Digital Transactions Authoritative, insightful and timely information for payments professionals
A new tactic used by Internet fraudsters is causing a dramatic upsurge in the number of Web sites hosting phishing attacks. The number of fake sites phishing fraudsters use to con Internet users into giving up PINs, passwords, and other confidential information soared to 37,444 in October, up nearly nine-fold from October 2005, according to the latest statistics from the Anti-Phishing Working Group. The number of phishing attacks, as reported to the group, hit 26,877, up 21% from September but even with August and still below June's record volume of 28,571, says the APWG report, which covers both September and October and was released last week. The APWG attributes the run-up in spoofed sites to fraudsters' use of multiple subdomains, an effort the group says is intended to foil computer filters, like those embedded in browser toolbars, that identify known phishing sites and display warnings to users. The phishers are “rapidly deploying variants [of URLs} that have not yet been added to the blocking lists or 'black lists' of phishing URLs,” the latest report says. The report says most of the subdomains were used in phishing assaults against “one frequently phished financial institution,” which the group does not name. As a result of this tactic and a new methodology the APWG now uses to sort out these variants, the group has re-stated the number of phishing sites for August, to 19,660 from 10,091. Even so, the population of fake sites spiraled upward 25% in September before surging again in October. The upsurge in phishing activity showed itself in other ways, as well. Internet fraudsters hijacked a record number of online brands in October, most of them banks and other financial-services companies. The list of such brands hit 176 in the month, breaking the previous record of 154, set in July. “Larger numbers of smaller banks and credit unions are being spoofed and subject to phishing attacks,” says the report. Meanwhile, the number of unique password-stealing applications, malicious code used by phishers to pick up sensitive information as users enter it, grew to a record 237, up from 216 in September, reversing a trend that had seen this number decline steadily to as low as 172 in August. The number of sites hosting this code, however, dropped to 1,800, the lowest number reported since February. A consortium of electronic payments networks, financial-services companies, software vendors, and law-enforcement agencies, the APWG has been tracking phishing trends for three years. In phishing frauds, criminals use e-mail messages dressed up with faked logos of trusted brands, such as those of major banks, to trick users into visiting sites where they can be induced to enter PINs or other information useful in online theft. The increase in this activity concerns banks, merchants, and other organizations that fear it could undermine consumer confidence in the online channel.
