Phishing, Pharming and Plain Old Phraud

This entry is part of our June series on Identity Theft. Check out all of our Identity Theft articles by visiting our archive.


Aside from hacking, perhaps the area of identity theft most publicized is phishing. The scam has become such a growth industry that support mechanisms are cropping up for sale, providing something akin to an illicit infrastructure and lowering the entry barriers for those wishing to try a new career. But indications are that the threat from phishing may be overtaken by another scam, dubbed pharming.

Phishing is done by creating a phony website that mimics the legitimate site of a legitimate company, usually a financial institution or a company that performs online sales transactions. The phisher then sends out spam that looks like it came from that same company. Using social engineering techniques typical of any con, the e-mail tries to dupe the recipient into going to the counterfeit website and giving up financial and personal information.

In April 2004 the spam filtering company Brightmail reported there were 3 billion phishing e-mails worldwide – that month.

In March 2005 the Anti-Phishing Working Group reported the rate of increase of unique phishing schemes has been an average of 25 percent – per month.

First Data Corp. released a survey last month that said 43 percent of adults have received a phishing contact, and five percent of them gave up personal information.

The support culture can be seen in the form of online offers of anonymous hosting of phony sites (often using a hijacked server, sometimes moved several times a day), toolkits, e-mail lists and e-mail tech management. There is a report of an illicit card verification service, found in a chat room, that would verify the limits, bank, validity and expiration date of cards.

All of these services lower the technological barrier of entry into this line of theft.

Businesses and law enforcement have responded with technology and education. As they have, the culprits have adjusted tactics. For example, early phishing attacks were heavily focused on large banks and companies, like Citigroup and eBay. As those companies mounted better defenses and education of their customers, the thieves began to switch to smaller targets, like regional banks, whose customers might not be as aware of the threat.

The latest twist to phishing? Sending personalized phishing messages that already contain some sensitive personal data about the target. These individual messages use stolen data to try to elicit even more information from the victim. Customers of financial services companies have been targeted, and the customer might receive a message that looks like it came from the institution, including the customer’s name and full account number. The phishers may try to get more information, such as the PIN for an ATM or a credit card CVV (card verification value) code, the three- or four-digit number that is not raised and appears on the front or back of most cards as extra verification.

Pharming is done by surreptitiously redirecting a browser to a phony site where the user is duped into providing confidential information, thinking they are at the legitimate site of a business. Experts suggest there is an inherent weakness in the internet’s infrastructure, calling for new methods of authenticating users and websites.

When enough information is acquired, the problem may not stop with the original scam. If the fraud is committed by using an existing account, the victim closes it and solves that problem. But with enough information, a perpetrator can open new accounts. Those new accounts are more difficult to discover, and that longer discovery time often means greater losses, not directly to the consumer in terms of money, but to the consumer in terms of time and reputation and to the business that was victimized.

There is also a secondary market where data is re-sold. There are sites and chats where stolen data is marketed. MasterCard announced last month that it had uncovered more than 35,000 MasterCard account numbers being traded on the web and on internet relay chat channels in the past year. They said they’ve closed nearly 1,400 phishing websites and more than 750 sites set up to trade credit card information. The New York Times recently published an article about the open trade of credit card information. (Free registration required.)

A recent ComputerWorld article on “Pharming for Profits” offers more insights about pharming and phishing.

You can test your phishing acumen with an online quiz that takes about 5 or 10 minutes to complete: just visit the MailFrontier Phishing IQ Test. How well can you spot the con?