Phishing shows no signs of slowing


Phishers set another all-time record in December by creating -- and then quickly dumping -- over 1,700 bogus sites that tried to dupe users into giving up private information, the Anti-Phishing Working Group (APWG) said last week as it released its newest report on the scam scheme. 

The number of phishing websites -- sites created by criminals who lure consumers to them on the pretext that they need to confirm or re-enter lost credit card or bank account details -- jumped another 10 percent in December over November, reaching 1,707. Since August, when just 731 such sites appeared, the month-to-month increase has been a dismaying 24 percent.

APWG's tally of unique phishing e-mail campaigns also climbed in December -- to a new record of 9,019 -- but the boost over November was a measly six percent.

"The days around Christmas the numbers were off a bit," said Dan Hubbard, the head of Websense's security labs, which analyses the data for the APWG. "Phishers take time off, too."

Also on the up-tick was the number of brands targeted by attacks. In December, 55 different companies or organisations were victims of attacks. That's an old trend, noted Hubbard, but one that bears watching as ever smaller firms are put in the cross-hairs.

"Targets are becoming smaller and smaller," he said, "and are starting to include very small banks not only in the Midwest [US], as before, but also now on the East coast [US]. We're starting to see phishing attacks directed at institutions I've never even heard about."

One other noticeable difference during December, said Hubbard, was the even larger share of financial firms among the targets of phishing campaigns. In the past, financial institutions such as banks, credit card companies, and payment providers (like PayPal) have accounted for 75 percent of all targets. In December, however, the category was the bull's-eye for 85 percent of all attacks. That took Hubbard a bit by surprise.

"We thought with the Christmas season, more phishing attacks would cover ecommerce sites, like eBay." That didn't happen, proving again that phishers, like the famous bank robber Willie Sutton, hit banks "because that's where the money is."

The APWG again put the spotlight on the upper end of phishing attacks: those that not only reel users in to bogus sites, but also stock those sites with malicious code that can infect visitors running unpatched or vulnerable browsers and operating systems.

"As the criminals realise they can make more money at this, they figure out smarter ways of getting it," said Hubbard. "Not only are they taking advantage of browser and OS vulnerabilities -- this will be a trend moving forward in 2005 -- but there are some hints that attackers are looking at alternative methods to email [to tempt users to sites], like instant messaging and peer-to-peer networks."

Even search engines are being put into play by some phishers. By copying the techniques of more primitive scammers -- online sellers who, for instance, take the money but never ship the product -- to get their sites listed in the big search indices of, say, Google, Yahoo, and MSN, phishers are managing to attract some victims without resorting to e-mail at all.

"Phishers could start using the same techniques to get people to go to malicious sites," said Hubbard, where they'd be infected with backdoor components or keyloggers that watch for password and other account access data.

They're also getting trickier in how they use the sites they put up and then take down, said Hubbard. Although the average lifespan of a phishing website has held steady at around six days, Hubbard said that increasingly, the criminals behind phishing are putting up a site, bringing it down, then putting it back up again, often for an entirely different purpose.

"They'll use the same IP address one time to steal passwords, then the site will go away, then it'll come back online as a site hosting maliciously-coded graphics," he said.

Copyright (c) 2005 CMP Media LLC
