Online KMWorld CRM Media, LLC Streaming Media Inc Faulkner Speech Technology
Other ITI Websites
American Library Directory Boardwalk Empire Database Trends and Applications DestinationCRM Faulkner Information Services Fulltext Sources Online InfoToday Europe KMWorld Literary Market Place Plexus Publishing Smart Customer Service Speech Technology Streaming Media Streaming Media Europe Streaming Media Producer Unisphere Research



Magazines > Searcher > October 2007
Back Index Forward
 




SUBSCRIBE NOW!
Vol. 15 No. 9 — October 2007
FEATURE
Phish Pharming
A Newer, More Profitable Aquaculture

by Paul S. Piper
Librarian, Western Washington University


Protect Yourself!!

Watch out for any sense of desperation in email messages from institutions. Avoid reacting out of fear or panic. A quick call to the institution can usually validate or invalidate any problem.

Look for any misspellings or obvious errors in the text of the email message or the URL. With many of these scams generated overseas in non-English-speaking environments, errors of this type are quite common.

Never click links in an email message purporting to come from a financial institution or a business with which you may share security interests. If you think the message might be valid, open your Internet Browser and go directly to the institution to check your account for any problems. Or, call them.

Choose different passwords for different accounts . One friend ingeniously uses the first item purchased at each ecommerce site. For financial institutions, use something unconnected to personal information that a hacker might find. How about your favorite cheese spelled backwards?

If you have questions regarding the authority of any emails, check with a local librarian. Librarians are service-oriented and typically up-to-date on Internet scams and hoaxes. They will be more than happy to assist you in problems of this nature. Oops! You are the librarian? Well, now you can help your patrons stay as safe as you are.
Sometime back I received an email from Bank of America (BOA). The message said that there had been an usual number of failed attempts to access my account and they recommended that I log in and change my login and password. Without giving it too much thought, I clicked the link provided, which took me to a Bank of America Web page that featured a login. But here I paused. Call it natural wariness, but I’d heard about scams of this nature. Even though everything looked on the up-and-up, I decided to call my local Bank of America and speak to someone about the matter. After a few holds and re-directs, I was finally connected to a branch manager who informed me that Bank of America never sends emails of this nature. He urged me to send the email to its fraud center, which I did, but before I did, I examined it again. I could find absolutely nothing about the logo, design, format, even the URLs to tip me off that the message was fraudulent. Only my natural skepticism had protected me.

A few weeks ago before the idea for this article had fully hatched I heard an NPR report on Morning Edition 1 about a similar experience. In this report, Scott London, an attorney in Santa Barbara, a man who calls himself “Internet savvy,” fell victim. This time it was an email from PayPal that came shortly after an eBay purchase. The email directed him to a Web site that looked identical to the authentic PayPal site. Here London put in his password, only to realize, after money began disappearing from several of his accounts over the next few days, that something was wrong.

While emails are the phishing venue of choice, scamsters also utilize listservs, mail groups, and social networking sites such as MySpace. Oddly enough, many people involved in phishing scams do not use the personal information they harvest themselves. They sell it. Symantec stated, in an article by MSNBC’s columnist Herb Weisbaum, 2 that active debit or credit card accounts currently trade from $1 to $6, while a stolen identity (bank account information, date of birth, Social Security Number, etc.) sells for $14 to $18. The information is traded like commodities on underground marketplaces. It also reports, to no one’s real surprise, that home computers are the prime target, garnering 93 percent of targeted attacks. Symantec’s Internet Security Threat 3 [http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport] reports that its security software blocked 8.5 million phishing messages a day in the last half of 2006, an increase of almost 20 percent over the first half of the year. In addition, it counted more than 160,000 unique phishing messages, an average of 904 new ones per day.

According to Avivah Litan, 4 a research director with the IT company Gartner, phishing cost the U.S. economy $929 million in 2005 with the cost expected to rise dramatically.

A Brief History

Phishing is an attempt — typically using email or Internet social spaces such as MySpace — to obtain sensitive personal information such as usernames and passwords, Social Security Numbers, credit-card numbers, and so forth. According to Wikipedia [http://www.wikipedia.org], the first documented mention and use of the word phishing appeared on an AOL Usenet Group on Jan. 2, 1996, or it may have appeared earlier in the hacker magazine 2600. Early AOL phishing typically involved creating bogus AOL accounts or pirating existing accounts for the purpose of distributing pirated software. For the latter, the mechanism was a familiar one. The attacker would send an email, purportedly from AOL, to an authenticated AOL user asking them to verify account information. Once the user did this, the attacker could gain access to the user’s account.

The transition from AOL to financial institutions seemed to crystallize with an attack on E-gold during June 2001, followed by a rash of post 9/11 scams, many asking for ID checks and account verification. While many of these attempts were relatively unsuccessful, it was certainly a trial-and-error period; by 2004, phishing had become a full-fledged international, highly lucrative, criminal activity.

Below is an example of an early phishing email used with permission from http://www.privacyrights.org:

Subject: eBay Account Verification
Date: Fri, 20 Jun 2003 07:38:39 -0700
From: “eBay” <accounts@ebay.com>
Reply-To: accounts@ebay.com

To:

Dear eBay member,

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our Website, we are undertaking a period review of our member accounts.

You are requested to visit our site by following the link given below:

http://arribba.cgi3.ebay.com/aw-cgi/ebayISAPI.dll?UpdateInformationConfirm&bpuser=1

Please fill in the required information.

This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the eBay Experience.

Thank you

Accounts Management

As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.

Copyright © 1995-2003 eBay Inc. All Rights Reserved.

Designated trademarks and brands are the property of their respective owners.

Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.

How?

While phishers use a variety of techniques, most of them share a basic approach, using counterfeit emails that mimic the look of valid institutions (everything from PayPal to the IRS) and attempt to direct the recipient to a specific URL which, by several methods, gleans personal information from the email recipient. Perhaps the most pernicious aspect of phishing is that it manipulates a person’s sense of trust, confidence, and security for two reasons: Phishers counterfeit emails and other correspondence from reputable and legitimate companies, while, quite literally, invading the security and comfort of one’s own home, study, or office. These are the places we feel most secure and least likely to be attacked.

Link Manipulation

This early phishing technique involves using a fake URL to send the victim to a counterfeit Web site. Primarily, this approach uses subtle misspellings in the URL, such as www.bankofanerica.com or uses subdomains. Subdomains are URLs that include the authentic URL as a subdomain, for example www.bankofamerica.com.finance.com. Other methods involve using an @ sign in the URL (such as www.bankofamerica.com@investigativebranch.com) or maybe non-U.S. Internationalized Domain Names (IDNs), such as www.bankofamerica.kn. None of these URLs will send the victim to the authentic Bank of America Web site, but rather to a counterfeit site that looks like an authentic Bank of America site:

I’ve reprinted it below since it’s difficult to read:

From: SERVICE@capitalone.com [mailto:”Capital OneBank, CapitalOne, F.S.B”]
Sent: Tuesday, March 13, 2007 8:50 AM
To: undisclosed-recipients:
Subject: Notification From: Capital One Bank, Capital One, F.S.B
Importance: High

Dear Capital One Bank, Capital One, F.S.B., Member,

Because of unusual number of invalid login attempts on your account, we had to believe that, their might be some security problem on you account. So we have decided to put an extra verification process to ensure your identity and your account security. Please click the link bellow:

https://service.capitalone.com/oas/login.do?objectclicked=LoginSplashID=?COB

It is all about your security. Thank you. And visit the customer service section.

Capital One Bank, Capital One, F.S.B., members FDIC. 2007 Capital One Services, Inc.

Capital One is a federally registered service mark. All rights reserved.

Capital One ID: COB495886838

I asked Dmitri Alperovitch 5 of SecureComputing [http://www.securecomputing.com] to comment on this email. Here is his response:

“This is a typical phishing email. The URL that is displayed to the user shows a legitimate link to the bank Web site (in this case Capital One). However, the actual URL that a user will be directed to when they click on it is http://218.64.70.24:8080/oas.service.capitalone.com/login.doobjectclickedLoginSplash.htm. In this case, the phishing site is hosted on a server in Nanchang, China.”

Also, note the misspellings throughout the piece, e.g., the spelling of the word “below”: “Please click the link bellow.” Life continues to be in the details.

Like the Universal Man-in-the-Middle phishing kit discussed below, the Rock Phish toolkit made its way into circulation in late 2005 and is still one of the most popular phishing kits. Rock Phish, like virus-making kits, is designed for use by individuals with minimal technical know-how. The kit allows a single Web site with multiple DNS names to host a variety of phishing Web pages. You can identify these kits by the pattern in their URL: http://{ domain name} /r1/{ letter} Where the letter is usually the first letter of the bank or company.

Counterfeit Pages

Counterfeit pages are another common device in phishing scams. In a nutshell, these pages mimic the look, feel, and functionality of genuine pages. Scammers are incredibly effective at creating these pages, even going so far as to use JavaScript to alter the address bar so the URL looks authentic. Another example of counterfeit pages used in phishing scams employs what is called cross-site scripting. Acunetix, a Web security company, carries information about this phenomenon 6 and defines cross-site scripting (CSS or XSS) as “a hacking technique that leverages vulnerabilities in the code of a Web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.” Pure HTML code is relatively stable and has little dynamic vulnerability, but most sophisticated Web sites contain scripting language that interacts with a Web browser in a number of ways. Hackers and scammers can maliciously manipulate and infect this code (JavaScript, VBScript, ActiveX, HTML, or Flash) to harvest personal information. To an end user, it appears that one is interacting with an authentic Web site, which is true, only the site has been compromised. Netcraft initially reported a major attack of this kind involving the Internet company PayPal. 7 A user visiting the fake PayPal Web site saw a message inserted into the genuine PayPal site. The message read: “Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center.” The user was then redirected to an external server that presented a counterfeit PayPal Member log-in page.

Man in the Middle

The man-in-the middle (MTIM) method is one of the most effective, state-of-the-art, and also scariest of all phishing techniques. Using this method, scam artists do not have to counterfeit authentic Web pages, they proxy themselves between the customer and the authentic Web page. From this vantage point, they can observe and record any transaction they wish. This form of attack works with both HTTP and HTTPS communications. For this attack to work, the customer must be directed to the proxy server instead of the real server. This is done invisibly to the user.

These attacks work on local area network communication, local to remote (via a gateway) communication, and remote communications. There are several methodologies, such as ARP poisoning (Ethernet attack allowing attacker to find data on a LAN), DNS spoofing (making a DNS entry point to a different IP), and so forth, but the two techniques most widely used by MTIM fraudsters are probably the transparent proxy and DNS poisoning attacks. I’ll explain these in a minute, but first let’s examine the scam from the customer’s perspective.

You receive an email telling you that Chase Manhattan is upgrading their computer system and they “lost” some of your personal information. The email asks you to go to the institution’s Web page and re-enter your personal information, which includes name, address, phone number, Social Security Number, and authentication questions and answers. The email uses Chase Manhattan’s logo, addresses you personally, and looks on the up-and-up. At the bottom of the message, you see a link to the institution [http://www.chase.com]. You are cautious, however, and half-expect the Web site behind the link to be fraudulent. It’s not. You read the information, follow links, perhaps even open another browser window and compare the two pages. It checks out. So you log in to update your personal information. Oops.

This system works by passing user information through a fraudulent URL, a proxy server behind the stated link. The user doesn’t know they are interacting with the authentic Chase site via a proxy server, a man-in-the-middle, invisible to them. Meanwhile however, the proxy server is intercepting all the information and data submitted to a target site in real time. The scamster now owns any and all information you’ve transmitted.

There is a product called the Universal Man-in-the-Middle Phishing Kit that allows a scam artist to relatively effortless construct one of these scams. It was discovered by the anti-fraud unit of RSA [http://www.rsa.com], the security division of EMC [http://www.emc.com], as a free trial on one of the online fraudster forums monitored by RSA. The kit is called “universal” because it can be easily configured to “import” pages from any target page.

Spear Phishing

Spear phishing is a targeted phishing scam. Many phishing scams rely on bulk spam emails sent out en masse. Spear phishing targets people who have an affiliation with a specific institution. For example, if you bank with Bank of America, you are not typically going to respond to an email from the Whatcom Educational Credit Union. However an email from Bank of America might pique your interest, particularly if it seemed to contain some personal information. One method of obtaining this information is to examine a potential victim’s browsing history. This can be done in several ways. In a fascinating article, Timing Attacks on Web Privacy: Paper and Specific Issue, 8 authors Felten and Schneider outline a method by which an attacking server detects what pages users visit. By fetching a URL from the target server and measuring the time it takes, this theoretically tells the fraudster if a browser’s local cache had the URL on file. If there are several financial institutions in there, it’s a safe bet that there might be some connection between the user and those institutions. This paper mentions other methods, including the examination and manipulation of cascading style sheets, malicious cookies, and other types of spyware, malware, and malicious sites that surreptitiously harvest browsing habits.

Spear phishing is also called “context aware” phishing, a phrase coined by Marcus Jakobsson in a paper entitled “Modeling and Preventing Phishing Attacks.” 9 In this article, Jakobsson demonstrates context aware phishing thusly: “A context aware attack is mounted using messages that somehow — from their context — are expected (or even welcomed) by the victim. To draw a parallel from the physical world, most current phishing attacks can be described as somebody who knocks on your door and says you have a problem with your phone, and that if you let him in, he will repair it. A context aware phishing attack, on the other hand, can be described by somebody who first cuts your phone lines, waits for you to contact the phone company to ask them to come and fix the problem, and then knocks on your door and says he is from the phone company. We can see that observing or manipulating the context allows an attacker to make his victim lower his guard.”

Where?

The origin of many phishing and other computer attacks stems from outside the U.S., though many control zombie computers and networks within the U.S. Small businesses and personal computers are the key targets. A zombie computer or network is a computer or network that has been taken over by other computers or networks, usually for malicious ends. According to Dave Jevans of the Anti-Phishing Working Group, 10 40–50 zombie networks are responsible for most of the phishing attacks in the world. A zombie computer or network are taken over by other computers or networks, usually for malicious ends. Symantec gives a different figure, or perhaps a different angle, claiming some 4,700 control and command servers exist worldwide. 11 These numbers undoubtedly include servers not directly involved in phishing. Symantec also estimates that there are more than 6 million bot-infected computers worldwide, many incorporated into networks. Whatever the numbers, and however the numbers are interpreted, it is clear that this level of organization represents significant and lucrative criminal activity. Marshal Corporation hosts a Web site [http://www.marshal.com/trace/phishing_statistics.asp] that graphs the country of origin for phishing attacks.

Pharming

Pharming is typically used in conjunction with phishing and the name itself is a combination of farming and phishing. Pharming allows a fraudster to redirect a Web site’s traffic to another (usually counterfeit) Web site. There are two primary mechanisms for pharming: altering the host file on the victim’s computer by use of implanted software, such as the Banker Trojan, or exploiting the vulnerability in DNS servers, previously called DNS cache poisoning. Of these, the latter has the potential to give the greatest bang for the buck and do the greatest harm. The net result of either of these is to send traffic intended for one URL, say Bank of America, to a counterfeit BOA site.

To alter a victim’s computer, the typical mechanism sends an email containing malware or passing malware through an unsecured Web site. Once on the victim’s computer, it can alter the URLs of various host files. This one-at-a-time approach is similar to phishing. DNS poisoning has far greater consequences. Since it happens at a server level, anyone who attempts to access certain Web pages through that domain server is sent to counterfeit sites. This can affect thousands of users in a short period of time.

Many legitimate business Web sites are attempting to combat pharming by using Pharming Conscious, or PhC, Web pages. These pages typically use an HTTPS Web protocol. If a Web page attempts to counterfeit a PhC Web site, the user gets a dialog box from the browser indicating that the Web site’s “certificate” doesn’t match the address visited. The user is then asked to click “Yes” to continue, a move that has potentially dangerous consequences. Several Web sites give in-depth, technical information on pharming, among them Pharming.org [http://www.pharming.org/index.jsp] and Wikipedia.

What Is Being Done?

Several groups are actively involved in monitoring phishing and related scamming methodologies. One of the most notable is the Anti-Phishing Working Group (APWG) [http://www.antiphishing.org]. The APWG is an international group dedicated to the reporting and eradication of phishing. The more than 2,600 members include 1,600-plus companies and agencies worldwide, eight of the top 10 U.S. banks, four of the top five U.S. ISPs, hundreds of technology vendors, and national and provincial law enforcement worldwide. The group sponsors a Web site, a newsletter, a number of reports, working groups and conferences. Its Web site also hosts a repository of phishing examples dating back to September 2003, but only running through 2005. In the December 2006 issue of its monthly report, “Phishing Activity Trends” [http://www.antiphishing.org/reports/apwg_report_december_2006.pdf], it was noted: “The number of recorded crimeware applications saw a major increase of 110 variants in December reaching 340, the greatest number recorded by the APWG — and the largest single-month increase ever recorded by the group.” While I was researching this article, several institutions and individuals steered me to this site.

PhishTank [http://www.phishtank.com] is a free community site where anyone can submit, verify, track, and share phishing information. Sponsored by OpenDNS [http://www.opendns.com], PhishTank attempts to validate submitted scams much the same way Snopes reviews and authenticates urban legends. As of the date of this writing, it had verified 12,096 submissions as authentic out of a total of 109,293 submissions. PhishTank contains perhaps the largest repository of phishing schemes on the Web [http://www.phishtank.com/phish_archive.php], a collection one can search by several criteria including “validated” and “online.” It also hosts a blog that does an excellent job of analyzing statistics, discussing case studies, and highlighting new anti-phishing software.

Stop-Phishing.com [http://www.indiana.edu/~phishing] is a group headed by the aforementioned Markus Jakobsson, a professor of informatics at Indiana University. Research-based, the information provided by this site is technical and future-minded. Jakobsson and his colleague Steven Myers have published a book on phishing entitled Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft (Wiley, 2006). This book is a wonderful resource for anyone wanting to look more deeply into the technology and complexity of this field.

Symantec [http://www.symantec.com] issues a biannual and extremely comprehensive report encompassing Internet security. Entitled the Internet Security Threat Report, you can find it at http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport. It makes fascinating reading and is guaranteed to scare the heck out of you.

User Education

The media has begun to turn more attention to phishing and other forms of identity theft. A search in Amazon leads to a number of hits, including Jakobsson’s book. These books span a wide degree of interest and expertise. Discussion groups, blogs, social network sites, and the Web at large are all replete with information. Wikipedia offers a great introduction to both phishing and pharming, with copious citations and links. The problem is that by the time a particular scam is identified, it begins to evolve into something different. Scamsters take advantage of the rapidly mutating technologic gene pool, as well as the dependency of most people on technology. And like all con artists, they manipulate basic human desires and emotions such as greed, fear, anxiety, and pride.

The easiest way to avoid becoming a victim of phishing attacks is to never click on a link in an email from an organization or business, particularly if the information is unsolicited. If you believe that the email has some validity, call the institution where the email purportedly originated and talk to someone.

Bank of America representative Betty Riess 12 told me, “We [Bank of America] do not send unsolicited emails to customers asking them to reply with any personal information, such as SS number or card PIN. In addition, we have an added layer of authentication — called SiteKey — that helps customers confirm that they’re at the legitimate Bank of America site.” SiteKey is a free service at Bank of America; it uses a combination of an image and questions to authenticate both the site and users. She also said that BOA provides “a toolbar that anyone can download from our Web site that helps identify known fraudulent sites.” The toolbar has an icon that turns red, yellow, or green to indicate the validity of the site. Bank of America, like many other corporations, employs security companies to thwart phishing attacks. BOA also hosts online information that details methods, trends, and examples of fraud, as well as security recommendations. For example, Bank of America warns customers to watch for the following fraudulent qualities of emails claiming to come from its organization:

  • Urgent appeals that claim your account may be closed if you fail to confirm, verify, or authenticate your personal information immediately
  • Requests for security information that claim that the bank has lost important security information and needs to update it online
  • Typos and other errors
  • Offers that sound too good to be true

Unfortunately, however, information and safeguards provided by institutions and security companies are not enough. The ultimate responsibility rests on the consumer. Christopher Soghoian 13 demonstrates a simulated attack on SiteKey and related technology on his blog [paranoia.dubfire.net] and claims that, even with this enhanced level of security, it is still possible for a man-in-the-middle attack to fool the user. In the words of Soghoian, graduate student in the School of Informatics at Indiana University, “The necessary feature that enables customers to login from computers that they have not used in the past (a new computer at home, an Internet cafe on vacation, etc.) — after being prompted for the answer to one of their security questions — enables a phisher to prompt the user with her security question, and display her SiteKey image and then steal her login information.” Co-evolution of malicious technologies to exploit safeguards is never-ending.

Technological Safeguards

Many security devices and fixes exist, both for institutions and individuals, but none are foolproof or all-inclusive. The most basic of these are spam-filtering software. Most ISPs have them in place and they work to varying degrees. Some, like Secure Computing’s IronMail, block threats at the gateway, while other solutions aim at blocking them from inside the browser.

Firefox 2, for example, contains Phishing Protection, a feature that warns users of suspected counterfeit Web pages. Phishing Protection is the default in Firefox 2; it works by checking sites against an updated list of known phishing sites. Microsoft’s IE 7 has a similar feature, and Opera 9.1 pulls directly from live lists at PhishTank and GeoTrust.

A number of antiphishing toolbars, such as the popular Netcraft Toolbar, are also available. These typically work by displaying the correct URL (rather than the URL stated in an email for instance) and assigning the page a risk rating.

Software used by corporations and government sites typically attempts to secure authentication, such as Bank of America’s Site Key product discussed above. Other “security skin” technologies rely on passing a user-selected image across the login form. Security companies wage a never-ending battle to monitor transactions, identify fraud, and attempt to track down and prosecute known attackers.

Adding personal security software — antivirus, antimalware, and so forth — also provides a level of security against implanted bots or programs.

Legislation

Patrick Leahy, the Democratic senator from Vermont, introduced the first act to deal specifically with phishing, the Anti-Phishing Act of 2005. It was later referred to the U.S. Senate Committee on the Judiciary, where it died. You can find the text of this bill at http://www.govtrack.us/congress/billtext.xpd?bill=h109-1099. The U.K. followed suit with the Fraud Act of 2006. A number of states have laws against phishing and cybercrime. For the state legislation, try http://www.ncsl.org/programs/lis/phishing06.htm.

Phishers have been prosecuted under a variety of antifraud and antitheft laws since 2004 and have been tracked down by agencies as diverse as the FTC, the FBI, the Secret Service, and policing agencies in Brazil, Japan, the U.K., and many other countries. There is actually a man who has been nicknamed the phishing kingpin. Valdir Paulo de Almeida was arrested in 2005 for the theft of more than $37 million. de Almeida apparently masterminded a scheme to raid bank and financial accounts by embedding a Trojan horse in an email sent to thousands of victims.

Companies such as Microsoft and AOL have also been instrumental in the prosecution of phishing and other forms of cybercrime, particularly by filing lawsuits.

Conclusion

Phishing is a new form of deception, and deception is as old as humankind. Phishing exploits the trust people have in their financial institutions and reputable businesses, as well as the underlying sense of security a person experiences in the safety of their own home or office. It also exploits our emotions, be it fear (your bank account is being compromised), greed (you have been chosen to win a Mexican cruise), or even hubris (I’ve won the lottery!). Phishing is an evolving craft and, while antiphishing information and technology tells us what not to do and gives us software to combat the fraud, new schemes keep on emerging. I asked Dmitri Alperovitch 14 of Secure Computing if he thought phishing was primarily the product of organized crime, rather than solo hackers/crackers. His response was informative. “A great number of phishing attacks these days are indeed perpetrated by sophisticated online organized criminal groups. The masterminds of these groups are now frequently discovered operating in Eastern Europe, the Middle East, Asia, and Latin America due to recent investigative aggressiveness demonstrated by North America and European law-enforcement, but members can be found in nearly every industrialized country.”

The complexity, intelligence, technological expertise, and universality of this problem is vast, as is the amount of money it can and does harvest. Attempts to steal personal identity and/or personal information will only become more sophisticated. While I would wish a gentler, more trusting world on all my readers, I have to end with a maxim used repeatedly by a friend of mine pursuing the Sufic path: “Be ever vigilant,” and as he adds, with an endearing grin, “sucka.”
 

Endnotes

1 Speer, Jack, “Your Money” (Morning Edition), Feb. 15, 2007 [http://www.npr.org/templates/story/story.php?storyId=7416265].

2 Weisbaum, Herb, “Cyber-attacks more aggressive than ever,” MSNBC, March 19, 2007 [http://www.msnbc.msn.com/id/17680243].

3 “Internet Security Threat Report,” Symantec, March 2007 [http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport].

4 Keizer, Gregg, “Phishing Costs Nearly $1 Billion,” TechWeb Technology News, June 24, 2005 [http://techweb.com/wire/security/164902671].

5 Alperovitch, Dmitri. Personal email interview, March 15, 2007.

6 “Cross-Site Scripting Attack,” Acunetix, 2007 [http://www.acunetix.com/websitesecurity/cross-site-scripting.htm].

7 “PayPal Security Flaw Allows Identity Theft,” Netcraft, 2007 [http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html].

8 Felten, Edward and Michael Schneider, “Timing Attacks on Web Privacy: Paper and Specific Issue,” Secure Internet Programming Laboratory, Department of Computer Science, Princeton University, 2000 [http://www.cs.princeton.edu/sip/pub/webtiming.pdf].

9 Jakobsson, Marcus. Modeling and Preventing Phishing Attacks, School of Informatics, Indiana University [http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf].

10 Mello, John P. Jr.Five Zombies Do All the World’s Phishing,” TechNewsWorld, Oct. 21, 2004 [http://www.technewsworld.com/story/37491.html].

11 “CSO Security Feed,” March 19, 2007 [http://www2.csoonline.com/blog_view.html?CID=32583].

12 Riess, Betty. Personal email interview, March 19, 2007.

13 Soghoian, Christopher, “A Deceit-Augmented Man-in-the-Middle Attack Against Bank of America’s SiteKey Service,” Paranoia Dubfire, April 10, 2007 [paranoia.dubfire.net].

14 Alperovitch, Dmitri (Ibid.).

Paul S. Piper is a Librarian at Western Washington University in Bellingham, WA. His e-mail address is paul.piper@wwu.edu.
       Back to top