Amazon Targets Phishers in Lawsuits
In three cases filed Sept. 27 in King County Superior Court in Washington, Amazon accuses up to 60 unidentified defendants of sending unsolicited e-mail that appeared to come from Amazon. The e-mails told consumers that they needed to confirm their account details due to recent activity, asking them for login and financial information on a Web page that mimicked Amazon's.
"We work really hard to gain the trust of our customers," said David Zapolsky, vice president and associate general counsel at Amazon. "When people use our name to get around spam filters or to try phishing, we're concerned that could exploit our customer trust."
Fellow Seattle-area company Microsoft helped Amazon develop the cases and joined it in pursuing two additional ones. In one, filed in U.S. District Court in Seattle, the companies are suing Gold Disk Canada, alleging that three Canadian men spoofed the Amazon domain to avoid spam filters at MSN and Hotmail. Yahoo sued Gold Disk and its operators, Eric, Matthew and Barry Head, in March as part of the first wave of lawsuits under the federal CAN-SPAM Act.
By teaming up, Zapolsky said, Amazon and Microsoft can pursue spammers from multiple angles, with Microsoft using legal remedies for Internet service providers and Amazon pursuing claims on trademark infringement and cyber-piracy grounds.
In another case filed in U.S. District Court in Seattle, Microsoft sued Leonid Radvinsky, alleging the sending of e-mails that spoofed Amazon's domain. Amazon already filed a lawsuit against Radvinsky that is set to go to trial in May 2005, the company said.
In August 2003, Amazon filed 11 lawsuits against individuals and companies in the United States and Canada that it alleges sent e-mail mimicking Amazon in order to defraud consumers. At the same time, the New York attorney general's office announced a settlement with Cyebye.com on charges it spoofed Amazon's domain name in phishing attacks. Four of those cases have been settled, Zapolsky said.
According to the Anti-Phishing Working Group, a coalition of businesses fighting the problem, these frauds have grown sharply in the past year. The group reports 1,974 phishing attacks in July, with a 50 percent average monthly growth rate. The Gartner Group estimates phishing fraud cost $1.2 billion in damage in 2003.
The prevalence of phishing is a threat to a company like Amazon, which sends millions of e-mails yearly to confirm purchases and market to customers. In August 2003, Amazon set up an e-mail address to which customers can send messages they suspect came from phishers. Though Amazon is not a top target for phishing scams, Zapolsky said it has received "tens of thousands" of messages to the account, some of which helped develop cases against phishers.
In one case Amazon filed, it alleges the defendants sent e-mail appearing as if it came from Amazon. The message told users their Amazon account was accessed improperly and they would need to verify their user name, password and credit card information. The e-mails linked to a Web page set up to collect the information.
The Anti-Phishing Working Group estimates that phishing attacks like this garner a 5 percent success rate. Banks, online retailers and credit card companies are the most common brands used by phishers.
"Any company that does business online that has an account-based system can be a target," said Quinn Jalli, director of privacy at Digital Impact, a San Mateo, CA, e-mail service provider.
Zapolsky said Amazon regularly reminds customers that it will not ask them for financial information in e-mails. The Amazon Web site features a guide for avoiding e-mail fraud.
Citibank, U.S. Bank and eBay, the three brands most often hijacked by phishers, have devoted sections of their Web sites to e-mail fraud, to help educate consumers. The companies also set up e-mail accounts for customers to send suspect e-mails.
Along with its efforts to track down phishers and educate consumers, Amazon has endorsed efforts to establish e-mail authentication technologies to eradicate phishing scams, which depend on forged e-mail addresses. The e-tailer supports both Microsoft's Sender ID technology and the open-source Sender Policy Framework protocol.
"People shouldn't be waiting for authentication to solve this," Jalli said. "There's a lot of damage to be done in the interim."