
There didn't appear to be anything fishy about the e-mail message that "H.," an Israeli woman whose family lives in the United States, received a few weeks ago. The body of the message - under the well-known logo of Citibank, in which she holds an American bank account - told her in a formal and polite tone that due to a possible attack by hackers on Citibank's computers, H. ought to enter the bank's site and change her user password there - just to be on the safe side. In order to do so, she was told on the impressive-looking Web page that opened when she clicked on the link in the e-mail message, H. would have to type in her user name, her old password and the new password she chose for herself. That's all, just a brief procedure to make sure that her bank account would once again be safe and secure.

But something did not look quite right to H. She has been conducting her business affairs abroad via the Internet for a number of years now, and this was the first time the bank had written to her with a request of this kind. She decided to put off typing in her personal details and waited a few hours until her parents on the east coast woke up so she could call them. She asked her father to call the manager of the Citibank branch to ask him about the message she had received from the bank.

Ten minutes later, H.'s father called her back. "The manager says this is the third 'phishing' expedition the bank has had to deal with this week, and he hopes very much that you didn't reveal any information about your account. He also said you should immediately delete the message you received, and emphasized three times that the bank never sends messages in which it asks for personal details of customers. Any message that requests anything like that is by nature a fraud."

Hook, line and sinker

Without being aware of it, upon receiving the e-mail, H. had joined a growing club of "phishing" victims - the most common form of online fraud in the past year. About 57 million Americans and an unknown number of computer users from around the world have received similar e-mail messages, and millions have fallen for them.

The method is simple: The "phisher," who is also a spammer, mass mails messages that appear to come from well-known and reputable organizations - banks, online shops and pension funds. The messages bear the official symbols of the organization, including the logos and colors identified with the business, and they always contain a link to the organization's "official site," where the unsuspecting surfer is asked to update his personal details. The site to which the link sends him looks exactly like the official site of that organization. Very often, even the Web address that appears in the browser window appears to show that the surfer is indeed on the official site of the organization and can trust it, whereas in fact, what the surfer sees is an image that conceals the real address of the Web page.
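The tell-tale sign in the lure described above is a link whose visible text names the real organization while the underlying address goes somewhere else. The following is an added example, not code from the article or from any bank: a small mail-gateway style check that parses the HTML body of a message and flags links that point at a bare IP address or that mention a trusted brand (here a hypothetical list containing only citibank.com) while leading to a different domain. The sample message is constructed to resemble the one H. received.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brands the recipient actually banks or shops with.
TRUSTED_DOMAINS = {"citibank.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude brand domain: the last two labels (adequate for .com brands)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html_body):
    """Return (href, reason) for every link that does not lead where it claims."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link points at a bare IP address"))
        elif _registrable(host) not in TRUSTED_DOMAINS:
            brands = [d.split(".")[0] for d in TRUSTED_DOMAINS]
            # Brand name shown in the text or buried in the host, but the
            # registrable domain is not the brand's own domain.
            if any(b in text.lower() or b in host for b in brands):
                findings.append((href, f"claims {text!r} but goes to {host}"))
    return findings


# Constructed sample resembling the message described in the article.
SAMPLE = ('<p>Please <a href="http://192.0.2.10/update.php">sign in to citibank.com</a> '
          'and change your password.</p>'
          '<a href="http://citibank.com.example.net/login">www.citibank.com</a>'
          '<a href="https://www.citibank.com/">Citibank home</a>')
```

Running `suspicious_links(SAMPLE)` reports the first two links and passes the genuine one; a real deployment would replace the two-label heuristic with a public-suffix list.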

The scam artist sending the messages works on the assumption that a certain percentage of the people who receive his message are in fact customers of Citibank, Amazon, eBay or some other well-known site, and that of that percentage, a certain amount will believe the message and proceed to surrender their personal details on the dummy site. He only needs to throw out a few nets for the gullible fat fry to swallow the bait.

From the moment they swallow, the sky is the limit. Some of the scam artists sell the user names, passwords, credit card numbers and expiration dates they harvest to other crooks, and some use the information themselves. Unsuspecting Internet surfers discover the fraud only much later. In the best case, they discover their credit card has been charged with purchases they never made. In worse cases, bailiffs may knock at their door one day and tell them they owe hundreds of thousands of dollars. And in the worst case, they may find themselves the target of an FBI or CIA investigation after the personal details fell into the hands of terror suspects that used them unlawfully. Any way you look at it, the burden of proof is on them.

A bigger sea

Ofir Arkin, the chief technologist of Insightix, who earlier helped build the online security system of a large Swiss bank, says that in recent months, not only has there been a sharp increase in the number of phishing attacks on the Web, but the methods are becoming increasingly sophisticated too.

"The most common form of phishing is still by e-mail, but unfortunately, we are seeing scam artists making increasing use of malicious codes."

Last month, for example, the Danish security company Secunia discovered hackers could change a file in the Windows operating system in users' computers. As a result, every time the users type out a certain Internet address, they are sent to a dummy site that looks exactly like the site they want to reach.

Another form of fraud involves taking over the DNS servers that translate the site names people type as letters into the IP addresses computers understand. The results are similar: The surfer who types in a particular Web address reaches a site that looks like the one he planned to get to but in fact operates as a trap. APWG (Anti-Phishing Working Group), a voluntary task group working to stamp out Internet scams and fraud, announced in December that more than 1,700 fictitious Web sites have been found whose only purpose is to fool surfers into surrendering their personal details.

A spokesman for MasterCard recently said at least 10 phishing attempts were carried out last month against holders of the company's credit cards. Citibank, Amazon and eBay have stopped trying to count the number of phishing attacks against their customers. The most recent counterattack involves the use of browser toolbars with databases of known dummy sites that warn the user when one of those sites is visited.

"This phenomenon indirectly impacts negatively on the reputation of all these organizations," says Arkin, "but the main problem is that the phishing expeditions create an atmosphere of hostility and suspicion regarding all Internet commerce. Less savvy surfers that don't even know that phishing exists may simply be deterred from using the Internet if they do hear about it or if they get burned."

Banks and commercial Internet sites, in Israel too, understand the magnitude of the problem and are trying to educate the public and their customers. On Bank Leumi's home page, for example, surfers are instructed "never to reveal their personal password to anyone, even if identified with the bank." Bank Hapoalim's home page also clearly states, "You must never reveal or give your personal password to anyone, even if identified with the Bank. Should you be asked to reveal your personal password, you must refuse. Immediately report the incident to the person in charge of the Online Banking Center."

Although the police unit in charge of international crime says it is "aware of the phenomenon," the person in charge of data security in one of the larger banks in Israel says that to the best of his knowledge, no phishing attempt has been carried out yet in Israel against the customers of Israeli banks. The explanation, he says, is simple enough.

"It is much more profitable for phishers to throw out their net in the American or European markets, because the chances of catching large amounts of credit card numbers, passwords and user names are much higher, because there are many more potential marks there." Nevertheless, he is far from optimistic. "I have no doubt that phishing will reach Israel soon. It's just a matter of time," he says.