Digital Transactions Authoritative, insightful and timely information for payments professionals
The crime of phishing entered midsummer doldrums, offering some relief to financial institutions, merchants, and other organizations engaged in e-commerce, according to the latest report from the Anti-Phishing Working Group. The number of unique e-mail attacks dropped 17%, to 23,917, in July, while the population of sites launching attacks dipped slightly to 30,999, the fourth straight month of decline. More good news came in the statistics for brand names targeted by phishing fraudsters. This number fell to 126 from 146 in June. That's down from a near-peak of 174 in April. Financial institutions, particularly large ones, continue to be by far phishers' favorite targets, accounting for 94% of all attacks. But now around half of these big bank targets are European institutions, says the APWG, a consortium of payment companies, software vendors, and law-enforcement agencies. Nonetheless, “there are continued low-level attacks against a great many U.S. credit unions and smaller banks,” notes Dave Jevans, chairman of the APWG, in the report. The group has also started tracking the number of unique brand-domain pairs, pointing out that in many cases fraudsters use multiple URLs to attack a single brand. Knowing this, an e-commerce operation can act to get the domain shut down, which is more effective than acting against individual URLs. “The difference between an ISP shutting down a phish site and a registrar or registry suspending the phishing domain is substantial,” Laura Mather, senior scientist at MarkMonitor, says in the APWG report. “When an ISP shuts down the phish site, the phisher can use another ISP to host their domain. When a registrar or registry suspends a domain, the phisher must start over with a new domain. Action by the registrar or registry is the only way to guarantee that the phish site is truly eradicated from the Internet.” MarkMonitor performs some of the data collection and analysis for the monthly APWG report. E-commerce security officials may be having some success in this effort. The average uptime for a phishing site is now 3.6 days, the shortest duration recorded so far by the APWG, which has been tracking phishing fraud since 2003. Not all the news in the report is good, however. The number of unique applications of malware?malicious code such as keyloggers that swipe passwords as users enter them?crept up to 257 from 222 in June, while the number of URLs detected hosting such Trojans jumped to 3,200 from 2,660. Also, while down in July, the number for phishing attacks represents no improvement from July 2006, when the number of unique e-mail campaigns was 23,670. And the population of phishing sites is more than double the 14,191 detected a year ago.
