The complex phishing attack is thought by many to involve at least one person on the inside of the carbon trading business.
Phil D'Angio, director and online security expert at authentication and security specialist VeriSign, said that it comes as no surprise that fraudsters have targeted the lucrative business of emissions trading.
These types of attacks, he explained, can be countered with a robust two-factor authentication process, such as using an additional password sent to the mobile phone of the person submitting registration details.
"Two factor authentication has been used successfully by the banking and retail sectors for some time now, and is a proven measure against phishing scams", he said.
Background information
Carbon credits are a key component of national and international attempts to reduce growth in concentrations of greenhouse gases. One carbon credit is equal to one tonne of carbon dioxide.
The goal of the scheme is to allow market mechanisms to drive industrial and commercial processes in the direction of low emissions – i.e. less carbon intensive approaches – than those used when there is no cost to emitting carbon dioxide into the atmosphere.
There are also companies that sell carbon credits to commercial and individual customers who are interested in lowering their carbon footprint on a voluntary basis and it is this market that the phishers have actively targeted.
According to BBC reports, an estimated 250 000 permits worth over 3 million euro have been stolen, resulting in emissions trading registries in a number of EU countries being temporarily shut down this week,
The criminals involved are thought to have capitalised on a procedure in which companies within the global carbon market can buy carbon permits from other firms which allow them to email greenhouse gases.
Having created fake emissions registries, the criminals are believed to have sent emails to thousands of firms in New Zealand, Norway and Australia to trick them into divulging the registration details needed for the fraudsters to steal their emissions permits.
According to D'Angio, phishing scams are most often seen targeting consumers, requesting banking customers to reconfirm account information for example.
"However, the concept is always the same. People are duped into entering sensitive data into fraudulent sites, resulting in them or their companies losing money or crucial information", he said.