July 20, 2004

"There's a lot of activity in the former Soviet bloc, the Eastern bloc, Latvia and Ukraine," says John Curran, supervisory special agent with the Federal Bureau of Investigation's Internet Crime Complaint Center. "It definitely looks like there are organized groups."

Phishing involves sending fraudulent e-mails that appear to be from a legitimate organization -- such as a bank, credit card company, online merchant or Internet service provider -- asking the recipient to divulge personal and financial information like birth dates, Social Security numbers and PIN codes. Unlucky victims are then subject to identity theft, monetary losses and credit card fraud.

While Curran notes that a broad array of criminals appears to be involved in phishing attacks, ranging from teenagers to grandmothers, the FBI is investigating links to organized crime. So far, Curran hasn't seen any indication that crime syndicates with ties to the Mafia are involved.

The U.S. Secret Service has also noted an increase in organized crime involvement in phishing. At AIT Global's Annual InfoSec Meeting at the United Nations in June, Robert Caltabiano, assistant to the special agent in charge in the New York Field Office of the U.S. Secret Service, pointed to the increasing presence of organized crime in phishing attacks. Although Caltabiano recommended that victims first go to local law enforcement for help, he noted, "With phishing attacks, the information goes global."

The Anti-Phishing Working Group, an industry forum, reported 1,197 unique attacks in May 2004, up from 402 attacks in March. The group defines an attack as one unique e-mail blast. Dan Maier, a spokesperson for the Anti-Phishing Working Group and director of product marketing at Tumbleweed Communications, believes that organized crime participation in phishing has been increasing.

"Early on, it was amateurs," Maier acknowledges. "There is still some level of amateurs doing this, but more and more this looks like the work of professionals. There are a number of attacks against Australian banks that point back to Asian gangs. And we can tell by looking at the nature of some of the attacks, the ones that use common elements and come back to common Web sites, that multiple attacks are linked."

Making matters worse are hacker Web sites such as CarderPlanet.com and ShadowCrew.com that sell phishing starter kits. "There's a whole underground economy of trading credit card information back and forth and the tools for doing credit card fraud," Maier says. The Anti-Phishing Working Group has been working with the U.S. Secret Service and the FBI, but Maier says it has been difficult to prosecute these crimes because many of the attacks originate from foreign countries.

Nevertheless, there have been several successful prosecutions. The Moscow Times reported in May that the U.K.'s National High-Tech Crimes Unit arrested 12 Russian-speaking people who had been recruited by the Russian mafia to participate in a phishing scam. The suspects, who came from Russia, the Baltic republics and Ukraine, set up bank accounts in which money stolen from phishing victims was deposited. The money was later transferred back to syndicate members in Russia or used to buy goods. The suspects had been recruited in Internet chat rooms and through local Russian-language publications in Great Britain.

The New York Times recently reported that authorities in Romania had arrested 100 hackers involved with phishing attacks. The Romanian General Directorate for Combating Organized Crime, working with the Secret Service, arrested one hacker, Dan Marius Stefan, in September 2003. Stefan was convicted of stealing nearly $500,000 through phishing e-mails that claimed to be from eBay. He is now serving 30 months in jail.

Closer to home, the Federal Trade Commission has worked with the Department of Justice and the FBI on filing complaints and prosecuting several individuals, including Zachary Keith Hill, of Houston, Texas, who pleaded guilty in May and was sentenced to 46 months in prison. Hill had been sending e-mails claiming to be from the AOL Billing Center.

"Within the last year, we brought three law enforcement actions against phishers," says Patricia Poss, an attorney with the FTC's Bureau of Consumer Protection. One of these, announced in July 2003, involved a minor in California who was charged with violations of the FTC Act and the Gramm-Leach-Bliley Act. The young phisher was sending out e-mails pretending to be from AOL. "We alleged he was soliciting personal information from consumers. We went to the defendant instead of AOL and reached a settlement," Poss says.

AOL isn't the only Internet service provider that has been a target. EarthLink has also noticed an increase in phishing activity and has been stepping up its enforcement efforts. EarthLink is offering a free downloadable toolbar called the Scam Blocker that prevents customers from accessing Web sites identified as phishing sites. EarthLink partnered with Brightmail and eBay on the initiative.

"We're reducing the number of phishers that a customer would have access to," says David Remick, manager of information security at EarthLink. EarthLink has also been partnering with law enforcement. "We've been working with the FBI and Secret Service and local law enforcement agencies," he added. "We traced back the source, and the majority of phishers are now being hosted overseas. This year, the No. 1 destination is South Korea."

Last year, EarthLink found that the majority of phishing sites were hosted domestically among smaller ISPs, so it built relationships with many of them to prevent phishers, only to see the traffic go overseas. "Based on our contacts within the FBI, they attribute it to organized crime in Eastern Europe and the Asia-Pacific countries," says Remick. "We don't know any success they've had prosecuting these criminals, but based on the increasing sophistication of the Web sites, and based on the language in the e-mails, we've been able to trace patterns and activities. We've got a more professional type of criminal that's leveraging these more sophisticated technologies."

This article originally appeared on July 07, 2004 in SecurityPipeline, part of CMP Media's TechWeb.