The amount of Internet fraud perpetrated using a practice known as “phishing” increased 52 percent from December to January, according to the Anti-Phishing Working Group (APWG).
In January, there were 176 new, unique attack types reported to the group, compared with 116 in December, the organization revealed in its monthly “Phishing Attack Trends Report.”
Ruses involving eBay, an online auction outfit, were most common during the period, with 51 unique attack types designed to hijack the company’s brand, followed by Citibank, with 35, and America Online, with 34.
Where Money Is
Since the APWG, an industry group focused on eliminating phishing on the Internet, began compiling numbers on phishing attacks in November, eBay has been a leading target, according to director of communications Dan Meyer.
“If you add to that the attacks against eBay subsidiary PayPal, which are pretty darn significant, as an organization, they’re getting a lot of fraud thrown at them,” he told TechNewsWorld.
Asked why eBay is such a darling of phishers, Meyer responded, “It’s like that bank robber Willie Sutton said: ‘It’s where the money is.’”
Phishing involves the mass distribution of “spoofed” e-mail messages with return addresses, links and branding that appear to originate from banks, insurance agencies, retailers or credit card companies. The bogus messages are used to persuade recipients to divulge personal authentication data, such as account information, credit card or social security numbers, and PINs.
Phishers are recycling old con games from the analog world and mass marketing them thanks to digital communication, according to Rob Enderle, president and principal analyst of the Enderle Group in San Jose, California.
“The Internet has taken what had been a one-on-one con and allowed one person to hit 1,000, 5,000, 10,000 people all at once and find those five or six that are gullible, and it can be incredibly lucrative,” he told TechNewsWorld.
IE Flaw Exploited
Some 7.8 percent of January’s attacks exploited a security flaw in Microsoft Internet Explorer that allows a counterfeit Web location to appear on the Web browser’s address line, hiding the real URL. In other words, phishers could make a fake site designed to steal credit card numbers look exactly like PayPal’s site. The vulnerability was revealed by a Danish security firm in December. Microsoft recently released a software patch to close the flaw.
“One of the things that helped phishing along greatly was the Microsoft vulnerability,” Joe Telafici, director of operations for the antivirus emergency response team for Network Associates in Santa Clara, California, told TechNewsWorld.
But Meyer expects the open wound in IE to continue to be exploited by phishers. “The targets of a lot of these phishing attacks are consumers,” he explained. “How quickly do you expect consumers to apply this patch to their home computer’s browser? I wouldn’t expect that to happen too quickly.”
Those sentiments are borne out by Telafici’s experience. “We are still seeing a pretty significant number of attempts to use that exploit in the field,” he said.
In what seems to be a growing trend, phishers are starting to attach malware to their pitches. The nefarious software contains “keyloggers” — secret applications that work in the background to monitor a computer user’s keystrokes and capture credit card, social security or other personal information, then clandestinely relay it to a party bent on fraud.
Meyer recalled one enterprising phisher who, pretending to represent PayPal, sent a message to his target audience warning them about the proliferation of keyloggers on the Internet. To counteract that malware, the message recommended running the antikeylogging program attached to it, which, of course, was a program to install a keylogger on the victim’s system.
Threat to E-commerce
Although the attached-executable practice is still rare — only five attack types in January — it is growing. Only one such exploit type was reported in December, the group’s report said.
If phishing continues to grow, its ill effects could chill Internet commerce, according to Enderle.
“It creates an increasing perception of risk,” he said. “It also creates an amount of distrust where people are never going to be sure that they’re connected to the company that they think they’re connected to.
“The end result,” he continued, “is that people will stop doing e-commerce altogether because they’re just not used to this level of duplicity in any other kind of business, and it’s frightening for them.”