Copyright 2004 washingtonpost.com. All rights reserved.

Companies Forced to Fight Phishing

By Brian Krebs
washingtonpost.com Staff Writer
Friday, November 19, 2004; 6:53 AM

Kate Trower never found out who was trying to trick her company's customers into giving up their credit card information, but she did learn about their taste in music.

Trower, a fraud investigator for Atlanta-based Internet service provider EarthLink, chased the "German phishers" for months. The scammers built Web pages designed to look like an EarthLink-affiliated site, then sent e-mails to EarthLink customers, prompting recipients to offer up their private financial data and Internet account passwords. Every time the company shut one site down, another would pop up.

They earned their name by redirecting Web surfers who stumbled onto their half-built pages to the site of a German goth rock band. It may have been nothing more than a paean to their favorite music group, but it also allowed the phishers to keep an inventory of their dormant sites using nothing more than an Internet search engine.

"These guys would... use the rock band redirect to keep tabs on us in a way," Trower said. If the phishers clicked on the Web sites and discovered that they no longer led to the German band, they knew investigators had shut down the sites and were hot on their trail.

Trower's search illustrates the lengths that businesses are going to in order to stop a form of fraud that uses their good names to steal. A 1,200 percent increase in attacks since January has forced the companies not only to redouble their efforts, but to change the way they use the Internet to communicate with their customers, each other and law enforcement officials. Without those changes, experts said, phishing will contribute to an erosion in consumer confidence at a time when online businesses cannot afford the loss.

ISPs are the front-line infantry in the war against phishing. They are responsible for protecting their customers from fraud and making sure no one uses their networks to scam other companies. A year ago, each attack against EarthLink generated about 20,000 customer support calls at an average cost of $127,000 per incident, Trower said. At the time, the company battled approximately three new attacks each week.

Now, thanks in part to investments in technology that can prevent customers from seeing bogus Web sites and e-mails, EarthLink gets around 300 phone calls and spends just under $5,000 per incident. Still, the nation's fourth-largest ISP encounters about 15 new phishing scams a month featuring e-mail that purports to come from its own service. It also remains among the top 10 most-targeted companies.

Web of Deceit

Phishers now focus almost exclusively on banks and online shopping sites. During the past 10 months, nearly 60 percent of their attacks targeted Citibank or US Bank, according to the Anti-Phishing Working Group. EarthLink and America Online are the targets for about 3 percent of the scams.

Phishers profit by stealing personal financial information and teaming up with international criminal syndicates that include computer hackers, virus writers and identity thieves. Working together, they fence the stolen data and cover their tracks by routing their e-mails and Web sites through multiple Internet hosts.

Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, said the hosts include home computers that have been infected with worms or viruses configured to relay spam. In other cases, the attackers break into unprotected PCs and install Web servers that run phishing sites off hijacked computers. The majority of those hosts are located in the United States, China, Taiwan, Korea and Russia, according to Websense, an Internet security firm in San Diego.

Investigators have even seen phishers advertise "work at home" scams that ask home computer users to conceal the phishers' locations by forwarding money, stolen goods or Internet traffic to other countries, said Kevin E. Leininger, president of ICG Inc., a Princeton, N.J., company that helps companies track down cyber-criminals.

Leininger said phishing poses a formidable challenge to law enforcement because it makes lucrative, coordinated, large-scale fraud appear to local investigators as small-time, disconnected cases of online thievery.

Banking on Phishing

For their part, banks are pooling their resources. In September, members of the Financial Services Technology Consortium -- a group of banks, financial services firms, universities and government agencies -- began compiling a database of phishing sites that they plan to make accessible to banks and federal authorities.

The goal is to allow investigators to share intelligence and quickly determine whom to contact at various ISPs and law enforcement agencies, said Catherine A. Allen, chief executive of the Banking Information Technology Secretariat. BITS is a sister group of the Financial Services Roundtable, which represents 100 institutions that handle 70 percent of the economy's financial transactions. The group focuses on e-commerce, payments and emerging financial services technologies.

The database could help state and federal law enforcement initiate more investigations by linking geographically dispersed victims who lose money in the same scams. Federal authorities usually will prosecute a crime only if the victim loses more than $50,000, said Mark Rasch, a former prosecutor for the Justice Department's computer crimes and intellectual property section. In most cases, individual phishing victims lose far less than that.

A private-sector anti-phishing database would complement the hundreds of fraud cases reported each day, said Dan Larkin, head of the FBI's Internet Crime Complaint Center in Morgantown, W.Va.

"That's really the role of our facility here -- packaging those complaints up as quick as we can and marketing the cases to law enforcement across the country," Larkin said. "Unfortunately, the sophistication of these schemes is morphing constantly because the crooks are also sharing information on what works and what doesn't."

Only a handful of people have been convicted for taking part in phishing scams, but Larkin said that "a number of aggressive phishing investigations are underway."

In September, the Justice Department, FBI, state and local police departments, and private companies kicked off an operation called "Digital Phishnet" to identify and catch phishers. Taking part in that broad investigation locally is the Virginia Cyber-Crime Strike Force, which includes four full-time FBI agents, a Virginia State Police trooper, and two investigators from the office of state Attorney General Jerry W. Kilgore (D).

Several investigations have already yielded results. Among them:

* In late October, the U.S. Secret Service and overseas authorities announced the arrest of 28 people on suspicion of running Web sites that were designed to steal, sell and forge credit cards and identification documents.

* In August, the FBI, the Federal Trade Commission and the Postal Inspection Service announced the arrests or convictions of more than 150 people in a nationwide crackdown on Internet fraud, including a Ukrainian man who allegedly used Internet chat rooms and his own Web site to buy and sell stolen credit card data.

In addition, federal investigators now have stronger legal tools at their disposal. The Identity Theft Penalty Enhancement Act, signed into law by President Bush on July 15, prescribes stiff prison terms for those who use identity theft to commit other crimes.

Catching Criticism

Banking customers are among phishers' favorite marks, but some consumer advocates and security experts said banks are not investing enough money and other resources in fighting online fraud.

Fran Maier, executive director and president of TRUSTe, a nonprofit privacy group in San Francisco, has spent several months trying to persuade the nation's largest financial institutions to pony up a few hundred thousand dollars each to fund a $10 million public-service ad campaign to alert consumers. So far, she said, some have expressed interest in the idea, though none has pledged funding.

"We have to go back to the advertising playbook by using reach and repetition through television, radio and billboards," Maier said. "And it can't be done in just an e-mail or Web-based campaign, because that's exactly where people are getting phished."

Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not heed their companies' own advice. Too often, he said, banks send e-mails to customers offering balance transfers and other deals by asking them to click on a Web site link and enter their information.

"If the corporate policy is never to send e-mails that contain links to Web sites asking for your personal information then these businesses need to work harder to normalize their behavior so that consumers will know what's abnormal," Sachs said. "The fact is some banks still send out e-mails that look remarkably like phishing scams."

Sachs said online merchants, banks and credit card companies need to invest in technologies used by most European banks that require customers to use one-time "identity tokens" or smart cards -- in addition to user names and passwords -- to get their financial information over the Web.

For now, U.S. banks are relying on warning their customers about phishing through mailings sent with their monthly statements. They say that they never ask for personal information in an e-mail message. Citibank recently joined other financial institutions, including SunTrust Banks Inc. and Washington Mutual Inc., in posting fraud advisories on their Internet home pages.

But some disenchanted customers are choosing the most effective phishing cure: no more online banking or shopping.

Rhonda Gifford, 37, said she has "had it" with e-commerce after getting hooked by a phishing scam. Weeks after she entered her personal information at a faked PayPal site, fraudulent charges for adult Web sites and a new Internet account in Saskatchewan showed up on her credit card. The scammers also wired more than $800 out of the Olive Hill, Ky., resident's checking account via Western Union to somewhere in Pakistan.

After she canceled her accounts and filed a fraud report with credit-reporting bureaus and local police, Gifford's bank suggested she refrain from online banking -- at least for a while. The bank told her that before too long, someone would probably try to open new lines of credit in her name. These days, she just waits for the next attack.

"I used to shop with my credit card online all the time for all sorts of different things that aren't available in this rural community," she said. "Now, it's like, forget it, not any more."

© 2004 TechNews.com