Phishing Tales: Honestly, the problem is ‘this big’

Peter Black, Queensland University of Technology

p2.black@qut.edu.au

http://freedomtodiffer.typepad.com/

Outline

1. Phishing explained
   - Definition
   - Case studies
   - Why the ‘ph’?
2. Growth of phishing
3. Australian legislation
4. US position
5. Difficulties with a legislative response
6. Other methods of combating phishing

1. Phishing explained

- Phishing is the creation and use of e-mails and websites in order to deceive internet users into disclosing their bank and financial account information or other personal data.

- Once this information is obtained, it is then used to commit fraudulent acts.

Case study: Westpac

[Three slides of images not reproduced in this text. Source: Anti-Phishing Working Group]

Other targets: Internet services

[Two slides of images not reproduced. Source: Anti-Phishing Working Group]

Other targets: Online commerce sites

[Three slides of images not reproduced. Source: Anti-Phishing Working Group]

Other targets: Search engines

[Slide image not reproduced. Source: millersmiles.co.uk: the web’s dedicated anti-phishing service]

Charities: United Way

[Slide image not reproduced. Source: millersmiles.co.uk: the web’s dedicated anti-phishing service]



Why phishing with a ‘ph’?

- The word ‘phishing’ is derived from the analogy that internet scammers use email lures to ‘fish’ for passwords and financial information from the ‘sea’ of internet users.

- The term was first used in 1996 by hackers attempting to steal America On-line (AOL) accounts.

2. Growth of phishing

[Slide image not reproduced. Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006]

Phishing sites hosting countries

[Slide image not reproduced. Source: Anti-Phishing Working Group: Phishing Activity Trends Report May 2006]



Economic impact of phishing

- The dollar damage from phishing is substantial.

- Estimates of the loss to consumers and online commerce range from:
  - $500 million a year (Ponemon Institute 2004); to
  - $2.4 billion in 2003 (Gartner 2004).

- Phishing also exacts a significant toll on individual consumers.
  See Jennifer Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) 20 Berkeley Technology Law Journal 259 at 266-67.

3. Australian legislation

- Phishing could be criminally prosecuted under state legislation that deals with identity theft and fraud:
  - Crimes Act 1958 (Vic): obtaining property by deception (s 81(1)), and obtaining financial advantage by deception (s 82);
  - Crimes Act 1900 (NSW): obtaining money by deception (s 178BA), obtaining money by false or misleading statements (s 178BB), obtaining credit by fraud (s 178C), false pretences (s 179), and fraudulent personation (s 184);
  - Criminal Code 1899 (Qld): misappropriation (s 408C);
  - Criminal Code (WA): fraud (s 409(1));
  - Criminal Code Act 1924 (Tas): dishonestly acquiring a financial advantage (s 252A(1)), and inserting false information on data (s 257E);
  - Criminal Code 2002 (ACT): obtaining financial advantage by deception (s 332), and general dishonesty (s 333);
  - Criminal Code (NT): criminal deception (s 227);
  - Criminal Law Consolidation Act 1935 (SA): false identity (s 144B), and misuse of personal identification information (s 144C).

Criminal Code Act 1995 (Cth)

- Part 10.8 of the Criminal Code Act, s 480.4 provides:

  A person is guilty of an offence if the person:
  a) dishonestly obtains, or deals in, personal financial information; and
  b) obtains, or deals in, that information without the consent of the person to whom the information relates.

  Penalty: Imprisonment for 5 years.

Other relevant Commonwealth legislation

1. Spam Act 2003 (Cth);
2. Trade Practices Act 1974 (Cth);
3. Privacy Act 1988 (Cth);
4. Trade Marks Act 1995 (Cth).

4. US Position

- Federal offences:
  1. Identity theft (18 U.S.C. 1028 (2000));
  2. Wire fraud (18 U.S.C. 1343 (2000 & Supp. II 2002));
  3. Access device fraud (18 U.S.C. 1029 (2002));
  4. Bank fraud (18 U.S.C. 1344 (2000)).

- Internet users are also protected by the:
  - Truth in Lending Act (15 U.S.C. 1643(a)(1) (2000)); and
  - Gramm-Leach-Bliley Act (15 U.S.C. 6821(b) (2000)).

- The Identity Theft Penalty Enhancement Act, enacted in 2004, established a new crime of ‘aggravated identity theft’ – using a stolen identity to commit other crimes.

- Most states have criminal and consumer protection laws that deal with identity theft.

- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), enacted in 2003.

Anti-Phishing Act of 2005

- Anti-Phishing Act of 2005, a bill to create two new crimes that prohibit the creation or procurement of:
  1. a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft;
  2. an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.

5. Difficulties with a legislative response

1. Phishing is difficult to deter as the normal barriers to offline crime do not apply.
2. Phishers are able to appear and disappear remarkably quickly, making their identification and prosecution difficult.
3. Jurisdictional issues.
4. Phishers are often found to be judgment proof.

6. Other methods of combating phishing

- Information security technology solutions:
  1. Strong website authentication;
  2. Mail server authentication;
  3. Digital signatures and/or gateway verification.

- Internet users should also use spam filters on email, anti-virus software and personal firewalls.

- Internet users should look for signs that the email they have received is a phishing email:
  - deceptive addresses;
  - emails addressed to a generic name rather than a username;
  - unexpected requests for personal information;
  - alarmist warnings;
  - mistakes.
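The five warning signs listed above can be turned into a simple mail-filter heuristic. The following is an added example written for this text, not code from the slides or from the speaker: it parses an RFC 822 message with Python's standard `email` library, checks each sign in turn (a From display name claiming a brand whose real domain differs from the sender's, or a link to a bare IP address; a generic salutation; a request for passwords or card details; alarmist wording; common misspellings) and counts how many are present. The brand-to-domain list, the regular expressions, the misspelling list and both sample messages are constructed for illustration and would be replaced by an organisation's own data.

```python
"""Heuristic scorer for the five warning signs on the slide: deceptive
addresses, a generic salutation, unexpected requests for personal
information, alarmist warnings and spelling mistakes.  Added example; the
brand list, patterns, misspelling list and sample messages are constructed."""

import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr
from ipaddress import ip_address

# Brands a phisher might impersonate in the From display name, with the
# domain each one really sends from (constructed; use your own list).
IMPERSONATED_BRANDS = {"example bank": "examplebank.example",
                       "example pay": "examplepay.example"}

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|user|member|client)\b", re.I | re.M)
PERSONAL_INFO = re.compile(
    r"\b(password|pin|credit card|card number|account number|"
    r"tax file number|social security)\b", re.I)
ALARMIST = re.compile(
    r"\b(urgent(ly)?|immediately|suspended|within \d+ hours|"
    r"will be (closed|terminated|locked))\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
# Misspellings that recur in phishing mail (constructed; not a spell-checker).
MISSPELLINGS = {"suspendded", "verifiy", "recieve", "acount", "securty"}


def _host_is_ip(host: str) -> bool:
    """True for links whose host is a bare IP address rather than a name."""
    host = host.split(":")[0].strip("[]")
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_indicators(raw_message: str) -> dict:
    """Map each of the slide's warning signs to True/False for one message."""
    msg = message_from_string(raw_message, policy=default_policy)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    # Deceptive address: the display name claims a brand whose real domain is
    # not the sender's, or a link points at a bare IP instead of a hostname.
    brand_mismatch = any(
        brand in display_name.lower()
        and sender_domain != real and not sender_domain.endswith("." + real)
        for brand, real in IMPERSONATED_BRANDS.items())
    ip_links = any(_host_is_ip(h) for h in URL_HOST.findall(text))

    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    return {
        "deceptive_address": brand_mismatch or ip_links,
        "generic_greeting": bool(GENERIC_GREETING.search(text)),
        "requests_personal_info": bool(PERSONAL_INFO.search(text)),
        "alarmist_warning": bool(ALARMIST.search(subject) or ALARMIST.search(text)),
        "spelling_mistakes": bool(words & MISSPELLINGS),
    }


def phishing_score(raw_message: str) -> int:
    """Count of warning signs present (0-5); three or more is suspicious."""
    return sum(check_indicators(raw_message).values())


# Constructed sample messages (not taken from the slides).
PHISHING_SAMPLE = """\
From: "Example Bank Security" <security@examplebank-verify.example>
To: customer@example.net
Subject: URGENT: Your account will be suspended
Content-Type: text/plain; charset=utf-8

Dear Valued Customer,

Your account has been suspendded due to unusual activity. You must
verify your password and credit card details within 24 hours or your
account will be closed permanently.

Click here: http://198.51.100.23/examplebank/login
"""

LEGITIMATE_SAMPLE = """\
From: "Example Bank" <notices@examplebank.example>
To: customer@example.net
Subject: Your March statement is available
Content-Type: text/plain; charset=utf-8

Hello Jane,

Your March statement is now available in online banking. Log in the way
you usually do; we will never ask for your login details by email.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(name, phishing_score(sample), check_indicators(sample))
```

Run as a script it prints a score of 5 for the constructed phishing message and 0 for the constructed statement notice. The scorer is deliberately a checklist rather than a classifier: each indicator is cheap, explainable to the user who receives the warning, and maps one-to-one to the signs on the slide, which is what makes it usable as a gateway rule or as a user-education aid.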

Conclusion

- Issue: legislation vs technology

- Professor Lawrence Lessig has argued that architecture or ‘code’ is better than traditional law in cyberspace because law regulates ‘through the threat of ex post sanction, while code, in constructing a social world, regulates immediately’.
  Lawrence Lessig, ‘The Constitution of Code: Limitations on Choice-Based Critiques of Cyberspace Regulation’, 5 CommLaw Conspectus 181, 184 (1997).

- As we wait for technological improvements, companies and consumers need to be aware of the phishing threat and use existing technology and common sense to reduce the instances of successful phishing attacks.

- If companies and consumers fail to respond, phishing will have caught us hook, line and sinker.

Creative Commons License

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/au/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.


