World of phishing exposed

We investigate the shifting of the main front in the music industry's battle against piracy: they now want ISPs to police networks for them, and look to have government backing.

14 Feb 2008

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to OUT-LAW Radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law.

Every week we bring you the latest news and in depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and this week we delve deep into the world of financial scams and find that con artists are as busy ripping each other off as they are us, and we hear about a software amnesty in Glasgow.

But first, the news:

Intel raided by European Commission

Government data loss victims warrant court successes unlikely.

Intel has been raided by European Commission competition officials just weeks before it faces a critical Commission antitrust hearing. It's the second time its European offices have been raided by officials conducting an investigation into the firm.

Intel is accused by the Commission of abusing its dominant position in the microchip market in order to exclude rival AMD. It's been under investigation since 2001 and was formally charged in July last year.

The company's offices in the UK, Germany, Italy and Spain were raided in 2005 as part of the investigation and last month the state of New York also announced an antitrust probe into the company's behaviour.

The Commission has accused Intel of offering discounts to computer makers who only use its chips, of paying manufacturers to delay or cancel products containing AMD chips and of selling chips below cost in the server market. It said the company had "an overall anti-competitive strategy".

Intel will face a hearing on those charges in the middle of March.

Victims of Government data loss are being encouraged to buy packs claiming to help them claim compensation. Thousands have paid out, but privacy lawyers have warned that success is very unlikely.

One arbitration company is selling packs for £5.99 that it claims will help some of the 25 million victims of the HM Revenue and Customs data loss last year make a compensation claim.

But privacy specialists at Pinsent Masons, the law firm behind OUT-LAW, have warned that there is a heavy burden of proof on compensation claimants under the Data Protection Act, and that any information people might need is already available for free.

"The DPA requires individuals to prove the link between the damage that was caused by the loss of personal data to the particular incident where the loss occurred," said Dr Chris Pounder, a privacy specialist at Pinsent Masons. "Compensation cannot be awarded by a Court just because an individual is very upset or angry."

The Information Commissioner's Office freely publishes information on how someone can seek compensation for any damage suffered from a breach of the Data Protection Act.

That was this week's OUT-LAW news.

Who do you think is behind the internet scams that manage to weasel your bank details out of you? Do you picture evil, geeky masterminds deploying the latest experimental technology to out-fox banks, security experts and your wit?

I bet you do, but you'd be wrong. In fact these people are more likely to be technical dunces using brute force and copy-cat fakery to trawl the web for our personal details.

Identity theft is a huge problem, and one of the main ways that people's identities are stolen is through phishing, spelt with a p-h. This is when someone emails you pretending to be from your bank and gets you to go to a fake bank site and enter your details, your user name and your password. They take them to find out more about you and clean out your bank account or get credit in your name or, in extreme cases, clone your entire identity – passports, credit cards and all.

It's always been assumed that these people are pretty smart, their techniques sophisticated. But security experts Nitesh Dhanjani and Billy Rios will tell the Black Hat hackers' conference in Washington next week that they found something entirely different.

Dhanjani gave us a sneak preview of what he found. He said it was incredibly easy to break into the world of phishing. Within minutes, he was sitting in front of just-stolen banking details.

Dhanjani: Within 15 minutes of starting this research we were staring at people's bank accounts to credit card numbers and ATM pin numbers, social security numbers posted on international message boards. And so within that span of 15 minutes we knew we hit on something big.

Magee: And did you do anything that I could - did you do anything that was particularly technically proficient?

Dhanjani: No and all the research we've done is just basically what you can do from a web browser without even crossing the line where it's called hacking. And we were able to find this much information. These sites - and they're currently still live today - showing three to four hour-fresh information about the victim's bank account, user names, passwords, challenge questions, ATM pins and social security numbers and you name it.

What was most shocking was that these were not technical masterminds. The people carrying out these frauds are using pre-made, readily available phishing kits.

Dhanjani: Phishers tend to distribute these kits where you have basically about 10 to 20 megabytes of a zip file that once you get the kit you download it and once you unzip it what you see in there is ready-made phishing sites, complete with logos and the server-side script to send the actual victim's email to the phisher. If you were a phisher you would get that kit, find a server that's already been compromised or you compromise it yourself, pick the directory of your choice from the phishing kit, deploy it and you're good to go.

These kits help people to fake banking sites and get our details. They are then used to gain fraudulent credit in our name, or to use our credit cards or to drain our bank accounts. The effect can be devastating as credit ratings are ruined.

There is a whole economy running in the background in which sets of details have definite value.

Dhanjani: We also have another whole underground of message boards where you can actually buy people's identities and one of the lingos they like to use is called fools, that is F-U-L-L-Z which basically means all the information you need about an individual to steal his or her identity and that could cost you in US Dollars anywhere from 50 cents to $15 depending on the quantity you buy and phishers like to trade this information for other identities like a barter system.

As we've established, though, the people behind the scams are not necessarily the smartest in the world. Dhanjani found that they themselves were being scammed, that the people who wrote the phishing kits were phishing stolen details from whoever then used them.

Dhanjani: Once we started looking at these so-called phishing kits we found evidence that phishers were phishing other phishers. Now one of the things we saw when we were going through the code for that is that there were two mail commands. And that intrigued us because we said "wait a second, why is this script emailing the victim's information to the phisher twice, right? You have to do it just once." And we realised that the second mail command there was a hard-coded email address that the victim's information was also going to. So unknown to the phisher deploying this kit the information from the victim is going to him in addition to the author who wrote the phishing kit. And so here you have a phisher phishing a phisher.

Though it's reassuring to think of the scammers being scammed, this is still a massive problem whose cost runs into billions of pounds and heartache for many.

Dhanjani says the only way to beat it forever is for the financial industry and governments to ditch static credit cards or national insurance numbers as identifiers and to use more sophisticated systems. But Dhanjani says the cost of these is higher than the cost of the fraud, so the status quo is likely to be our lot for some time to come.

Anti-piracy lobby group The Business Software Alliance recently decided on a new policy in their bid to eradicate pirated software from business. Taking a leaf out of real law enforcement agencies' books, it heralded an amnesty for pirates.

Targeting the high-piracy area of Glasgow, it wanted to encourage the majority of businesses which, it says, don't even know if they are using unlicensed software by reassuring them that they wouldn't be prosecuted if they submitted to an audit in the 30-day amnesty period.

The BSA's Julie Strawson said that Glasgow was something of a rogue code hotspot.

Strawson: We started looking at where we were getting the most reports of piracy and the most incidences of piracy throughout our general investigations - as you would do. So we focused on London a lot clearly because there's the density of businesses in London but we did notice quite surprisingly that Glasgow stood out initially.

So here, in a BSA radio ad, is how it put the frighteners on Glasgow's captains of industry.

BSA Radio Ad: Would you like to earn a £20,000 reward for reporting a company using illegal software? Companies using illegal or unlicensed software are breaking the law and costing jobs both locally and across the UK. If you'd like to help the Business Software Alliance fight software piracy and earn up to £20,000, please report any company using illegal software in complete confidence at

The BSA says that it got a major response, with hundreds of companies submitting to voluntary audits. Now it's chasing those that didn't, and on whom it has whistleblower information.

41 Glasgow companies now face legal action by the BSA based on information that employees passed to it.

Strawson: We have evidence that shows that they are using software illegally of course. That's very important. Then we have to take legal action and these 41 companies that we've mentioned were reported by individuals completely voluntarily to the BSA as having knowingly been using illegal software. So we have to do something about those companies and we will be taking action.

The BSA says it's happy with the campaign, and will now pursue a regional strategy. Next up, says Strawson, is Manchester.

Strawson: It's the first regional campaign and yes we will be repeating this format and the next city that we're going to be targeting is Manchester.

That's all we have time for this week, thanks for listening.

Why not get in touch with OUT-LAW Radio? Do you know of a technology law story? We'd love to hear from you on radio@out

Make sure you tune in next week; for now, goodbye.

OUT-LAW Radio was produced and presented by Matthew Magee for international law firm Pinsent Masons.