Digital Transactions Authoritative, insightful and timely information for payments professionals
Recent reports concerning the dual online threats of phishing and malware indicate mixed news: the phishing threat is down as measured by number of incidents, but fraudsters' use of malicious code to steal passwords and re-direct unsuspecting Web users is increasing steadily. Postini Inc., a Redwood City, Calif.-based producer of e-mail security systems, reports the volume of e-mail sent by phishers dropped fully 90% in August, to 1.84 million messages out of more than 14 billion the company processed. Meanwhile, the Anti-Phishing Working Group's report on phishing activity in July shows the number of reported incidents fell 6% that month to 14,135 (the APWG measures incidents, each of which may encompass millions of actual e-mail messages). This is the fewest number of reported attempts the organization has seen since March. However, both organizations express caution. Postini says the seemingly dramatic drop last month may reflect the normal fluctuation seen with relatively new online phenomena rather than any real impact on the phishing threat. “Phishing is still a new enough phenomenon that we are not surprised to see this kind of month-to-month fluctuation,” said Andrew Lochart, senior director of marketing for the company, in a statement. “This drop-off in August should not give people a false sense of security and cause them to let their defenses down.” Also, the APWG, a consortium of payments networks, retailers, banks, and law-enforcement agencies, found an alarming rise in the use of keystroke loggers and other malware in phishing attempts. The number of unique applications stealing passwords grew to 174 in July from 154 in June and only 79 in May, while the population of Web sites grabbing passwords from unsuspecting visitors via keyloggers ballooned to 918 from 526 in June and 495 in May, the group reports, attributing the figures to Websense Security Labs. The APWG says it also saw un upward trend in the number of trojans that redirect online users from legitimate sites to fake sites set up by fraudsters. One such trojan displays a correct Web address but loads the fake site. Once users enter their passwords and user names they are redirected to the real site. This same malware acts as a keylogger, recording all keystrokes once it detects the user has accessed a banking site. In phishing attacks, criminals collect sensitive personal information from Internet users, which they can then use to commit fraud or identity theft. They typically gather the information by sending e-mails using graphics, slogans, and language that mimic those of a trusted banking or retail Web site The e-mails usually exhort the unsuspecting recipient to visit a site where they are asked to enter personal information, such as passwords or Social Security numbers. These sites, too, are tricked out to look like the real thing. The phishing trend has accelerated over the past two years and is closely watched by financial-services and retail officials worried about its impact on e-commerce.
