CNN.com Experts: 'Phishing More Sophisticated'
By Walter E. Stewart, Jr., Executive Vice President and Chief Operating Officer
Legal Mutual Liability Insurance Society of Maryland

No sooner had Legal Mutual released its Winter 2005 edition of “The Solicitor” with the article “IDENTITY THEFT: Fishing is Legal, Phishing is Not” than it received an article from CNN.com™ entitled “Experts: ‘Phishing’ more sophisticated.”

Legal Mutual was unable to obtain permission from Reuters to reprint the article in its entirety in time for our release date; however, the high points of the article are summarized as follows:

  • Internet “phishing” scams are becoming more difficult to detect as criminals develop new ways to trick consumers into revealing passwords, bank account numbers and other sensitive information.
  • Scam artists posed as banks and other legitimate businesses in thousands of phishing attacks last year, sending out millions of “spam” e-mails with subject lines like “account update needed” that pointed to fraudulent Web sites. These attacks now increasingly use worms and spyware to divert consumers to fraudulent sites without their knowledge.
  • If you think of phishers initially as petty thieves, now they’re more like an organized crime unit.
  • Phishing attacks reached an estimated 57 million U.S. adults and compromised at least 122 well-known brands so far.  At the end of 2004 almost half of these attacks contained some sort of spyware or other malicious code.
  • One type of attack misdirects Web surfers by modifying a little-known directory in Microsoft Windows machines called a host file.  When an Internet user types a Web address into a browser, they are directed instead to a fraudulent site.
  • Another type of attack targets the domain-name servers that match domain names with the numerical addresses given to each computer on the Internet. If one of those computers is compromised, Internet users who type in a legitimate Web site address could be directed to a look-alike site run by identity thieves. Domain-name servers are tougher to crack, but it can be done by dedicated hackers.
  • Scam artists are getting more and more sophisticated and now commonly include legitimate-looking links within their Web addresses. Consumers who click on what appears to be a legitimate link in these messages are directed to a fraudulent Web address buried in the message’s technical code.
  • It was reported that MasterCard International has caught at least 10 phishing scams involving www.mastercard.com over the past two months.
  • It was suggested that Internet engineers should also figure out a way to authenticate Web addresses, much as they are currently figuring out how to make sure e-mail addresses are legitimate.
  • One expert felt the convergence of all of these threats means we can expect to see some large attacks in the near term.

Most of the information contained in this article was reported in our previous “phishing” article in the Winter 2005 issue of “The Solicitor”; however, the CNN.com™ article certainly corroborates our article. You can protect yourself with software that screens out viruses, spyware and spam, and with firewalls; however, businesses, especially on-line businesses, will have to take serious steps to further protect themselves.
