A recent press release from the Canadian Bankers Association (CBA) and the RCMP warning Canadians to be cautious of unsolicited e-mail appears to be well timed as statistics show the number of phishing sites is increasing.
In the first months of 2005 there was a 60 per cent increase in the number of active reported phishing sites compared to the last months of 2004, according to statistics from the Anti-Phishing Working Group. In March 2005 there were 2870 reported Web sites actively harvesting unsuspecting users’ personal information.
But there is a silver lining. Though there has been a noticeable increase in the number of phishing attacks during the past six months, success rates are down, according to a source (who requested anonymity) at a major Canadian bank. Though he would not divulge the specifics of the attacks, he did say the scams are often run locally. “When they come in to get the money, they are right here in Canada,” he said, even if the Web site is hosted elsewhere. “And we’ve had [the scams hosted] all over the place…from the Philippines to Korea to Germany.”
The monetary losses to Canadian banks are apparently small when compared to credit card fraud. Last year Canadian financial institutions wrote off $163.18 million in fraud, according to statistics on the CBA Web site.
A fraud investigator (who also requested anonymity) said a contact at one of the major banks recently claimed that it is losing about $100,000 a month to phishing scams, and that most of the loss is due to the cost of labour to track, monitor and shut down sites and accounts rather than actual money being removed from accounts.
Robert Garigue, the chief information security officer with BMO Financial Group, concurred that the numbers are comparatively small. “I haven’t seen any of that aggregation (of total losses) but honestly it is still very much small in comparison to some of the other activities around fraud.”
The bigger complaint for the bank employee is with some ISPs. Many ISPs are very helpful, he said. “In a good case we have [a phishing site] shut down in 15 minutes.” But that is not always the case. He had some particularly scathing remarks for large American ISPs. “The ISPs in the U.S. are not very co-operative because they are so big and they do have a lot of complaints…so when you call in they tell you to call the abuse department.” This can take hours and occasionally phishing sites remain live for 12 or more hours before they are shut down.
The fraud investigator said phishers know this so they host phishing sites with ISPs that are known to be slow to respond to shutdown requests.
BMO’s Garigue said phishing attacks are evolutionary in nature. “It is a normal process by which adaptation occurs, and it occurs on both sides of the fence,” he said. And the technology being used on the banking side is quickly improving. “There are a lot more alerts, a lot more statistical analysis, predictive models, et cetera, that counterpoints what the phishers are doing,” he said.
For example, the banks use very advanced rule sets, the fraud investigator said. The triggers are often less about money leaving accounts than money entering one. If an account sees a lot of deposits coming from a wide array of IP addresses for a maximum transfer amount right after a phishing e-mail has been launched, there is a chance the account is involved, he said. The banks work together closely to monitor such activity, he added.
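The rule the investigator describes (many deposits, each at the per-transfer maximum, arriving from many different source IPs in the hours after a phishing mailing) is straightforward to express as a detection over a transfer log. The following is an added example written for this page, not code from any bank or from the article's sources; the transfer limit, the time window, the account numbers and the transfer records are all constructed for illustration.

```python
"""Flag candidate mule accounts: many max-amount deposits from many source IPs
shortly after a phishing campaign.  Illustrative code; all data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-transfer maximum, in cents (an assumption, not a figure from the article).
MAX_TRANSFER_CENTS = 100_000  # $1,000.00

# Constructed transfer log: (timestamp, destination account, source IP, amount in cents).
SAMPLE_TRANSFERS = [
    # Suspected mule account: five max-amount deposits from five unrelated addresses
    ("2005-03-10 09:05:00", "ACC-7781", "203.0.113.5",   100_000),
    ("2005-03-10 09:07:00", "ACC-7781", "198.51.100.9",  100_000),
    ("2005-03-10 09:12:00", "ACC-7781", "192.0.2.44",    100_000),
    ("2005-03-10 09:40:00", "ACC-7781", "203.0.113.77",  100_000),
    ("2005-03-10 10:15:00", "ACC-7781", "198.51.100.3",  100_000),
    # Legitimate business account: several deposits, but one source IP and mixed amounts
    ("2005-03-10 09:30:00", "ACC-1200", "203.0.113.10",  152_340),
    ("2005-03-10 09:31:00", "ACC-1200", "203.0.113.10",  100_000),
    ("2005-03-10 09:32:00", "ACC-1200", "203.0.113.10",   87_000),
    # Max-amount deposit from the evening before: outside the campaign window
    ("2005-03-09 17:00:00", "ACC-5550", "192.0.2.1",     100_000),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def flag_possible_mule_accounts(transfers, campaign_start, window_hours=6,
                                max_amount=MAX_TRANSFER_CENTS, min_sources=3):
    """Return {account: sorted source IPs} for accounts that received max-amount
    deposits from at least `min_sources` distinct IPs within `window_hours`
    of the phishing mailing at `campaign_start`."""
    start = parse_ts(campaign_start)
    end = start + timedelta(hours=window_hours)
    sources = defaultdict(set)  # destination account -> distinct source IPs
    for ts, account, src_ip, amount in transfers:
        when = parse_ts(ts)
        if not (start <= when <= end):
            continue  # deposit predates the campaign or falls after the window
        if amount != max_amount:
            continue  # only the "drain the limit" pattern counts toward the rule
        sources[account].add(src_ip)
    return {acct: sorted(ips) for acct, ips in sources.items()
            if len(ips) >= min_sources}


if __name__ == "__main__":
    for acct, ips in flag_possible_mule_accounts(SAMPLE_TRANSFERS, "2005-03-10 09:00:00").items():
        print(f"{acct}: {len(ips)} max-amount deposits from distinct IPs -> review/freeze")
```

In practice the campaign start would come from the first customer report or abuse-mailbox sighting of the phishing e-mail, and the threshold on distinct sources would be tuned against the bank's own base rate of legitimate high-value incoming transfers; the point is that the inbound side is what gives the mule account away, as the investigator notes.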
Garigue had a warning for those companies that think they are immune to phishing. “Anybody who has a trust mechanism can be subject to phishing, so it isn’t just one sector, it is pretty much across all sectors,” he said. “They don’t just target financial institutions.”
The CBA is also lobbying legislators to change laws, largely seen as ineffective, said Maura Drew-Lytle, senior manager of media relations. “Right now identity theft itself, and phishing is a form of identity theft, is technically not illegal,” she said. The CBA would like it to be illegal for an unauthorized source to possess personal information, she said.
With phishing defences improving, the next war may be on pharming, where thieves get unsuspecting individuals (or corporations) to download programs that take control of a host machine and silently redirect its Internet traffic to a look-alike site. When an individual types in a URL, the host name is translated to an IP address, normally by a DNS lookup after the machine has consulted its own local hosts file. By taking over that local machine (for example by editing its hosts file), or even an ISP's DNS server, a pharmer could redirect traffic to a counterfeit site and steal personal information unbeknownst to the individual, with the genuine address still showing in the browser.
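One concrete check for the local-machine variant of pharming is to audit the hosts file for entries that pin a bank's host names to a fixed address, since a legitimate bank address belongs in DNS, not in a static file. The following is an added example written for this page, not code from the article or from any vendor; the hosts-file contents, the bank domain and the address are all constructed for illustration.

```python
"""Audit a hosts file for overrides of watched (e.g. bank) host names.
Illustrative code; the sample file contents and domains are constructed."""
import ipaddress

# Constructed hosts-file contents, as a pharming trojan might leave them.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.example.com
not-an-address  broken.example.com
# Added by attacker: bank host names pointed at a look-alike server
198.51.100.23   www.examplebank.ca examplebank.ca   # looks harmless
"""

# Hypothetical domains to watch; a real deployment would list the institution's own names.
WATCHED_DOMAINS = {"examplebank.ca"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Handles comments, blank lines, several names per line, IPv4 and IPv6,
    and skips lines whose first field is not a valid address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field: not a usable mapping
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def find_hosts_overrides(text, watched):
    """Return {hostname: ip} for every hosts-file entry that maps a watched
    domain, or any subdomain of one, to a fixed address.  Any hit is
    suspicious regardless of the address it points to."""
    watched = {w.lower().rstrip(".") for w in watched}
    hits = {}
    for ip, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            hits[name] = ip
    return hits


if __name__ == "__main__":
    for name, ip in find_hosts_overrides(SAMPLE_HOSTS, WATCHED_DOMAINS).items():
        print(f"hosts-file override: {name} -> {ip}")
```

To run it against a real machine, read `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts` on Windows) into `text`; the same approach does nothing for the ISP-resolver variant, which would show up instead as a disagreement between the address a trusted resolver returns and the one the local resolver returns.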
But Tom Copeland, chairman of the Canadian Association of Internet Providers and the owner of an ISP, isn’t overly concerned with pharming per se. “If somebody were to gain access to my server at that level, certainly redirecting traffic is one thing that they can do, but at that level they have the power of God; they can remove data, period, and shut me down.”
Lance Cottrell, president of San Diego-based Anonymizer Inc., said awareness is key to avoid security pitfalls. “Companies need to stay on top of the security working groups to see what are the new threats coming down the pipe.”