The Changing Face of Online Fraud
By Tom Schmidt
Not that long ago, some officials were declaring the war against spam all but won. The Federal Trade Commission as recently as December 2006 published a "state of spam" report, citing research indicating that spam had leveled off or even dropped during the previous year.
But lately there have been disturbing signs that spam is staging a comeback -- and becoming more widespread than ever. In fact, some reports suggest there is twice as much spam circulating today as a year ago. What's worse, researchers attribute this resurgence in unwanted email to so-called "image spam" that is often tied to fraudulent penny stock schemes.
As this article will show, online fraud continues to evolve at a steady pace, forcing enterprises to be increasingly vigilant about this cyber menace.
Beware of 'pump and dump' schemes
The rise of image spam shows once more that, when traditional methods fail, spammers and fraudsters turn to more sophisticated techniques. Image spam, by using pictures instead of words, can evade filters set up to detect text-based ads. Concentrated stock spamming has the ability to send share prices of penny stocks soaring.
As John Reed Stark, chief of the Securities and Exchange Commission's Office of Internet Enforcement, told MSNBC's Red Tape Chronicles blog, attempts to manipulate stock prices through email are nothing new. The SEC has prosecuted some spam "pump and dumpers" and suspended trading in firms after it discovered a spam campaign. But the agency can hardly keep up with the millions of stock spams that are proliferating today.
Red Tape Chronicles' Bob Sullivan writes: "Stock spam is effective because no Web link is required. In old-fashioned spam, criminals generally try to trick recipients into clicking on a link and buying something. Many email programs now block direct Web links from emails, rendering click-dependent spam much less effective. But stock messages merely have to make the recipient curious enough about a company to motivate him or her to buy a few shares through a broker."
The monthly percentage of spam dedicated to touting stocks varies between 20% and 40%, reports suggest.
One way companies combat image spam is by turning off all images arriving in inboxes. But this can be an extreme measure, as it bars harmless pictures as well. The best defense may be the delete key -- and a heavy dose of skepticism when investing based on anonymous tips. As the SEC's Stark told Red Tape Chronicles: "Never invest based on spam."
A plethora of phishing threats
Spammers aren't the only ones evolving their practices to entice the unwary. Phishers are also adding new variants to their list of scamming tricks -- and doing so in record numbers.
New figures released by Netcraft in January show that the number of phishing URLs soared in 2006. Perhaps most alarming is that almost half the total came in a single month -- December.
According to the company, which monitors the incidence of phishing sites through its browser toolbar, the number of phishing sites rose from 41,000 in 2005 to 609,000 in 2006. Of these, 277,000 unique URLs were detected in December alone, with 457,000 cumulatively in the last three months of the year.
Netcraft attributes this sudden rise to the availability of phishing-creation kits, known collectively as "Rockfish" (or "R11"), which automate the rapid creation of scam Web sites. These tools allow sophisticated domain management, including webs of sub-domains, as part of the battle to overwhelm anti-phishing systems with vast numbers of short-lived sites that are impossible to keep tabs on or block.
Researchers speculate that this sharp increase may also be a result of attempts by attackers to bypass filtering technologies by creating multiple randomized messages. These messages attempt to phish the same brands, but include slight variances -- such as variations in the URLs included in the phishing message -- in order to bypass the use of basic email scanning techniques.
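The campaign-level view a defender wants against the randomized sub-domains and URL variants described above, as an added example that is not from the article or from Netcraft: an exact-URL blocklist sees every variant as new, while grouping by registrable domain and a normalized path template collapses the campaign into one entry. The hostnames are constructed (.test domains, not real indicators), and the two-label domain heuristic is a simplifying assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: one campaign against the same brand, randomized
# per message with throwaway sub-domain labels and path tokens, plus one
# unrelated URL. These are made-up .test names, not real indicators.
SAMPLE_URLS = [
    "http://secure-login.a8f2.example-bank-verify.test/acct/9f1d/index.php",
    "http://secure-login.k03z.example-bank-verify.test/acct/72ab/index.php",
    "http://update.qq17.example-bank-verify.test/acct/c4e0/index.php",
    "http://www.example-bank.test/online/login",
]


def registrable_domain(url: str) -> str:
    """Collapse a host to its last two labels.

    Assumption: no public-suffix list is consulted, so hosts under
    country-code second-level domains (e.g. co.uk) are not handled here.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def path_template(url: str) -> str:
    """Replace path segments that look like random hex/numeric tokens
    (any digit present) with a placeholder, so randomized paths match."""
    path = urlparse(url).path
    return re.sub(r"/[0-9a-f]*\d[0-9a-f]*(?=/|$)", "/<rand>", path)


def cluster_campaigns(urls):
    """Group URLs by (registrable domain, path template).

    Exact-match filtering treats each randomized URL as unseen; this key
    stays stable across the whole campaign and can drive blocking or alerts.
    """
    groups = defaultdict(list)
    for u in urls:
        groups[(registrable_domain(u), path_template(u))].append(u)
    return dict(groups)


def exact_match_count(urls) -> int:
    """How many distinct entries an exact-URL blocklist would need."""
    return len(set(urls))
```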
Traditionally, phishing has used a combination of spam, spyware and bogus Web sites to lure unsuspecting victims into entering their credit card and bank account numbers into computer systems. In the latest variation on this scam, so-called "vishing" attacks bring voice systems into play.
Posing as a legitimate organization, a visher typically sends an email directing the recipient to place a phone call to a toll-free number to clear up an alleged problem with an account. Users who dial the specified number are then directed by an automated voice system to enter their account number and PIN on the phone keypad. The result: the scammer has gained access to the user's personal data.
Stay protected
Clearly, with scammers employing increasingly sophisticated spamming and phishing techniques, data protection needs to extend beyond the reach of traditional anti-virus products. Fortunately, the latest security products now integrate protection not just from viruses and worms, but also from spam, spyware and other malware.
For today's enterprises, such techniques are essential because phishers in 2006 demonstrated that they really mean business. Their attacks have become more frequent, more varied, and quite frankly, more innovative. At the same time, none of this is new. Attackers are constantly adapting their approaches to increase their success rate.
Evasive, stealthy, and aggressive Internet threats are on the rise, and the speed of a security vendor alone isn't enough. It's a security vendor's ability to catch tough, tricky threats in a timely manner that really counts.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.