Pharming for profits

02.06.2005
By Mark Willoughby

Following Deep Throat's advice to "follow the money," hackers today are committing fraud at alarming rates, using sophisticated, multilayered "pharming" botnets that point to the need for new forms of authentication to secure e-mail originators as well as Web site destinations.

A four-member panel of cybercrime fighters dissected the ominous "phishing without a lure" pharming attacks in an "eCrime Calling" workshop at the InBox e-mail security conference here in San Jose, co-sponsored by the Anti-Phishing Working Group.

Oliver Friedrichs, security manager at Symantec Corp.'s security response center, said the increase in pharming attacks has produced a steep rise in cybercrime statistics. The company's DeepSight global Internet sensor network recorded a 360 percent increase in phishing or pharming e-mails during the last half of 2004. DeepSight's 2 million honeypots and 4,000 devices recorded 9 million phishing e-mails for the last half of 2004, dwarfing the 2 million identified in last year's first six months. In a phishing scam, e-mail messages that look like they come from a legitimate Web site, such as a bank, are sent to users to lure them into entering sensitive information.

"It's a huge turn of events, from hacking for fun to hacking for profit," Friedrichs said. Phishers are taking advantage of "drive-by" installations, he said, injecting malware into some of the 21 vulnerabilities identified in Internet Explorer in the last half of 2004, as well as the 13 vulnerabilities identified in the Mozilla and Firefox browsers. The drive-by browser exploits place the infected machines into remote-controlled zombie botnets.

DeepSight analysis shows that 54 percent of all malware is designed to harvest confidential information from users, up from 44 percent in the second half of 2004 and 36 percent in the first half, Friedrichs said. Once machines are infected, the botnets' top targets are financial services companies, followed by manufacturers.

"Phishers are sending e-mail with confidential information to multiple fake Web sites appearing to be an eBay or PayPal," said Jon Oliver, MailFrontier's director of research. "The sending botnets are being formed in many cases before the fake servers have been installed. The sophistication has grown tremendously."

Panelist Dan Hubbard, director of research at Websense Inc., said the "profit motive for phishing is very sizable. The hit rate is high, and the financial returns are quite good" as phishers develop more-sophisticated, "all-in-one" payloads that can proxy a server with a fake Web site, log keystrokes and redirect traffic.

Pharming attacks are the most ominous, said Scott Chasin, chief technology officer at MX Logic. Pharming, or maliciously redirecting a browser to a site to collect confidential data, "shows a weakness in the infrastructure of the Internet and an inability to protect the application layer."

Pharming methods, such as Domain Name System cache poisoning, will become more sophisticated, Chasin said, because they hide the hacker's tracks. Once hackers have learned how to fully exploit stealthy pharming techniques, Chasin said, we are likely to see historical exploits and threat vectors redeployed into a feeding frenzy of self-propagating predatory hacking.
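As an added illustration, not from the article or any of the panelists, here is a small Python check of the kind a defender could run to spot the redirection that pharming relies on: a hosts-file override of a watched domain, or a local resolver answer that disagrees with an out-of-band reference view. All domains, addresses, hosts-file lines and resolver answers below are constructed sample data.

```python
"""Pharming detection heuristics over constructed resolver and hosts-file data."""
from ipaddress import ip_address

# Constructed sample: domains a bank or ISP would watch for silent redirection.
WATCHED_DOMAINS = {"bank.example", "pay.example"}

# Constructed hosts file: a trojan has pinned bank.example to a bogus address,
# which the stub resolver consults before it ever sends a DNS query.
SAMPLE_HOSTS = """127.0.0.1 localhost
# comment line
203.0.113.9 bank.example www.bank.example
"""

# Constructed resolver views: 'local' is what the possibly poisoned cache
# returns; 'reference' is what an independent resolver (or the zone's
# published records) returns for the same names.
SAMPLE_LOCAL = {"bank.example": {"203.0.113.9"},
                "pay.example": {"198.51.100.7"},
                "shop.example": {"192.0.2.30"}}
SAMPLE_REFERENCE = {"bank.example": {"192.0.2.10", "192.0.2.11"},
                    "pay.example": {"198.51.100.7"},
                    "shop.example": {"192.0.2.30"}}


def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment, well-formed) line."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ip_address(ip)                      # skip malformed entries
        except ValueError:
            continue
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def detect_pharming(hosts_text, local_answers, reference_answers, watched):
    """Flag watched domains overridden locally or resolving to unexpected hosts."""
    findings = []
    hosts = parse_hosts(hosts_text)
    for domain in sorted(watched):
        if domain in hosts:
            findings.append((domain, "hosts-file-override", hosts[domain]))
        rogue = local_answers.get(domain, set()) - reference_answers.get(domain, set())
        if rogue:
            findings.append((domain, "resolver-mismatch", ",".join(sorted(rogue))))
    return findings
```

A mismatch is a signal, not proof: legitimate sites served from CDNs return different addresses per vantage point, so the reference set should be the zone's full published record set rather than a single lookup.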

Fighting this new pharming environment requires new forms of authentication for users and e-mail originators, as well as for e-mail destinations and Web sites, Chasin said.

"The knowledge of end users always lags the sophistication of hackers. How are we going to detect when fraud happens so quickly? We're also going to need to monitor and evaluate behavior in the core and more-sophisticated filtering in edge-based sensors."

Panelists agreed that e-mail protocols have huge security gaps. "The industry is going to need to come together to create a broad spectrum of solutions," MailFrontier's Oliver said.

"The flaws in e-mail have been known for a long time, but there wasn't a need to fix them," agreed Symantec's Friedrichs. "Now the criminals are coming from the woodwork, leveraging these flaws we haven't fixed in a decade."

Chasin said Internet service providers will need to shoulder some of the burden in reducing threats.

"The nature of the pharming threat is outbound," Chasin said. "Service providers should inoculate their networks -- it's a real opportunity for industry and government."

Last week, the Federal Trade Commission launched its antizombie awareness campaign, aimed at 3,000 service providers in 30 countries in an effort to thwart the more than 150,000 PCs hijacked into zombie botnets daily.

Hackers also are becoming specialized, according to the panelists. Some hackers excel in hijacking PCs into zombie botnets with drive-by attacks. These specialists make their botnets available to hackers skilled in launching phishing or pharming campaigns. The confidential information gleaned often is turned over to "cashers," or transaction specialists, with expertise in using the stolen information in fraudulent transactions and spiriting the gains into secret bank accounts.

In some cases, the cashers may need to dispose of merchandise used in, or gained from, phishing and pharming attacks. To dispose of the merchandise, cashers call upon a network of relays who sell the stolen goods. Frequently, the relays are recruited online with attractive offers to "earn money from home." Often they are far removed from the actual phishing or pharming attack and unaware that they are participating in an illegal scheme.