Fake sites and Trojans used to trick victims out of credit card details

Phishing scammers who rely on trusted brands such as Citibank and HSBC to hook their prey are now turning to far simpler bait: e-commerce sites that look like the real thing but exist only to collect credit card information.

In a typical phishing scam, web users receive links to websites that resemble the legitimate online sites of well-known banks. After entering password information, customers find their accounts wiped clean.

Now, scammers are setting up fake storefronts to 'sell' popular items such as books, electronics and pharmaceuticals, using spam e-mails to drive traffic to the sites. Most sites are unbranded but use low 'prices' to attract customers. The sites, believed to be operated by the same Eastern European groups that run the phishing scams, collect credit card information from 'customers' and then shut down after a few days.

'These technology crime syndicates are trying to induce web users to use their credit cards, so often they associate themselves with a particular product or service,' said Catherine Kung, a channel sales manager at Websense.

According to the Hong Kong Police technology crimes division, technology crimes doubled to 588 cases last year from 272 in 2002, costing $7.6 million in financial losses compared with $3.9 million previously.

Meanwhile, security experts are warning against a new twist on phishing that utilises another web menace: spyware.

'Phishing can leverage on spyware, which relays personal information back to [a scammer's] host site,' Ms Kung said.

In this scam, web users do not necessarily have to enter their personal information at a fake site to fall victim. They only have to visit a site. When a user clicks through the bogus link to a fraudulent website and scrolls over the page, a Trojan horse containing a key logger is surreptitiously downloaded to the web user's computer.
The key logger records user names and passwords as the web user visits online bank sites, sending the information back to the scammer. Fraudwatch International reported a case recently in which internet browsers were directed to a website containing Trojans, and then redirected to the legitimate sites of online banks.

According to a Websense study, about 90 per cent of computers connected to the internet are infected with spyware. This figure, however, could be inflated as experts disagree as to what constitutes spyware. Cookies, which are often used by online marketers to track an internet user's movements on the web, are also used as a part of membership sites.

Pauline Wong, regional marketing manager at Yahoo!, said the portal giant used cookies as part of its services. 'Cookies are used to identify our users' profiles, but this is definitely not the same as spyware,' Ms Wong said.

Last month, at least a dozen HSBC customers were swindled out of HK$660,000 by a hi-tech syndicate believed to be based in Eastern Europe that used phishing e-mails to harvest personal details and steal money from their victims' accounts.

In Brazil, 53 people were arrested in a cross-state police crackdown for alleged involvement in a series of phishing scams involving the use of Trojan horses. About US$30 million was stolen from the online bank accounts of several financial institutions.

While there are plenty of free anti-spyware programs for download over the internet, more robust commercial software is available to companies wanting better protection. These solutions work by blocking access to sites that distribute spyware, preventing the transmission of network information to a scammer's host site.

Anti-virus solutions providers say they have set up 'honey pots', or unprotected PCs, to attract phishing scams, so the information can be used in the design of anti-virus and anti-spam solutions.
Graham Cluley, senior technology consultant at anti-virus solutions provider Sophos, said the safest protection against contracting internet viruses was abstinence, but his suggestion is likely to irk office workers who rely on the internet to break the monotony of their jobs. Mr Cluley said IT administrators might consider restricting employee internet access to just a handful of sites needed for work purposes, expanding the list only with the IT department's permission.