Privacy and Security

PHISHING IN POISONED WATERS:
The Escalation of Identity and Information Theft

By Lance Koonce
[May 2005]

In recent weeks, several major incidents of identity theft have made headlines, compromising the personal data of hundreds of thousands of consumers. Although these attacks are shocking with respect to both their scale and sophistication, they may be merely an indication of things to come, as cyber-criminals continue to upgrade their technological ability and coordinate their actions.

First, a brief review of the recent incidents:

  • April 15, 2005: HSBC North America begins notifying some 180,000 customers with HSBC General Motors-branded Mastercards that their personal information had been compromised in a security breach related to a transaction with a U.S.-based retailer, which new reports have identified as Polo Ralph Lauren.

  • April 14, 2005: Indian police arrest 16 employees of an Indian customer support outsourcing company in connection with the fraudulent transfer of more than $400,000 from Citibank customer accounts to bogus accounts in India. The 16 arrestees had stolen personal identification numbers from Citibank customers.

  • April 12, 2005: Reed Elsevier PLC, owner of LexisNexis, updates an earlier announcement that data for approximately 32,000 of its customers has been accessed by unauthorized parties, by increasing the estimate to 310,000 customers. In this instance, the identity thieves acquired passwords on numerous occasions over two years and may have accessed information such as social security numbers and driver's license information.

  • March 2005: DSW Shoe Warehouse discloses that information for over 100,000 customers has been compromised by a security breach of the company's database.

  • February 2005: ChoicePoint Inc. announces that cyber thieves have stolen data of 145,000 consumers nationwide.

  • According to British Internet security company Netcraft, in the past four months, the websites of Citizens Bank, Visa, MasterCard and SunTrust have been hacked by phishers in order to redirect users to fake sites. All of these institutions quickly fixed the problem once the intrusion was identified.

While identity theft is a concern for all consumers, these recent examples demonstrate that the effects of such attacks can be devastating for businesses. The scope of these attacks also indicates that businesses which store customer data in electronic form must have in place the most up-to-date technological protection at their disposal, with multiple safeguards, and must also have a systematic business and legal response to all cyber-attacks, with the goal of aggressively identifying and prosecuting offenders. While a number of legislative solutions have been proposed to address ID theft issues (some of which would place an extra burden on businesses, requiring them to disclose any such thefts to customers), currently the corporate victim of information theft must rely on self-help and existing laws that are not specifically designed to address such violations.

The above examples of identity theft apparently each involved different methods of accessing sensitive data. Below, we discuss several schemes that are proliferating on the Internet about which both individuals and companies should be aware.

Phishing. Phishing is a well-publicized cyber crime that involves scam artists sending out bogus emails disguised as official emails from a financial institution or any website where a user might store financial data like a credit card number. The email “bait” incorporates images and text from the official website and typically directs the user to a website that imitates the authentic website, in order to trick the user into entering a password, social security number or any other information worth stealing.

Phishing is no longer limited to phony emails. Internet criminals have gone to great lengths to ensnare innocent victims in their ever-expanding nets. “Bogus Blogs,” for example, are malicious web logs that can be posted on legitimate host sites. These blogs may contain harmful code that can infect a user’s computer with a virus that steals information or causes a user to visit a bogus site created to steal information. Similar attacks now appear in the form of instant messages as well.

Organized crime rings, many of which operate out of remote areas in the former Soviet bloc and the Eastern bloc, have coordinated large-scale phishing attacks targeting businesses of all sizes. Although phishing scams were once, for the most part, crude and easily identifiable, professional criminals are now infiltrating cyberspace with more sophisticated and organized efforts to target vulnerable businesses and users.

Pharming. A variation of phishing that has recently gained popularity among more highly skilled Internet thieves is “pharming.” A pharmer sends out email messages that have virus attachments. The virus is planted onto the user’s computer, and when the user attempts to log onto an official website, the program redirects the user to a bogus, but authentic-looking website. When the user enters a password or any other personal data, that information is stolen. Another form of the virus will actually track a user’s keystrokes on a real website and record information for the pharmer to later exploit.

DNS Poisoning. Another variation of pharming is called “DNS Poisoning.” When a user types a name into the web browser’s address bar, a Domain Name System server reads the name, finds the corresponding numeric address and directs the user to the official website. In a DNS Poisoning scheme, a hacker will alter a company’s IP address on a domain server so that when a user enters the correct web address, the server will direct the user to a different address that contains a bogus website, built to steal passwords and other data.
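A defensive check that follows from the DNS Poisoning description above, added here as an illustration and not part of the original advisory: a business records the address ranges it actually publishes for its site and compares the answers that different DNS servers return against that baseline. The host names, resolver labels and addresses are constructed sample data using reserved documentation ranges.

```python
import ipaddress

# Constructed baseline: networks a hypothetical company publishes for its site.
EXPECTED = {"www.example-bank.test": ["192.0.2.0/28", "2001:db8:10::/48"]}

# Constructed observations: (resolver label, name queried, addresses returned).
OBSERVED = [
    ("resolver-a", "www.example-bank.test", ["192.0.2.5"]),
    ("resolver-b", "WWW.Example-Bank.test.", ["192.0.2.5", "2001:db8:10::5"]),
    ("resolver-c", "www.example-bank.test", ["203.0.113.77"]),  # altered record
    ("resolver-a", "mail.example-bank.test", ["192.0.2.9"]),    # not in baseline
]


def check_answers(expected, observed):
    """Return (resolver, name, address, reason) for every suspicious answer."""
    nets = {name: [ipaddress.ip_network(cidr) for cidr in cidrs]
            for name, cidrs in expected.items()}
    findings = []
    for resolver, name, addresses in observed:
        # DNS names are case-insensitive and may carry a trailing dot.
        key = name.rstrip(".").lower()
        if key not in nets:
            findings.append((resolver, key, None, "no baseline"))
            continue
        for text in addresses:
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                findings.append((resolver, key, text, "unparseable"))
                continue
            in_range = any(addr.version == net.version and addr in net
                           for net in nets[key])
            if not in_range:
                findings.append((resolver, key, text, "outside expected range"))
    return findings


if __name__ == "__main__":
    for finding in check_answers(EXPECTED, OBSERVED):
        print(finding)
```

An answer outside the baseline is a prompt to investigate that resolver, not proof of tampering, since a legitimate hosting change that was never added to the baseline produces the same finding.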

Cross-Site-Scripting. More and more scam artists have also begun to add malicious code or programs onto legitimate sites, in a scheme called “Cross-Site-Scripting.” When an innocent web surfer encounters this malicious code (which can appear, for example, as a mere hyperlink) the surfer may be redirected to a bogus website designed to steal information. The unauthorized code may also be used to perform other harmful acts to the innocent surfer, such as manipulating or stealing files on the surfer’s computer.

Wi-Fi Phishing. An innocent user who uses a wireless connection to the Internet may also be vulnerable to a separate type of attack. In a scam known as “Wi-Fi Phishing,” a cyber criminal misdirects wireless connections to phony websites that imitate legitimate sites. Wi-Fi Networks also make it relatively easy for criminals to log onto a neighbor’s network and perform misdeeds that could later be attributed to the person broadcasting the network signal.

How to Protect Yourself (and Your Customers). Monitoring and constantly updating your systems with the most recent technology is a critical first step to defend against the latest cyber-attack. But even with the best defensive systems, businesses likely must accept the fact that they will continue to be vulnerable as the technology being used in those attacks continues to evolve. It is therefore equally important for businesses to understand their legal responsibilities to customers and clients, as well as the legal strategies available to combat identity theft, from both a preventative and a response-oriented perspective.

Before an attack ever occurs, it is crucial that businesses undertake an exhaustive analysis of the manner in which customer information is received, stored, accessed, used and – eventually – purged. Literally every aspect of the transactions in which the information is first conveyed to the business, and every opportunity for access to that information, must be considered. Countless businesses have fallen victim to information theft not as the result of sophisticated hacking, but by a supposedly internal use of such information that is actually accessible to third parties, for instance through a public website or by means of a scam artist making phony requests that are not recognized as such. This review must be performed on a regular basis, and whenever significant changes to the information management system take place. These analyses should be part of corporate policy, should be in written form, and should be reviewed by counsel. It is also critical that the intended use of the information be disclosed to the customer in clear language, such that there is no confusion as to what information will be kept confidential, and what “confidential” means in the particular circumstances. Again, your counsel can assist you in putting together a privacy policy statement that best suits your company’s needs, and provides the most robust protection in the event of disclosures.

Of course, a privacy policy likely cannot protect a business that falls victim to a phisher or other cyber-criminal. When such attacks occur, a business must be prepared to take aggressive action in locating and prosecuting the attacker, which may be quite difficult in the context of Internet crime. In addition to civil litigation, businesses must be aware of the federal and state law enforcement agencies that can provide assistance in the event of attacks. Just as importantly, businesses must keep abreast of the changing legal requirements with respect to notification of customers about identity theft, and make sure that they are in compliance with the laws on point. Businesses that want to handle identity and information theft most effectively will need to have a set of comprehensive procedures in place, before an attack occurs, that takes into account all of the above aspects of an effective response.


Contact Information

Author:
Lance Koonce
New York, New York
(212) 489-8230
LanceKoonce@dwt.com

Other DWT contacts:

Kraig Baker, Seattle, (206) 628-7619, KraigBaker@dwt.com
Thomas R. Burke, San Francisco, (415) 276-6552, ThomasBurke@dwt.com


This Advisory is a publication of the Privacy and Security Group of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent privacy and security developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright © 2005, Davis Wright Tremaine LLP.
