Oregon State Bar Bulletin — OCTOBER 2004

Legal Practice Tips
GONE PHISHING
Protecting online identity
By Ravi Puri

With the increase of Internet usage as a daily activity among the global population, there is a need for education to protect your (and your clients’) online identity. Although you may not be sacrificing your physical attributes when you are on the Internet, you could be giving up your personal attributes, which may be much more valuable.

From late 2003 to the present, there has been a noticeable rise in phishing (sounds like ‘fishing’). Phishing is defined as an e-mail (typically spam/unsolicited e-mail) that is "spoofed" to look like it comes from a legitimate company that you have an online account with (e.g., eBay, Citibank). Combined with a link to a fraudulent website within the e-mail, to hook a few customers, phishers then reel you in to divulge personal information, such as user names and passwords for accounts, credit card numbers, and so on. By improperly copying pictures and websites of well-known companies and services without authorization (violating state and/or federal laws, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM), 18 U.S.C. §1037 and the Identity Theft Penalty Enhancement Act (ITPEA), 18 U.S.C. §1028A), phishers are able to use e-mail to convince innocent recipients to respond to their fraudulent requests.

Phishing websites are on the rise, as are the costs to discover, react to and remove these websites. Spreading awareness and education to your clients could significantly reduce the numbers of innocent individuals who get lured into scams and risk losing their identity.

The Process
A phishing scam starts with a domain name registrar. Registrars receive an online transaction for a domain name registration. The person who inputs the credit card information also uses the correct billing information for the card to allow for a successful transaction. Whether that credit card information was obtained through a previous phishing website or through other means is unknown. Consequently, with all the correct information submitted, the credit card usually clears the payment processor without any knowledge of who actually submitted the information. In fact, it looks as though the card owner entered the information on his or her own. The same billing contact information is then used for the administrative/account contact information for the domain name. Even if a human looks at the contact information, there is no knowledge of a fraudulent transaction unless a human takes the time to verify the information (e.g., call the listed phone number).

As more domains continue to be registered, the scam continues to the website hosting company. In some cases, the registrar for the domain name is also the hosting company. When the hosting account is paid for, the phisher may upload files to the hosting account to establish a website for all to see. Similar to the registrar situation above, the credit card transaction for the hosting service looks as though the cardholders themselves entered the information for the service. Without having a human verify the contact information, it is hard to discover any fraud. Once again, with no human looking at each file and website created, a fraudulent website can be formed. For an example of a phishing website, go to www.privacyrights.org/ar/phishing.htm.

The next step is to send out an e-mail, most likely unsolicited (spam). This can be done through services provided by a registrar (e.g., Dotster/Namesdirect), a hosting company for the website (e.g., Hostlane/Trellix), an Internet Service Provider (e.g., AOL/Comcast), or an online e-mail account (e.g., Yahoo!/Hotmail). E-mail accounts are very simple to set up while posing as a legitimate person, since many services are free and do not require credit card authorization. Once the e-mail account is set up, the e-mail sent by a phisher typically requests an ‘urgent’ update to personal information to avoid having an account closed or to prevent an online purchase from being misdirected. With a convenient link provided in the e-mail for someone to click, it is quite easy to go to a webpage to ‘update’ information. Unfortunately, the ‘update’ will only go to a phisher, not to a legitimate company.

Since phishing e-mails mimic legitimate companies, it is hard for spam filters to distinguish legitimate mail from phishing mail and block only the latter. You may receive, if you haven’t already, an e-mail from the company you have an account with and, shortly afterward, a phishing e-mail posing as that same company. In some cases, the phishing mail may look more legitimate. A list of recent phishing scams is typically updated on www.antiphishing.org and www.fraudwatchinternational.com/index.htm.

Since thousands of people are lured by a sophisticated e-mail into giving up personal information to a phishing website, there are thousands of people who need to re-establish their identities and credit. This results in a cost to issue new credit cards, accounts and passwords, in addition to the valuable time spent contacting numerous companies and individuals to re-establish your identity as well as your reputation.

The ease of being able to click a link in an e-mail to update account information appears to save time, money and headache. The problem arises when a person clicks a link in an e-mail that goes to a phishing website, rather than taking the extra few seconds to type the correct company’s website into their web browser (e.g., Internet Explorer/Mozilla). This extra step could ensure a more secure method of logging in to an account for ‘updating’ purposes.

The Penalty
With the enactment of the federal CAN-SPAM Act and ITPEA — and other state and federal laws — if a phisher can be found, he could be prosecuted. Unfortunately, there has been slow implementation of the law upon violators, as it is hard to locate the perpetrators. Many phishers may be located outside the United States or are able to pose as though they are located outside the U.S. by hiding their Internet Protocol ("IP") address or taking control of an innocent person’s computer and directing commands from that computer from a remote location. (An IP address is much like a phone number on the Internet. It is made up of numbers that translate into a destination/computer logged on to the Internet at a particular date and time.)

Despite the slow implementation, AOL, Yahoo! and Microsoft, among other companies, have brought cases against violators of their services. However, there have been limited cases which have completed trials and led to a judgment; most cases have settled outside of court.

One recent case should hopefully serve as a warning to other phishers. In Federal Trade Commission (FTC) v. Hill, Zachary Keith Hill was sentenced to 46 months in prison after pleading guilty to phishing activity. (The FTC v. Hill complaint can be seen at http://tinyurl.com/3h4fw.) Hill illegally obtained hundreds of credit card and bank account numbers in addition to user names and passwords for Internet accounts through the use of his phishing websites.

Given the harsh punishment imposed of almost 4 years’ imprisonment, the awareness and fear created by the publication of this case should hopefully reduce the rapid increase of phishing websites being created.

The Remedy
Although there is no foolproof method to prevent phishing, through education and awareness of phishing scams and some safety tips, we should be able to reduce the amount of innocent people affected. If you or your client(s) are already victims of phishing and need to reclaim your identity, the Federal Trade Commission has a thorough website on identity theft, http://www.consumer.gov/idtheft/consumertopics_bk.html, which can be of assistance.

Through cooperation between individuals and companies, including registrars, hosting companies, e-mail providers and Internet service providers, we should be able to cut down on the increase of phishing websites. In addition, the publication of successful cases against phishers should create some fear and possibly reduce the increase in phishing activity that has affected millions to date.

Safety Tips
One of the safest measures one can take when responding to an e-mail, despite the authentic look of the e-mail, is that of typing the "www.company-domain-name.com" web address for the company directly into the web browser, rather than clicking a "handy" link supplied in an e-mail. For example, by typing in www.ebay.com into the address bar of the web browser, rather than immediately clicking a link that may say "www.ebay.com," individuals can be assured of what website they are going to when they go to update their information. Although it may take a few extra seconds to type out the address, doing so will prevent an individual from downloading a virus or getting re-directed to another website without knowledge of whether it is legitimate or not.

An example of "re-direction" is the "click here" button/link. When you click the words click here in e-mails or on websites, it re-directs/links to another website. Similarly, phishers use this re-direction/link technique by asking you to click the words "www.company-domain-name.com." Although you may think it is linked to "www.company-domain-name.com," the words may just as well be "http://www.random-letters-asdfjkl.com" or be just as simple as "update here" because when you click the button/link, it re-directs/links to "http://www.phishing-site.com." If you typed "www.company-domain-name.com" into your web browser, you would reach "www.company-domain-name.com," not "www.phishing-site.com."

Cooperation
In addition to typing domain names directly into your web browser (or even the simpler method of cut and paste) rather than clicking a button/link, you and/or your clients should: 1) verify whether the "from" address in an e-mail is someone they know; 2) keep up with the anti-phishing lists that are updated with recent phishing scams and 3) report suspicious activity to the appropriate company to take immediate action and to hopefully prevent another innocent person from being "phished."

Contact information for domain names, known as "Whois information," is publicly available free of charge (e.g., www.dnsstuff.com; www.betterwhois.com). The concept of a Whois database is to be an online phone book for domain names. Sample Whois information for a domain name includes contact information for the registrant and administrative contact, the name of the registrar for the domain, and the domain servers/nameservers for the domain that provide it with either hosting services or forwarding services to automatically link to a hosted website.

Getting in contact with the administrative or abuse department of the innocent companies involved (typically abuse@company-domain-name.com) to report a website will speed up the process of having illegitimate websites removed before they begin collecting sensitive personal information from innocent people. In addition, by reporting phishing e-mails to anti-phishing organizations (e.g., http://www.antiphishing.org/report_phishing.html), other Internet users can use the updated list to protect themselves from being defrauded.

With the combination of being more careful and taking a little extra time to respond to ‘urgent’ e-mail requests for an update to personal information, individuals can move toward being more protected from online identity theft in their daily life. Working together with all companies defrauded in a phishing scam may lead to the capture of notorious phishers and the ultimate goal of a reduction in the increase in phishing activity.

What Next?
Following the safety tips above and spreading the awareness of phishing scams may be the best remedy at this time. Reporting phishing incidents and working with all companies involved will allow for a flow of information and potential justice for those lured into identity theft. Taking the time to help yourself and others, while educating everyone involved, should eventually lead to better protection of one’s identity and wealth while reducing the risk of theft.

Handy sites

For more information on phishing, see the following websites:

1. Registrars Against Phishing Scams (RAPS): http://www.stopphishing.com

2. Trusted Electronic Communications Forum: http://www.tecf.org/

3. FTC Phishing Alert: http://tinyurl.com/kg2p

4. FTC information on Spam: http://tinyurl.com/36e97


ABOUT THE AUTHOR
Ravi Puri is the in-house attorney for Dotster, Inc. (www.dotster.com), a domain registrar. Websites mentioned in this article are for reference only. Author is not liable for any content on the websites listed in this article. See www.tinyurl.com to help reduce long website addresses to short links for documents and other website usage.

© 2004 Ravi Puri
