Why phishing isn't just a crime against individual users
Takeaway: Phishing scams are on the rise, and some are even beginning to target businesses rather than individual users. But regardless of the target, phishing takes a toll on more than the actual individual victim. John McCormick discusses the long-range effects of these scams and analyzes a pioneering new anti-phishing law.
We're still waiting for those Microsoft security bulletins, which Redmond has promised to release this week, and there's still a nice lull in new vulnerabilities and viruses. However, we can't say the same for phishing scams, which are still on the rise.
Details
Once again, Microsoft has pre-announced its monthly security bulletin release. (The software giant pulled the release for September at the last minute due to problems with the patch.)
However, even if Microsoft sticks to its schedule this time, the official release date is October 11. So, look for the details about the latest security bulletins in my next article; in the meantime, let's concentrate this week on phishing and other threats.
The "governator" goes phishing
While phishing may appear to be a threat that primarily affects individual users, it also poses a major problem for businesses, both directly and indirectly. The goal of most phishing attacks is to obtain personal information from an individual.
However, some scams are beginning to target business credit information—companies are often a better target because they have more money. Businesses are accustomed to paying an invoice when they get it without doing much research. In fact, this is an old scam: Just mail out a bunch of invoices using a professional-sounding name, and many companies will just send a check. This means that even seemingly harmless information about billing cycles and sample invoices can pose a threat.
As phishing increases, consumers are becoming more leery about giving out personal information online, which negatively affects confidence in online buying—just as companies are turning to the Internet for an increasingly significant proportion of their sales. This change in attitude is having a measurable impact. According to Forrester Research, 600,000 online banking users in the United Kingdom have turned their backs on online banking due to the phishing threat.
And according to the BBC, 90 percent of American PC users have changed their online habits due to a fear of spyware. This includes changing browsers, dropping file-sharing software, and even avoiding some Web sites.
Given that number, how can this fail to affect online sales? Any way you look at it, this can't be good news for companies.
In an effort to fight back, California recently became the first state to actually make phishing a crime that you can sue over. On Sept. 30, 2005, Governor Arnold Schwarzenegger signed the nation's first anti-phishing bill. As hard as it may be to believe, until the new law went into effect, there was little or nothing you could do about phishing—even if you caught someone red-handed trying to steal your personal information.
The California Anti-Phishing Act of 2005 finally made it a civil offense to take any action to induce people to disclose personal data by falsely representing themselves as doing so for a business. The law included fines of $2,500 for each violation, and it lets victims sue for actual damage or $500,000 per violation, whichever is greater.
But the new California law is too narrow in its definition of phishing, and it doesn't apply to malware-based phishing. In addition, it poses little if any concern for any attacker not based in the state. However, it may trigger action in other states, as other pioneering California privacy laws have.
U.S. Senator Patrick Leahy introduced a similar bill to Congress in February 2005, but the proposal has received little attention. Leahy's proposed bill would make it a federal crime even to create a fake business site that spoofs a legitimate business or to attempt to obtain personal information via e-mail. The bill provides specific protection for parody sites and includes other First Amendment protection.
And while the number of new security vulnerabilities and serious virus threats has remained very low recently, two-thirds of companies have suffered "significant" financial costs associated with IT failures in the last year, according to Silicon.com. One-third suffered damage due to direct phishing and hacking attacks.
Microsoft gets serious about security
For the past few years, the Redmond giant has been concentrating on plugging security holes in its products. However, industry insiders have been waiting for the company to enter the lucrative security field ever since Microsoft began acquiring security companies. Last week, Microsoft announced plans to release its business-oriented Client Protection software, which will put it into direct competition with Symantec and other security specialists.
While few details are available, we do know that it will integrate with Active Directory. Client Protection is the business equivalent of Windows OneCare, Microsoft's subscription-based end-user repair software. The new Client Protection software will ship in 2006, and testing will begin later this year. You can also look for the full working version of Windows OneCare to arrive next year; it's currently in limited beta release.
Even if it isn't perfect, security software provided by Microsoft should help slow the spread of some viruses. That's because far more PCs will likely have Microsoft's protection installed than currently run the excellent third-party antivirus tools already available today.
Recent threats
- A Wi-Fi vulnerability has surfaced in fully patched Windows XP Service Pack 2 systems. The hole in the Wireless Zero Configuration service is a local threat that can allow a user to gain higher privileges.
- A highly critical vulnerability has emerged in Kaspersky Anti-Virus programs. See the Secunia report for more details.
- Red Hat has announced updates for Thunderbird (Enterprise Linux AS4, ES4, and WS4) that fix remote spoofing and other vulnerabilities.
Final word
Reports about people changing their surfing habits should concern any business that's selling online. Phishing and spyware don't just affect unsophisticated individuals—they also have a financial impact on those who want to do business with them.
With the holidays approaching, I guess I should note that Electronic Arts has announced that Need for Speed Most Wanted will be ready to ship on November 22, the same day Microsoft plans to release the initial Xbox 360 consoles. I find it interesting that while Nicholas Negroponte, the cofounder of MIT's Media Lab, is moving forward on the proposed $100 notebooks for digitally deprived Third-World children in the One Laptop Per Child program, the connected world is eyeing $300 and $400 game consoles—the expected pricing for the two flavors of Xbox 360.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

