An Online Boom: Phishing Numbers Hit New Highs in May

The number of unique phishing attacks and the population of Web sites involved in the online fraud both hit all-time highs in May, following a disturbing trend of dramatic month-to-month increases since late 2005, according to the Anti-Phishing Working Group. Reports of unique attacks?discrete e-mail blasts sent to consumers by fraudsters?reached 20,109 last month, according to the APWG's latest report. That's 15% more than in April, and represents the first time the measure has cracked the 20,000 plateau. Meanwhile, unique hosting sites came to 11,976 in May, up 8% from April. In both cases, the numbers took a pronounced upward turn towards the end of last year, and have been generally trending up ever since. This is especially true of phishing sites, a number that shot up suddenly in December?by more than 2,500 sites?and again in January, the APWG numbers show. Rounding out the bad new for online marketers and transaction processors, the number of legitimate consumer brands used by phishing fraudsters in their attacks also climbed markedly in May, reaching a record high at 137. That's up from 92 in April, and breaks the old record of 121 set in December. Financial-services companies account for the bulk of the hijacked brand names, at 92%, with Internet service providers (3.6%) and retailers (1.5%) accounting for most of the remainder. The number of sites hosting malicious software, such as keyloggers, used by online fraudsters dipped in May, to 2,100 from 2,683. But the number of unique applications of this malware found by the APWG jumped to 215 from 180. The APWG is an organization of payments networks, software firms, and law-enforcement agencies that tracks trends in phishing. Phishing involves the use by criminals of e-mail messages sent to online consumers that use the logos, slogans, and other indicia of trusted brands to dupe recipients into visiting bogus Web sites to enter passwords, PINs, and other data the fraudsters can use to loot accounts. In some cases, malware installed by the fraudsters automatically redirects unwary users to such sites, even when they type in the addresses of legitimate sites, such as banks or other financial-services firms.