetrators are metaphorically “fishing” for data the victim is willing to hand over.

As such, phishing has a longstanding offline tradition. The easiest way to gain access to confidential information is not to steal it, but to simply ask for it. With a small amount of social manipulation (e.g. presenting one’s self as part of the IT maintenance department) a surprisingly large number of victims appears to throw all caution in the wind. The reason why phishing has recently garnered so much attention is because of a new trend: combining phishing with mass e-mail sending (similar to spamming activities), and relying on the pure size of the victim base to ensure a good return on this scam.

A simple example: assuming that a scammer sends out one million e-mails per day, and has a reply rate of 1%, and only 1% of those replies yields useful information, then the result is still 100 willing victims. Merely using the information to shift €100 from their bank accounts means a daily return of €10.000. Some of these numbers may seem high at first sight, but consider that top spammers have been shown to send out up to 10 million e-mails on peak days, and claim a reply rate between 3 and 5 %, and suddenly the estimate appears a great deal more modest. It should come as no surprise that Tower Group research estimated phishing damages to amount to 120 million € in 2004, and rising rapidly. Considering the dark number problem, criminal profits in this type of crime are nothing short of staggering.

Financial institutions are obviously particularly attractive targets for this type of scam, as the requested information permits the direct transfer of funds to an account abroad. To make the scam mails particularly believable, they typically rely on emulating existing and reputable brand names to the greatest possible extent. As an example, we will take a closer look at a typical recent phishing e-mail, pretending to be originating from Citibank. It appeared as shown in figure 2.

Figure . Phishing example impersonating CitiBank.

The e-mail uses the following tricks to mask its intent: 

• Abuse of the Citibank logo and trademark to establish or promote trust. 

• Warning of dangers of identity theft, thus appearing to have good intentions. It also prompts the user to act quickly, as his account may otherwise be temporarily suspended. 

• A warning not to reply to the e-mail “as it is an unmonitored alias”; in reality the reason is of course that the sender’s e-mail address was spoofed and would result in an error, thus giving the scam away. 

• The entire text was included in a graphic file, rather than as actual text. In this way, the scam could not easily be detected by software filters that only rely on text analysis. 

• The indicated link was obviously also part of the image file; in fact, clicking anywhere on the text (i.e. the graphic file) would have resulted in the victim visiting the forged website, where he would be asked for his bank account credentials. 

• The link itself led to a site that was hosted on a private user’s computer, who was in all likelihood unaware that his system was being abused for this purpose. This method offers greater anonymity for the scammer, whose system is never directly connected to his victims.

• If the mail had only contained the graphic file, certain software filters might still identify it as a scam mail. For this reason, it contained one line of randomly generated text in a white colour. This text was invisible to any human reader (as it was displayed on a white background), but it would have been perfectly legible to a software filter. 

From a European perspective, this type of scam violates a number of regulations, such as:

• A number of offences in the European Council’s Cybercrime convention, such as illegal access (when a third party’s system is hacked to display the phishing site), computer-related forgery (the actual e-mail itself) and computer-related fraud (by using the stolen data to assume the victim’s identity).

• The data protection directives, to the extent that harvesting and abusing the victim’s personal data constitutes illegal processing.

• Intellectual property regulations, to the extent that the name or trademark of an unrelated organisation is abused for criminal purposes. On a European scale these problems are governed by a number of regulations including the Berne Convention and the directive on Copyright in the information society.

Obviously, phishing will also violate national transpositions and related regulations in the national law systems of the Member States.