Digital Transactions Authoritative, insightful and timely information for payments professionals
Not only is the sheer volume of phishing attacks rising, but the sophistication by which fraudsters are fooling unwitting Internet users is increasing, as well, according to a recent report from the Anti-Phishing Working Group. The organization of law-enforcement agencies, security-software companies, and payment networks says it observed several new and insidious trends emerge in January. In one case, it says, hackers began using specially scripted URLs to redirect victims from popular Web sites to their bogus Web pages. By using this so-called cross-site scripting technique, they hope to thwart blocking technology and also benefit from the trust users have for well-known sites. In an example, it says hackers were funneling users through the Lycos search engine. “By crafting a URL, the hacker can redirect any end user through Lycos directory to their fraudulent page,” says the group in its report on January phishing activity. The APWG reasons that this activity may lie behind a decline in January in the number of phishing sites with no host name, to 53% from 63% in December. The group also observed what it calls a “significant” rise in the use of malicious code in January as a way of capturing victims' keystrokes. Although e-mail is well-known as a delivery mechanism for so-called trojans, or malicious software that embeds itself on computers and logs users' keystrokes, the APWG says it is seeing such attacks through Microsoft Messenger as well as through Web sites. In the latter case, the code installs itself on victims' computers when they visit the sites. “Also common,” the report says, “are blended attacks which use combinations of e-mail, instant messaging, and Web sites to gain access to systems.” Also on the rise is the use of malicious code to seize control of users' machines so that criminals can use them to host phishing sites and broadcast phishing attacks. In a note in its report, the group says the number of phishing sites not using port 80 is rising, reaching 9.53% in January, leading its experts to conclude that “the number of machines that are compromised and are being used to host [phishing] attacks is growing.” Statistically, the phishing problem only grew worse in January, with the APWG reporting 12,845 new, unique phishing e-mails from 2,560 sites. The number of unique e-mails is up 42% from December, and is the result of a 30% average monthly rate of growth since July, when only 2,625 e-mails were reported to the group. The population of phishing sites, meanwhile, rose fully 47% in January from December's 1,740, with the July-to-January average monthly growth rate clocking in at 28%. The average length of time online for phishing sites in January was 5.8 days, with the longest-lived site staying up for 31 days. Meanwhile, the number of brands whose names were commandeered by fraudsters in January was 64, up from 56 in December. All told, some 140 financial-service and retail companies have been targeted by phishers since the APWG began tracking the problem in November, 2003. In a typical phishing scam, criminals send e-mails to consumers that appear to come from trusted institutions or companies. The messages usually mimic the target companies' graphics and slogans and try to trick recipients into visiting bogus sites, where they are prompted to enter confidential data, such as passwords, PINs, and account numbers. The problem is widely seen as a threat to the growth of electronic transactions online, since it undermines consumers' trust in doing business on the Internet.
