New Multi-Group Attack against Phishing, ID Theft Scams
Read the full report (PDF)
This report is a call for action against phishing. For purposes of this report, phishing is defined as using the Internet to fraudulently gather personal data about a consumer. Phishing is also perpetrated by telephone, but the focus of this report is how to help stop phishing in the online context.
Phishers use the personal information they steal from consumers for gain, such as by hijacking — taking money from — a customer account, and to commit identity theft.
Origins of the Report: The Anti-Phishing Retreat
A major theme of this report is the need for the various “good guys” to work together in the fight against phishing. The report emerges from a unique and fruitful collaboration of the National Consumers League with major sponsors American Express, First Data, and Microsoft, as well as numerous stakeholders in the fight against online fraud against consumers. The National Consumers League convened a 40-person retreat from September 28-30, 2005 at the Harbourtowne Conference Center in St. Michael’s, Maryland. Participants are listed in Appendix 2. While a few agencies and organizations could not be included in the list because of legal constraints, all participants were fully engaged in the process and contributed to the outcome. Listing here is not an endorsement by each person or their organization of the specific content of the report.
Peter Swire, a Senior Fellow at the Center for American Progress, was the “reporter” – the lead drafter – of the report itself.
Participants: The retreat brought together experienced persons from many perspectives relevant to the fight against phishing. Participants included persons from: consumer groups; academia; financial services firms; Internet service providers (ISPs); online retailers; computer security firms; software companies; consumer protection agencies; law enforcement agencies; and existing coalitions such as the Anti-Phishing Working Group, the National Crime Prevention Council, and the National Cyber Security Alliance.
Format of the Retreat and Goals: The retreat was professionally facilitated under the leadership of Dr. Phyllis P. McDonald of Johns Hopkins University. It began with a debate which contributed some important ideas and provided context for the discussions to follow. After presentations about how phishing works, how to think strategically about threats, what challenges phishing presents to different sectors, and how other challenges have been creatively addressed, participants were split into working groups. They met intensively to discuss the problem and generate recommendations for action. The groups then came together to share and discuss recommendations. The goal was to produce solutions that are workable on a technical, economic, and legal basis.
Outline of the Report
Understanding the Phishing Problem
Part I: The Internet Fraud Battlefield
Part I looks at phishing by examining The Internet Fraud Battlefield. A white paper and diagram of the Internet fraud battlefield, attached as Appendix 4, helps the reader understand the different methods of attack that have developed.
Part II: The Large and Growing Problem of Phishing
Part II documents The Large and Growing Problem of Phishing. In addition to direct losses due to fraud, the much larger costs are loss of consumer confidence in the Internet. Recent surveys show that some consumers have already cut back their use of the Internet due to worries about fraud. More generally, there is fear that the growth of the online sector, and thus of the U.S. economy, will slow unless online activities become safer and are seen as safer by consumers.
Part III: The Lifecycle of the Phisher
In order to develop anti-phishing strategies, Part III looks at The Lifecycle of the Phisher. For the fraud to be effective, the criminals must go through six phases: plan; launch attack; gather personal data; research how to use data; attempt crime; and launder the proceeds. Analysis of this lifecycle gives the defenders — the various stakeholders fighting fraud — ideas of how to interrupt the criminal enterprise.
Part IV: Recommendations for Action
The report offers seven principal recommendations for action. The first four recommendations are to support key, known responses. The next three are to develop promising new approaches that were generated during the retreat. Some of these recommendations are already being implemented in some settings. In summary, the recommendations are as follows:
1. Support greater consumer education.
2. The consumer experience must be “secure by design.”
3. There must be better user and site authentication.
4. There must be better tools for effective investigation and enforcement.
5. Learn from the lifecycle of the phisher.
6. ISPs and domain name owners can cooperate on white lists.
7. Use black lists to create a “phishing recall” approach.
In summary, intensive discussions at the retreat support a call to action against phishing. There are key measures that are already known but which deserve renewed support, such as consumer education, “secure by design,” improved authentication, and better tools for investigation and law enforcement. There are also promising new approaches. The lifecycle of the phisher offers as-yet-untapped opportunities to disrupt criminal activity. New collaboration on white list and black list approaches also would likely achieve more than any one type of stakeholder could achieve on its own. Retreat participants agreed that it is imperative to work together in a systematic approach to the phishing problem. The recommendations in this report form a comprehensive action plan for combating phishing more effectively. Some of the strategies recommended in this report, such as improving authentication and building security into design, have already been embraced by many. The goal of this report is to encourage wide adoption of these anti-phishing strategies.