A worldwide net

How do you catch a phisher? Net-savvy law-enforcement officials can wade into the code on a spoofed Web site and spot the e-mail address that's collecting user names and passwords. With the help of ISPs, it's possible to trace the owner of the e-mail account or spoofed Web site. Joseph Yuhasz, the FBI agent who pursued Helen Carr, traced the ownership of her site to an address in Jeannette, Pa., where a convicted conspirator worked from his home, and then to the owner of a linked e-mail account in Sparta, Mich. The owner of that account, an alleged conspirator in the scheme, led the agent to Carr.

But phishing across borders is harder to trace. In Eastern Europe and especially in the former Soviet republics, organized criminal groups are perfecting phishing with breathtaking speed. Not only have the pitches become more convincing (the spelling and grammatical errors that belied early phishing e-mails are less frequent, for instance), but the technology used to trap your account numbers and passwords has grown viciously sophisticated.

One recent scheme told bank customers that large withdrawals had been made from their accounts and provided a link to the bank's Web site. Clicking the link installed a program (known as a Trojan horse) that remained dormant on victims' computers until they logged on to any of about 50 financial Web sites, including Citibank, American Express and E*Trade. Then the program sprang into action, capturing victims' keystrokes when they entered their user name and password, and forwarding the information to a thief in waiting. Another virus remains dormant until you go to a legitimate online-banking site, then generates a pop-up window that asks for your account number and password.

Key-logging software has also evidently made its way into phishing kits. Papierniak's e-mails included an attached program that he called a "security update" from PayPal. It was a key logger that sent user names and passwords back to Papierniak.

At first, professional phishers mass-mailed their messages, knowing that so many people are Citibank, U.S. Bank, eBay and PayPal customers that a few were bound to get snared. Now they're target marketing -- compiling lists of people who've nibbled at phishing e-mails in the past. Even if you stop short of entering personal information in a fake Citibank e-mail, for instance, just clicking on the link provided can get you "tagged" as a probable Citibank customer and make you a target for future Citibank spoofs.

What's more, a feverish black-market trade goes on in account numbers and identifiers gathered via phishing. "Criminals have created entire dossiers, not dissimilar to the way legitimate marketers work," says Ponemon. Then they openly sell the data in chat rooms and sometimes on Web sites. Several such Web sites, with names like Shadowcrew, Carderplanet and Darkprofits, were shut down last fall in a crackdown called Operation Firewall that involved the U.S. Secret Service, the Royal Canadian Mounted Police, Europol and other authorities. More than 1.7 million stolen credit-card numbers -- plus debit-card numbers, bank-account numbers, and fake driver's licenses and passports -- were traded on the Web sites. Arrests were made in Argentina, Belarus, Bulgaria, Canada, Sweden and the U.K., and investigations continue in Estonia, Poland, Russia and Ukraine, according to the Secret Service.

Other international fraud bazaars have surely sprung up. And although the FBI and Secret Service have begun to work with law-enforcement groups abroad, professional phishers are good at covering their tracks. "After you've ID'd them, you might have 24 hours to put the cuffs on them," Ponemon says. "Then they create another alias."

MORE: Kiplinger.com | Your Money | Magazine

TOOLS:   E-Mail Article  |  Print Article  |  Reprint Article  |  Content Licensing & Partnerships

E-MAIL ALERTS: Keep up-to-date with the latest Kiplinger has to offer

SAVE, SHARE & DISCUSS:    |   |   |   |   |    

ADD HEADLINES: