A current type of electronic scam uses an e-mail spoof (a deceptive e-mail message) and a fraudulent web site designed to fool consumers into divulging personal financial data such as credit card numbers, bank account information, user names and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, on-line retailers and credit card companies, Internet scammers are able to convince up to 5% of recipients to respond to them. In essence, these scammers are fishing for sensitive information, hoping that consumers will be duped into providing it. The term phishing has been coined to describe this type of scam.
In a phishing scam, the scammer sends an e-mail message that claims to be from a business or organization that you normally deal with, for example, your Internet service provider, bank, on-line payment service, or even a government agency. The message usually says that you need to “update” or “validate” your account information. It might threaten some consequence if you do not respond. The message directs you to a spurious web site that looks just like a legitimate web site. The purpose of the spurious web site is to trick you into divulging your personal information so that the scam operators can steal your identity and run up bills or commit crimes in your name. There is no effective approach or product to either identify or block unknown phishing e-mail messages in the current market.
FIG. 1 is an example of an actual phishing e-mail message. Table 1 below summarizes the content of the phishing e-mail message.
TABLE 1
Subject                      Regarding Your XYZBank ATM Card
Target                       XYZBank customers
Format                       HTML e-mail
Apparent Sender              XYZ Identity Theft Solutions [support@xyzbank.com]
From the Real Organization?  No.
Call to Action               “In order to safeguard your account, we require that you update your XYZBank ATM/Debit card PIN . . . This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension.”
Goal                         Getting victim's XYZBank credit card and bank account numbers, and credit card PIN.
Call to Action Format        URL Hyperlink
Visible URL                  https://www.xyzbank.com/signin/xyzfi/scripts/login2/update_pin.jsp
Actual URL                   http://61.128.198.62/Verify/
Spurious Web Site            Located at: 61.128.198.62
If one were to perform a right click on the phishing e-mail message and select “View Source” in the menu, the following would be visible as part of the source code:
<a href=http://61.128.198.62/Verify/>https://www.xyzbank.com/signin/xyzfi/scripts/login2/update_pin.jsp</a><br>
This code indicates that the actual address to which the consumer will be directed is the IP address “61.128.198.62,” instead of the domain name www.xyzbank.com that is shown on the face of the e-mail message. The problem is that most consumers will never check this source code. Once a consumer clicks on the spurious URL link, two browsers are created that have the appearance of an official XYZBank web site (in this particular example).
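The mismatch described above, between the URL a consumer sees as link text and the address the anchor actually points to, can be checked mechanically in the e-mail body before anyone clicks. The following is an added example written for this discussion, not the method of the patent or code from any vendor; it parses the anchors of an HTML message with the standard library, flags an href whose host is a raw IP address, and flags link text that itself looks like a URL but names a different host than the href. SAMPLE_HTML is a constructed message body modelled on the anchor quoted from the e-mail source above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the first anchor reproduces the spoofed link quoted
# in the e-mail source above; the other two are benign controls.
SAMPLE_HTML = """
<html><body>
<p>In order to safeguard your account, we require that you update your PIN.</p>
<a href=http://61.128.198.62/Verify/>https://www.xyzbank.com/signin/xyzfi/scripts/login2/update_pin.jsp</a><br>
<a href="https://www.xyzbank.com/help">Help Center</a>
<a href="https://www.xyzbank.com/contact">https://www.xyzbank.com/contact</a>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # html.parser accepts unquoted attribute values such as href=http://...
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
URL_LIKE_TEXT = re.compile(r"^(https?://|www\.)", re.I)


def host_of(url):
    """Return the lower-cased hostname of a URL ('' if it has none)."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.example.test/x' style text
    return (urlparse(url).hostname or "").lower()


def check_anchor(href, text):
    """Return the reasons an anchor looks deceptive; an empty list means clean."""
    reasons = []
    href_host = host_of(href)
    if href_host and IPV4_HOST.match(href_host):
        reasons.append("href points at a raw IP address")
    # Compare hosts only when the visible text itself reads as a URL: a label
    # such as 'Help Center' cannot contradict the href.
    if URL_LIKE_TEXT.match(text):
        text_host = host_of(text)
        if text_host and text_host != href_host:
            reasons.append(
                f"visible host {text_host!r} differs from href host {href_host!r}"
            )
    return reasons


def find_deceptive_links(html):
    """Return a record for every anchor in html that fails check_anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = check_anchor(href, text)
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_HTML):
        print(hit["href"], "<-", hit["text"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Run against the constructed body, the spoofed anchor is reported twice over (raw IP target, and a visible host of www.xyzbank.com that does not match the href host 61.128.198.62), while the two benign anchors pass. A filter of this kind is one piece of a mail-gateway or client check; it does not need a pattern file for the specific sender, which is the gap the text identifies in signature-based anti-spam approaches.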
FIG. 2 shows two windows that are open. In the background the scammer has opened a browser that shows a page from the official XYZBank web site (or in some cases even the background window will be fake). In the foreground is what looks to be a small dialog box from XYZBank, but in reality it is a second browser that has also been opened by the scammer for the purpose of stealing sensitive consumer information. This phishing browser window mimics a dialog box that a consumer would think has been created by the official XYZBank web site. To hide the fact that this second window is actually a new browser showing a spurious web site and not a dialog box, the scammer also fakes the SSL lock icon and disables the original one, hides the status bar (so the open-lock icon will not appear), and draws a fake 128-bit SSL icon. Once the consumer enters his or her sensitive information the scammer has access to the information and can then perform illegal actions with the stolen information.
There are current approaches to deal with phishing. For example, the following have been proposed: strong website authentication, mail server authentication, digitally-signed e-mail with desktop verification, and digitally-signed e-mail with gateway verification. Strong website authentication would require all users of legitimate e-commerce and e-banking sites to strongly authenticate themselves to the site using a physical token such as a smart card. Mail server authentication requires almost all ISPs, web e-mail providers and corporations to publish their mail server authentication information and install mail server authentication software as part of their e-mail filters. There are numerous technical proposals such as RMX (resource record on DNS) and SPF (Sender Policy Framework) for how this would work. The digitally signed e-mail with desktop verification approach is based on the use of the existing industry standard S/MIME, which is a secure e-mail standard supported by most e-mail client software that is in use in corporations today. Companies who are vulnerable to phishing attacks would send their e-mail messages with a digital signature attached. If a message arrives for a user that is either not signed or the signature cannot be verified, the user would know that it is not a genuine message from the sending bank or e-commerce provider. The digitally signed e-mail with gateway verification approach uses the S/MIME standard for e-mail that is widely available today. Instead of relying on the end user's e-mail client to verify the signature on the message, a gateway server at the mail relay level would verify the signatures before they were even received by the receiver's e-mail server. For a variety of reasons, these solutions are not optimal. For example, strong web site authentication and mail server authentication can be difficult or complex to deploy due to technical or political issues. Also, the approaches of digitally signed e-mail with desktop verification or with gateway verification have been adopted by some companies but are not widely used.
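To make the mail server authentication approach concrete, the following added example (not part of the patent text, and not a full SPF implementation) evaluates a published SPF policy against the IP address of a connecting mail server, which is the check an e-mail filter would perform. The record and domain (xyzbank.example.test, with documentation address ranges) are constructed for the example; only the ip4, ip6 and all mechanisms are implemented, because include, redirect, a and mx require live DNS lookups and are deliberately left out so the code runs offline.

```python
import ipaddress

# Constructed SPF policy for an imaginary domain. In deployment this string is
# fetched from the domain's DNS TXT record; here it is embedded so the example
# runs offline. 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
CONSTRUCTED_SPF_RECORDS = {
    "xyzbank.example.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
}

# Mapping from an SPF term qualifier to the result it yields on a match.
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, value) terms.

    A term with no explicit qualifier defaults to '+' (pass), per the SPF grammar.
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        terms.append((qualifier, mech.lower(), value))
    return terms


def evaluate_spf(domain, sender_ip, records=CONSTRUCTED_SPF_RECORDS):
    """Return pass / fail / softfail / neutral / none for sender_ip claiming domain.

    Mechanisms are tested left to right and the first match decides, which is
    why the trailing '-all' catches every sender not listed before it.
    Only ip4, ip6 and all are supported in this offline example.
    """
    record = records.get(domain.lower())
    if record is None:
        return "none"  # domain publishes no policy; the filter learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # A bare address such as ip4:198.51.100.7 becomes a /32 network;
            # membership across IPv4/IPv6 versions is simply False.
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULT_BY_QUALIFIER[qualifier]
        elif mech == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs DNS resolution")
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.7", "61.128.198.62"):
        print(ip, "->", evaluate_spf("xyzbank.example.test", ip))
```

A message whose envelope sender claims xyzbank.example.test but arrives from an address outside the listed ranges evaluates to fail and can be rejected or quarantined at the gateway; the limitation the text points to is that every sending domain must first publish such a record, and every receiving filter must implement the check, before the result means anything.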
Other approaches are also being tried but are not optimal. For example, one technique would be to use anti-spam software to block phishing attempts from known senders of fake e-mail messages. Briefly, a vendor would analyze the fake e-mail message and create a pattern file to distribute to end-users. It would take some time for the pattern to be developed and for the pattern to be distributed. This technique is often not effective since the scammer's web site would likely be shut down once the scammers are found out and become known to anti-spam software developers. Even if not found out, some phishing web sites may disappear within a few days or even after a few hours. Also, a consumer might not update their anti-spam software in a timely fashion. And this technique only stops phishing from known senders. More problematic are phishing e-mail messages sent from unknown entities. Most anti-spam products would not catch this kind of e-mail message since phishing e-mail messages often look even more formal than official messages from real vendors. It could be possible to tune the anti-spam software to intercept unknown phishing messages, but this would likely result in any normal message from outside businesses also being blocked. This result is not desirable for the consumer either.
Other techniques use software agents on a client computer to combat phishing-related e-mail messages. Published U.S. patent application Ser. Nos. 10/733,655 and 10/273,236 both are examples of agent-based techniques. An agent-based technique is not optimal in that it requires special software on the end-user computer that can be expensive and difficult to maintain.
Thus, further improvements are needed to address phishing attacks.