Security experts are warning that automated software and compromised computers used to pass on malicious e-mail or host rogue, information-stealing Web sites are feeding fraud on the Internet.
The Anti-Phishing Working Group (APWG), a consortium of security experts looking to analyze the online fraud known as phishing — whereby users are directed via e-mail to malicious sites that steal personal and financial information — highlighted the issue in a report this week.
The group reported “massive increases” in the number of sites used for phishing scams, adding that automation and an increasing number of compromised, broadband Internet connections are the likely cause of the rise.
While the group said “a new and powerful set of tools” recently deployed by attackers could explain the phishing increase, iDefense director of malicious code intelligence Ken Dunham told TechNewsWorld the problem is only now being fully recognized.
“Phishing is really a small component of a much bigger fraud picture,” Dunham said. “(Internet) fraud has been on the increase for the last 18-24 months and the reason is that money is the motive. There’s money to be made and the criminals have known about it for a long time.”
Echoing the findings of the APWG — which said attackers are using new software tools and so-called “Bot nets” of compromised computers to reach victims — Dunham said the convergence of viruses and spamming was a troubling trend.
Year of Convergence
“2004 should be called the year of convergence, because we see technologies and techniques coming together for more successful attacks and fraud,” he said.
Dunham added with the sophistication and stealth of backdoor Trojans and other malicious software, it is hard for PC users to know if they are being compromised or used in some kind of attack or fraud.
Message Labs senior antivirus technologist Alex Shipp — whose company warned earlier this month of an automated phishing attack designed to capture online banking details when users opened an e-mail without requiring a link — agreed that the attacks are simultaneously becoming more dangerous and inconspicuous.
While the automated phishing attack had limited reach and was generally seen as a “proof-of-concept” effort, it also laid the groundwork for attackers to improve the approach.
“This latest technique demonstrates how phishing attacks could become increasingly difficult for end users and online organizations alike to protect against,” Shipp said. “By reducing the need for user intervention, the perpetrators are making it easier to dupe users into handing over the contents of their bank accounts.”
Big Brands and Beyond
The APWG report, authored by Websense and Tumbleweed Communications, indicated that the number of brands used for bogus phishing efforts — eBay, PayPal, Microsoft, and others for example — is also increasing. The group said it gave greater focus to the server side of phishing attacks, but indicated more and more company trademarks are likely to be used as the basis of fraud.
Dunham agreed, telling TechNewsWorld that while the bigger-name companies are more likely to be used in phishing attacks, any company providing online services should expect a phishing attack with its brand in 2005.
“If there is money to be made there, other companies will be hit,” Dunham said.
Trying to Net Phishing
Security experts consistently point to the limited impact of phishing scams because malicious sites are typically taken down quickly. However, the APWG report indicated that most phishing sites were being hosted outside of the U.S., complicating the crackdown on phishing sites.
Dunham, who indicated fraudsters are using “multi-staged, sequential attacks” and setting up larger numbers of phishing sites, said there is still a need to respond faster.
“We’ve got to figure out a way to shut down a hostile Web site faster and a way to identify them,” he said.