Friday, March 29, 2024

Malware And Spear-Phishing Soar, Helping To Drive Rise in Breaches

 

While the payments business continues to fret about data breaches, new information emerged this week that helps explain how such pernicious leaks happen, and why they’re happening with increased frequency. While notable breaches like the one at Sony earlier this year steal headlines, cybercriminals are plundering accounts at organizations large and small.

One big reason is that malware, or bits of code planted on victims’ computers to collect logon credentials and other sensitive information, is booming, according to the Anti-Phishing Working Group, an 8-year-old organization that tracks phishing and malicious code. The APWG’s latest trend report, released this week and covering the second half of 2010, indicates more than 10.4 million new malware samples were registered by Panda Security, a contributor to the report, or about 17% of all samples detected since 1990. “Cybercriminals’ crimeware development efforts were more than redoubled” during the period, the APWG says in a statement accompanying the report.

Some 55% of the malware consists of so-called Trojans, which are aimed specifically at taking control of bank accounts belonging to businesses and consumers. The Trojans, which are undetectable, can allow fraudsters to remotely initiate funds transfers or make bogus bill payments.

At the same time, incidents of so-called spear-phishing are also rising fast. In this technique, fraudsters target specific employees within companies who are known to have control over funds movement. As in conventional phishing attacks aimed at consumers, these victims receive e-mails intended to gull them into revealing key credentials or downloading malware. While such incidents are harder to count than the consumer variety, the APWG says they began to increase in the latter half of 2010 and continue to boom this year.

“There are an increasing number of reports where spear-phishing is used as part of a sophisticated attack to gain access into a corporation's network by infecting a targeted employee's computer,” Dave Jevans, chairman of the APWG and of the security firm IronKey Inc., Sunnyvale, Calif., said in the APWG statement. “This trend is accelerating in 2011, and is responsible for many high-profile corporate data breaches.” What’s more, these spear-phishing e-mails “usually evade” filters set up to stop spam and viruses, the APWG says.

The effectiveness of both malware and spear-phishing was thrown into relief by a notice posted this spring by the Federal Bureau of Investigation. In it, the FBI said it is investigating cases in which fraudsters attempted to siphon $20 million out of corporate accounts in the U.S. between March 2010 and April 2011; actual victim losses totaled $11 million. The fraud, made possible in part by spear-phishing, compromised computers used by officers at small and medium-size companies with access to funds. Fraudsters transferred the cash to accounts belonging to legitimate “economic and trade companies” in China, near the Russian border, the FBI said. Wire transfers ranged from $50,000 to $985,000 each.

The cybercriminals used several types of malware, including the infamous ZeuS code, which can steal legitimate multi-factor credentials that allow criminals to log into online-banking sites with actual names, passwords, and token IDs, according to the FBI.

By contrast, conventional phishing activity dropped over the six months ending in December. Reports received by the APWG slid from 26,353 in July to 21,020 in December. The December volume is only about half the record high of 40,621 reached in August 2009. Similarly, the number of hijacked brands ended the year at 279, little changed from July’s 274, though the number spiked to 335 in September. The all-time high of 356 occurred in October 2009.

While payment services had been the most targeted business sector earlier in 2010, financial services took over this dubious honor in the second half, accounting for more than half of all phishing attacks in the fourth quarter. Newer sectors like social networking (4% of attacks) and gaming (5%) also registered as significant targets in the quarter.

 


Digital Transactions