PHISHING IN POISONED WATERS:
The Escalation of Identity and Information Theft
By Lance Koonce
[May 2005]
In recent weeks, several major incidents of identity theft
have made headlines, compromising the personal data of hundreds
of thousands of consumers. Although these attacks are shocking
with respect to both their scale and sophistication, they may
be merely an indication of things to come, as cyber-criminals
continue to upgrade their technological ability and coordinate
their actions.
First, a brief review of the recent incidents:
- April 15, 2005: HSBC North America begins notifying some
180,000 customers with HSBC General Motors-branded Mastercards
that their personal information had been compromised in a security
breach related to a transaction with a U.S.-based retailer,
which news reports have identified as Polo Ralph Lauren.
- April 14, 2005: Indian police arrest 16 employees of an
Indian customer support outsourcing company in connection
with the fraudulent transfer of more than $400,000 from Citibank
customer accounts to bogus accounts in India. The 16 arrestees
had stolen personal identification numbers from Citibank customers.
- April 12, 2005: Reed Elsevier PLC, owner of LexisNexis,
updates an earlier announcement that data for approximately
32,000 of its customers has been accessed by unauthorized
parties, by increasing the estimate to 310,000 customers.
In this instance, the identity thieves acquired passwords
on numerous occasions over two years and may have accessed
information such as social security numbers and driver's license
information.
- March 2005: DSW Shoe Warehouse discloses that information
for over 100,000 customers has been compromised by a security
breach of the company's database.
- February 2005: ChoicePoint Inc. announces that cyber thieves
have stolen data of 145,000 consumers nationwide.
- According to British Internet security company Netcraft,
in the past four months, the websites of Citizens Bank, Visa,
MasterCard and SunTrust have been hacked by phishers in order
to redirect users to fake sites. All of these institutions
quickly fixed the problem once the intrusion was identified.
While identity theft is a concern for all consumers, these
recent examples demonstrate that the effects of such attacks
can be devastating for businesses. The scope of these attacks
also makes it imperative that businesses which store customer
data in electronic form have in place the most up-to-date
technological protection at their disposal, with multiple
safeguards, and a systematic business and legal response to all
cyber-attacks, with the goal of aggressively
identifying and prosecuting offenders. While a number of legislative
solutions have been proposed to address ID theft issues (some
of which would place an extra burden on businesses, requiring
them to disclose any such thefts to customers), currently the
corporate victim of information theft must rely on self-help
and existing laws that are not specifically designed to address
such violations.
The above examples of identity theft apparently each involved
different methods of accessing sensitive data. Below, we discuss
several schemes that are proliferating on the Internet about
which both individuals and companies should be aware.
Phishing. Phishing is a well-publicized cyber
crime that involves scam artists sending out bogus emails disguised
as official emails from a financial institution or any website
where a user might store financial data like a credit card number.
The email “bait” incorporates images and text from
the official website and typically directs the user to a website
that imitates the authentic website, in order to trick the user
into entering a password, social security number or any other
information worth stealing.
Phishing is no longer limited to phony emails. Internet criminals
have gone to great lengths to ensnare innocent victims in their
ever-expanding nets. “Bogus Blogs,” for example,
are malicious web logs that can be posted on legitimate host
sites. These blogs may contain harmful code that can infect
a user’s computer with a virus that steals information
or causes a user to visit a bogus site created to steal information.
Similar attacks now appear in the form of instant messages as
well.
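The "bait" described above usually rests on a link whose visible text names the institution's real site while its actual destination is somewhere else. The following is an added example, not part of the original advisory, of a small mail-filtering check that parses the HTML body of a message and flags anchors whose destination host is outside the sender's claimed domains or whose visible text names a different host than the real href. The sample message, the domain examplebank.example and the address 203.0.113.45 are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a hostname or URL (with an optional path).
HOST_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or bare hostname, lower-cased ('' if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, claimed_domains):
    """Return [(href, visible_text, [reasons])] for links that either lead off
    the claimed sender's domains or whose visible text disguises the real host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        reasons = []
        if not any(_same_site(href_host, d) for d in claimed_domains):
            reasons.append("destination host %r is not under %s"
                           % (href_host, ", ".join(claimed_domains)))
        text_host = _host(text) if HOST_LIKE.match(text) else ""
        if text_host and text_host != href_host:
            reasons.append("visible text %r hides real destination %r"
                           % (text, href_host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message: the first link shows the bank's address as text
# but points at an unrelated IP address; the second link is genuine.
SAMPLE_EMAIL = """
<p>Dear customer, your account at <b>Example Bank</b> needs verification.</p>
<p>Visit <a href="http://203.0.113.45/verify">https://www.examplebank.example/verify</a> now.</p>
<p>Or read our <a href="https://www.examplebank.example/security">security tips</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, ["examplebank.example"]):
        print("SUSPICIOUS:", href, "|", text)
        for r in reasons:
            print("   -", r)
```

A mail gateway would run this over each inbound message claiming to come from the institution; a hit is a reason to quarantine or to warn the recipient, not proof of fraud on its own, since legitimate mail sometimes links to third-party hosting.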
Organized crime rings, many of which operate out of remote
areas in the former Soviet bloc and the Eastern bloc, have coordinated
large-scale phishing attacks targeting businesses of all sizes.
Although phishing scams were once, for the most part, crude
and easily identifiable, professional criminals are now infiltrating
cyberspace with more sophisticated and organized efforts to
target vulnerable businesses and users.
Pharming. A variation of phishing that has
recently gained popularity among more highly skilled Internet
thieves is “pharming.” A pharmer sends out email
messages that have virus attachments. The virus is planted onto
the user’s computer, and when the user attempts to log
onto an official website, the program redirects the user to
a bogus, but authentic-looking website. When the user enters
a password or any other personal data, that information is stolen.
Another form of the virus will actually track a user’s
keystrokes on a real website and record information for the
pharmer to later exploit.
DNS Poisoning. Another variation of pharming
is called “DNS Poisoning.” When a user types a name
into the web browser’s address bar, a Domain Name System
server reads the name, finds the corresponding numeric address
and directs the user to the official website. In a DNS Poisoning
scheme, a hacker will alter a company’s IP address on
a domain server so that when a user enters the correct web address,
the server will direct the user to a different address that
contains a bogus website, built to steal passwords and other
data.
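One defense a resolver applies against the altered-record scheme just described is the "bailiwick" check: records arriving in a reply are cached only if their owner name lies within the zone the answering server was asked about, so a reply cannot slip in an address for an unrelated company's name. The code below is an added illustration of that check and is not part of the advisory; the zone names example.test and bank.test and the addresses are constructed, and the response object is a simplified stand-in for a parsed DNS message.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Record:
    name: str    # owner name, e.g. "www.example.test"
    rtype: str   # record type, e.g. "A"
    value: str   # record data, e.g. an IPv4 address


@dataclass
class Response:
    queried_name: str
    answers: List[Record]
    additional: List[Record]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Minimal cache that enforces the bailiwick rule on incoming replies."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], str] = {}

    def accept(self, response: Response, zone: str) -> List[Record]:
        """Cache the in-bailiwick records of `response` (a reply from a server
        authoritative for `zone`) and return the records that were rejected."""
        rejected = []
        for rec in response.answers + response.additional:
            if in_bailiwick(rec.name, zone):
                self.entries[(rec.name.lower().rstrip("."), rec.rtype)] = rec.value
            else:
                rejected.append(rec)
        return rejected

    def lookup(self, name: str, rtype: str = "A"):
        return self.entries.get((name.lower().rstrip("."), rtype))


# Constructed reply from the example.test nameserver. The additional section
# carries an address for a name in a different zone; an unchecked cache would
# store it and send later visitors of www.bank.test to 198.51.100.7.
POISONED_REPLY = Response(
    queried_name="www.example.test",
    answers=[Record("www.example.test", "A", "192.0.2.10")],
    additional=[Record("www.bank.test", "A", "198.51.100.7")],
)


def demo() -> Tuple[List[Record], object, object]:
    cache = ResolverCache()
    rejected = cache.accept(POISONED_REPLY, zone="example.test")
    return rejected, cache.lookup("www.example.test"), cache.lookup("www.bank.test")


if __name__ == "__main__":
    rejected, good, bad = demo()
    print("rejected:", [r.name for r in rejected])
    print("www.example.test ->", good)
    print("www.bank.test    ->", bad)
```

Real resolvers combine this rule with source-port and transaction-ID randomization and, where deployed, DNSSEC validation; the bailiwick check alone stops the "extra record for someone else's name" case but not a forged answer for the queried name itself.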
Cross-Site-Scripting. More and more scam artists
have also begun to add malicious code or programs onto legitimate
sites, in a scheme called “Cross-Site-Scripting.”
When an innocent web surfer encounters this malicious code (which
can appear, for example, as a mere hyperlink), the surfer may
be redirected to a bogus website designed to steal information.
The unauthorized code may also be used to perform other harmful
acts against the innocent surfer, such as manipulating or stealing
files on the surfer’s computer.
Wi-Fi Phishing. An innocent user who uses
a wireless connection to the Internet may also be vulnerable
to a separate type of attack. In a scam known as “Wi-Fi
Phishing,” a cyber criminal misdirects wireless connections
to phony websites that imitate legitimate sites. Wi-Fi Networks
also make it relatively easy for criminals to log onto a neighbor’s
network and perform misdeeds that could later be attributed
to the person broadcasting the network signal.
How to Protect Yourself (and Your Customers). Monitoring
and constantly updating your systems with the most recent technology
is a critical first step to defend against the latest cyber-attack.
But even with the best defensive systems, businesses likely
must accept the fact that they will continue to be vulnerable
as the technology being used in those attacks continues to evolve.
It is therefore equally important for businesses to understand
their legal responsibilities to customers and clients, as well
as the legal strategies available to combat identity theft,
from both a preventative and a response-oriented perspective.
Before an attack ever occurs, it is crucial that businesses
undertake an exhaustive analysis of the manner in which customer
information is received, stored, accessed, used and –
eventually – purged. Literally every aspect of the transactions
in which the information is first conveyed to the business,
and every opportunity for access to that information, must be
considered. Countless businesses have fallen victim to information
theft not as the result of sophisticated hacking, but through a supposedly
internal use of such information that is actually accessible
to third parties, for instance through a public website or by
means of a scam artist making phony requests that are not recognized
as such. This review must be performed on a regular basis, and
whenever significant changes to the information management system
take place. These analyses should be part of corporate policy,
should be in written form, and should be reviewed by counsel.
It is also critical that the intended use of the information
be disclosed to the customer in clear language, such that there
is no confusion as to what information will be kept confidential,
and what “confidential” means in the particular
circumstances. Again, your counsel can assist you in putting
together a privacy policy statement that best suits your company’s
needs, and provides the most robust protection in the event
of disclosures.
Of course, a privacy policy likely cannot protect a business
that falls victim to a phisher or other cyber-criminal. When
such attacks occur, a business must be prepared to take aggressive
action in locating and prosecuting the attacker, which may be
quite difficult in the context of Internet crime. In addition
to civil litigation, businesses must be aware of the federal
and state law enforcement agencies that can provide assistance
in the event of attacks. Just as importantly, businesses must
keep abreast of the changing legal requirements with respect
to notification of customers about identity theft, and make
sure that they are in compliance with the laws on point. Businesses
that want to handle identity and information theft most effectively
will need to have a set of comprehensive procedures in place,
before an attack occurs, that takes into account all of the
above aspects of an effective response.
Contact Information
Other DWT contacts:
Kraig Baker, Seattle, (206) 628-7619, KraigBaker@dwt.com
Thomas R. Burke, San Francisco, (415) 276-6552, ThomasBurke@dwt.com
This Advisory is a publication
of the Privacy and Security Group of Davis Wright Tremaine LLP.
Our purpose in publishing this Advisory is to inform our clients
and friends of recent privacy and security developments. It
is not intended, nor should it be used, as a substitute for
specific legal advice as legal counsel may only be given in
response to inquiries regarding particular situations.
Copyright © 2005, Davis Wright Tremaine LLP.