May 1, 2007
"People are getting very creative about being tricky," he says. The purloined material gives phishers' and spammers' emails the appearance of legitimacy, and many consumers respond, thinking they are dealing with the actual retailer. That enables the crook to validate the unwary customer's email address for use in a later scam, or embed technology on the consumer's computer that captures keystrokes or other important data that can be used in identity theft or other types of fraud, Buck warns.
One method used by these devious crooks is to subscribe to a retailer's email newsletter. "The first email that comes to them has a whole bunch of important information for the phisher or spammer to use," he says. That includes all the content in the retailer's newsletter, commercials and advertising, as well as legitimate header information, such as domain addresses.
"What will happen is you might get an email that looks like it is coming from a major retailer, because the actual technical message header looks like it comes from MajorRetailer.com," Buck says. "But the advertising you see is for bootleg pharmaceuticals, bootleg or fake jewelry, body enlargement parts, or pump and dump schemes."
While there are no steps retailers can take to totally prevent this type of fraud, they can put a dent in it by authenticating with all the leading authentication technologies, such as Sender Policy Framework, or SPF; Sender ID Framework, or SIDF; and Domain Keys, Buck says.
"The good news is that if you are doing those things, then it becomes a lot more difficult for your brand to be successfully phished," he points out. "The bad news is that there is no ubiquity on the receiver's side (the Inter Service Provider side) that they are actually looking for those things. If 100 percent of the ISPs were actually checking for authentication, things like this would fail the vast majority of the time."
Consumer education also can play a role in preventing these types of phishing and spam schemes, he says. Retailers can post on their sites information on what their customers should look for to determine whether an email is legitimate or not. They also can refer consumers to their sites' privacy pages, where the retailers' domain names and IP addresses are listed.
While phishing and brand attacks are not yet having a large impact on retailers, they have the potential to create major problems, according to Buck. "Retailers need to go that extra mile to make sure they are covering themselves," he urges. Meanwhile, the number of email phishing sites has risen 180 percent in a year, according to the Anti-Phishing Working Group. It reports that the number of phishing websites designed to steal consumer passwords, credit card account numbers and other data through email scams rose to 27,221 in January.
The January 2007 figure was down from a 2006 peak of 37,444 phishing sites in October. The peak period continued through November, with 37,439 phishing sites, before tapering off to 28,531 in December 2006.
The APWG, which released its Phishing Activity Trends report for January this spring, also reports that the number of brands hijacked in email phishing attacks hit a peak last year of 176 in October. The January 2007 total was 135, up from 101 in January 2006.
Phishing attacks often use well known brands in email messages to lure consumers to websites that are designed to look as if they belong to the same brands, but instead are fraudulent sites used to steal consumers' personal information. Financial services companies were the targets of 88.9 percent of phishing attacks in January 2007, followed by Internet Service Provider sites at 4.4 percent, and retailers' websites at 2.2 percent, the APWG says.
Information in this article was edited from stories at InternetRetailer online
Topic: Wholesale News
Related Articles: security fraud
Article ID: 195
Entire contents ©2020, Sumner Communications, Inc. (203) 748-2050. All rights reserved. No part of this service may be reproduced in any form without the express written permission of Sumner Communications, Inc. except that an individual may download and/or forward articles via e-mail to a reasonable number of recipients for personal, non-commercial purposes.