Kate Trower never found out who was trying to trick her company's customers into giving up their credit card information, but she did learn about their taste in music.
Trower, a fraud investigator for Atlanta-based Internet service provider EarthLink, chased the "German phishers" for months. The scammers built Web pages designed to look like an EarthLink-affiliated site, then sent e-mails to EarthLink customers, prompting recipients to offer up their private financial data and Internet account passwords. Every time the company shut one site down, another would pop up.
Transcript: Brian Krebs hosted Dave Jevans, chairman of the Anti-Phishing Working Group.
They earned their name by redirecting Web surfers who stumbled onto their half-built pages to the site of a German goth rock band. It may have been nothing more than a paean to their favorite music group, but it also allowed the phishers to keep an inventory of their dormant sites using nothing more than an Internet search engine.
"These guys would... use the rock band redirect to keep tabs on us in a way," Trower said. If the phishers clicked on the Web sites and discovered that they no longer led to the German band, they knew investigators had shut down the sites and were hot on their trail.
Trower's search illustrates the lengths that businesses are going to in order to stop a form of fraud that uses their good names to steal. A 1,200 percent increase in attacks since January has forced the companies not only to redouble their efforts, but to change the way they use the Internet to communicate with their customers, each other and law enforcement officials. Without those changes, experts said, phishing will contribute to an erosion in consumer confidence at a time when online businesses cannot afford the loss.
ISPs are the front-line infantry in the war against phishing. They are responsible for protecting their customers from fraud and making sure no one uses their networks to scam other companies. A year ago, each attack against EarthLink generated about 20,000 customer support calls at an average cost of $127,000 per incident, Trower said. At the time, the company battled approximately three new attacks each week.
Now, thanks in part to investments in technology that can prevent customers from seeing bogus Web sites and e-mails, EarthLink gets around 300 phone calls and spends just under $5,000 per incident. Still, the nation's fourth-largest ISP encounters about 15 new phishing scams a month featuring e-mail that purports to come from its own service. It also remains among the top 10 most-targeted companies.
Web of Deceit
Phishers now focus almost exclusively on banks and online shopping sites. During the past 10 months, nearly 60 percent of their attacks targeted Citibank or US Bank, according to the Anti-Phishing Working Group. EarthLink and America Online are the targets for about 3 percent of the scams.
Phishers profit by stealing personal financial information and teaming up with international criminal syndicates that include computer hackers, virus writers and identity thieves. Working together, they fence the stolen data and cover their tracks by routing their e-mails and Web sites through multiple Internet hosts.
Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, said the hosts include home computers that have been infected with worms or viruses configured to relay spam. In other cases, the attackers break into unprotected PCs and install Web servers that run phishing sites off hijacked computers. The majority of those hosts are located in the United States, China, Taiwan, Korea and Russia, according to Websense, an Internet security firm in San Diego.