Internet fraude
Páginas: 15 (3534 palabras)
Publicado: 12 de marzo de 2012
76
October 2006/Vol. 49, No. 10 COMMUNICATIONS OF THE ACM
IS SERIOUS INTERNET FRAUD
Fake Web sites fool the unwary into divulging personal data, undermining all consumers’ trust in e-commerce, no matter how trustworthy the authentic online business truly is.
IDENTITY THEFT topped the list of consumer complaints about fraud, according to the U.S. Federal Trade Commission’s annual reportfor 2005, accounting for 255,000 of the more than 686,000 complaints filed with the agency in 2005 (www.ftc.gov/opa/2006/01/toptenhtm). A prepared statement by the FTC to the U.S. House of Representatives March 30, 2006 [11] said identity theft victimizes nearly 10 million Americans, with costs to businesses and consumers of almost $53 billion in 2003, a 79% increase over 2002 [9].
Illustration byGerard DuBois
WHY SPOOFING
By Tamara
Dinev
COMMUNICATIONS OF THE ACM October 2006/Vol. 49, No. 10
77
Figure 1. PayPal (April 2004) spoof site (screenshots rescaled). Fake PayPal URL appears directly over the Internet Explorer address bar, but the IE icon overlaps the first two letters (ww) of the URL in the top screenshot. The Web page on the bottom is reached if a newlyregistered user is unsuccessful logging in.
The phenomenon of Web spoofing, or creating hoax Web sites that closely mimic real sites in order to extract personal financial information from unwary Web visitors, is an increasingly popular form of online scam that contributes to identitybased credit and financial fraud and threatens to undermine consumer confidence in Internet shopping and banking [3].The FBI has referred to spoofing as “the hottest, and most troubling, new scam on the Internet ... contributing to a rise in identity theft, credit card fraud, and other Internet frauds” [2]. Approximately 30 such hoax attack sites are detected each day, even as many more go undetected [12]. Major U.S. businesses and government Web sites (such as BestBuy [5], eBay, PayPal [10], the InternalRevenue Service [8], and the Massachusetts State Lottery), as well as several banks (Citibank being the most frequently targeted [4]), report being victimized. Records of attacks and statistics are available through www.antiphishing.org, a Web site maintained by the Anti-Phishing Working Group, an industry association that aims to eliminate the identity theft and fraud that result from phishing andemail spoofing. It was founded by Tumbleweed Communications along with a number of member banks, financial service institutions, and e-commerce providers. In 2003, Amazon.com, eBay, McAfee Security, Microsoft, Verisign, Visa, and other online retailers formed the Coalition on Online Identity Theft, aiming to raise awareness and educate the public about the growing threat of Web spoofing and how todefend against it [9]. It works with the FTC, the U.S. Department of Justice, and other federal, state, and local law enforcement agencies to design policies, enforcement methods, and penalties against online scams.
78
October 2006/Vol. 49, No. 10 COMMUNICATIONS OF THE ACM
Table 1. Properties of a typical spoof site with examples from a PayPal spoof attack (April 2004).
Description andTechnologies
Convincing email. Achieved through spoofing the sender’s email address (service@paypal.com) with subject “Notification of PayPal Limited Account Access.” HTML body with JavaScript hides the real URL link. Convincing logos and layout. The spoof site uses logos found on the real site to imitate its appearance. All the links are functional, leading to pages self-contained within the Web site,as in the Figures.
Giveaways
The email’s salutation is nonpersonal (“Dear smith@aol.com”), rather than the real name. Alternatively, it may use “Dear PayPal User” or “Dear PayPal Member.” Short-lived. Most spoof sites are available for only a few days-just enough time for the attacker to phish a sufficient number of users. Usually the same Web site appears on another server, followed by...
October 2006/Vol. 49, No. 10 COMMUNICATIONS OF THE ACM
IS SERIOUS INTERNET FRAUD
Fake Web sites fool the unwary into divulging personal data, undermining all consumers’ trust in e-commerce, no matter how trustworthy the authentic online business truly is.
IDENTITY THEFT topped the list of consumer complaints about fraud, according to the U.S. Federal Trade Commission’s annual reportfor 2005, accounting for 255,000 of the more than 686,000 complaints filed with the agency in 2005 (www.ftc.gov/opa/2006/01/toptenhtm). A prepared statement by the FTC to the U.S. House of Representatives March 30, 2006 [11] said identity theft victimizes nearly 10 million Americans, with costs to businesses and consumers of almost $53 billion in 2003, a 79% increase over 2002 [9].
Illustration byGerard DuBois
WHY SPOOFING
By Tamara
Dinev
COMMUNICATIONS OF THE ACM October 2006/Vol. 49, No. 10
77
Figure 1. PayPal (April 2004) spoof site (screenshots rescaled). Fake PayPal URL appears directly over the Internet Explorer address bar, but the IE icon overlaps the first two letters (ww) of the URL in the top screenshot. The Web page on the bottom is reached if a newlyregistered user is unsuccessful logging in.
The phenomenon of Web spoofing, or creating hoax Web sites that closely mimic real sites in order to extract personal financial information from unwary Web visitors, is an increasingly popular form of online scam that contributes to identitybased credit and financial fraud and threatens to undermine consumer confidence in Internet shopping and banking [3].The FBI has referred to spoofing as “the hottest, and most troubling, new scam on the Internet ... contributing to a rise in identity theft, credit card fraud, and other Internet frauds” [2]. Approximately 30 such hoax attack sites are detected each day, even as many more go undetected [12]. Major U.S. businesses and government Web sites (such as BestBuy [5], eBay, PayPal [10], the InternalRevenue Service [8], and the Massachusetts State Lottery), as well as several banks (Citibank being the most frequently targeted [4]), report being victimized. Records of attacks and statistics are available through www.antiphishing.org, a Web site maintained by the Anti-Phishing Working Group, an industry association that aims to eliminate the identity theft and fraud that result from phishing andemail spoofing. It was founded by Tumbleweed Communications along with a number of member banks, financial service institutions, and e-commerce providers. In 2003, Amazon.com, eBay, McAfee Security, Microsoft, Verisign, Visa, and other online retailers formed the Coalition on Online Identity Theft, aiming to raise awareness and educate the public about the growing threat of Web spoofing and how todefend against it [9]. It works with the FTC, the U.S. Department of Justice, and other federal, state, and local law enforcement agencies to design policies, enforcement methods, and penalties against online scams.
78
October 2006/Vol. 49, No. 10 COMMUNICATIONS OF THE ACM
Table 1. Properties of a typical spoof site with examples from a PayPal spoof attack (April 2004).
Description andTechnologies
Convincing email. Achieved through spoofing the sender’s email address (service@paypal.com) with subject “Notification of PayPal Limited Account Access.” HTML body with JavaScript hides the real URL link. Convincing logos and layout. The spoof site uses logos found on the real site to imitate its appearance. All the links are functional, leading to pages self-contained within the Web site,as in the Figures.
Giveaways
The email’s salutation is nonpersonal (“Dear smith@aol.com”), rather than the real name. Alternatively, it may use “Dear PayPal User” or “Dear PayPal Member.” Short-lived. Most spoof sites are available for only a few days-just enough time for the attacker to phish a sufficient number of users. Usually the same Web site appears on another server, followed by...
Leer documento completo
Regístrate para leer el documento completo.