Phishing Isn’t Fishing

May 1, 2008

The information available through search engines and other cyber sources have enhanced the prowess of the phishing criminal by making profiled lists of targets available.

One of the biggest dangers to cyber safety is Internet users who voluntarily and unwittingly give away personal information. Specifically, there is a community of Internet pirates who elicit Internet users into divulging personal information, which is in turn used to commit some form of cyber crime against the users.

These pirates, who are also known as “phishers,” purposefully and fraudulently misrepresent themselves as some legitimate entity when in fact they are not. Under the umbrella of the purportedly legitimate entity, the phishers induce the users into opening a gateway for extracting information from the users, which the phisers utilize for fraudulent purposes. While phishers are not new to the Internet, what is new is the phishers’ extensive ability to permeate the personal lives of Internet users.

Phishing criminals are scam artists. Just as in the non-cyber world, the cyber criminals who are the most effective are those who convince their victims of the legitimacy or authenticity of something that is not legitimate or authentic. Historically, phishers predominantly use e-mail as their conduit for perpetrating fraud. To elaborate phishers, unbeknownst to e-mail recipients, use e-mails to induce users into opening the proverbial “Pandora’s Box.”

These e-mail addresses are often harvested using illegitimate means such as spyware and programs that trawl Web pages to capture addresses. While this use of trawling is not new, the ability of phishers to attach themselves to historically inert search engines is. Specifically, the phishing criminal has evolved. In earlier times, this sort of crime was literally a fishing expedition. Unfortunately, the information available through search engines and other cyber sources have enhanced the prowess of the phishing criminal by making profiled lists of targets available, albeit illicitly. In other words, unlike in the past, phishers can break into sites that legitimately store personal information and then can extract what is needed for mass exploitation.

Thus, euphemistically speaking, phishers are now able to steal the whole phone book as opposed to just a single phone number. As such, the modern phishers have all the bait they need to capture the user without having to conduct a fishing expedition. (The phishers’ acts victimize not only individuals but also legitimate businesses.)

The reality is that the preventative safeguards that exist for this type of crime are anemic. The reason for this is primarily threefold. First, as of now, from a legal standpoint, phishing is a crime that is regarded as something less than and distinct from its common law counterpart. Specifically, the common law criminal act is better understood and more historically dealt with than the modern cyber criminal act. As the reader well knows, the legislature continually struggles with defining and punishing criminal acts associated with Internet usage. Second, phishing is an act that can be perpetuated from foreign countries and through many layers or barriers of encrypting platforms to protect the perpetrator.

As such, the criminal justice system is not only uncertain as to how to deal with phishers, but it is also presently unwilling to devote dollars to chase after elusive criminals that either may never be properly identified or may be situated somewhere where extradition is virtually impossible. Third, there is currently no software that is completely capable of filtering data transmission.

Is there an answer to the question as to whether the crime of phishing can be stopped? In today’s reality, given the present levels of prophylactic technology/software, the answer is, probably not effectively. On the other hand, the application of the time tested adages, such as let the buyer beware, remember that if something sounds too good to be true, it probably is, etc., have a lot of merit. Thus, these authors recommend that e-mail solicitations, no matter how credible they appear, should be carefully scrutinized. If you are not sure who an e-mail is from, the safest bet is to delete it. After all, guarding your personal information may translate into guarding your money, property, etc., as well as serve as the best prevention against one’s life becoming chaotic.

References
The Director of Research at SANS, Alan Paller, stated in the Journal of Counter Terrorism & Homeland Security International / Vol. 14, No. 1 magazine that, “their success level, and their ability to evade common defenses, is what’s new.”

Securing Your PC, A Complete Guide To Protecting Your Computer, Page 76 (2007).

Joel Liebesfeld, MA, MAS, is chief executive officer with CounterMeasureSecurity.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.

Security measures today tend to focus on controlling access, albeit with limitations. Many organizations, for example, know how many people have entered a secure location, but not how many have left.

Phishing Isn’t Fishing

Recent Articles by Joel Liebesfeld

Digital Camera Forensics

Proposing a Digital Forensics Grange

Intellectual Property Theft as Blood Sport

Enterprise Theft by Cell Phone

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.