Phishing attacks increased 19 percent in June over May, according to a report released by the Anti-Phishing Working Group.
Of the 1,422 new unique attacks, 92 percent of them used forged, or “spoofed,” e-mail addresses. To somemembers of the working group, that fact reveals a crying need for sender authentication in all e-mail in order to limit both spam and phishing.
“Classic phishing attacks are dependent on normal e-mail as anattack medium,” the group’s Peter Cassidy told TechNewsWorld. “If you can slow down the volume of spam, you can slow down the number of successful hits that phishing attacks make.”
“Yahoo and Microsoft finally got together on Sender ID,” Cassidy said. “If that’s widely adopted it should cut down the number of raw spams allowed to traverse the Internet.”
The Phish Story
Phishing involves the mass distribution of “spoofed” e-mail messages with return addresses, links and branding which appear to originate from banks, insurance agencies, retailers or credit card companies.
The bogus messages can trick their recipients into divulging personal authentication data such as account information, credit card or social security numbers and PINs. Because the e-mails look genuine, recipients respond to them and become victims of identity theft and other fraudulent activity.
Phishing can also involve the planting of clandestine code on a computerfor filching information in real time through programs like key loggers.
Sender authentication will be very successful in getting rid of the “script kiddies,” but it won’t discourage more sophisticated phishers from their avocation, the working group’s Cassidy maintained. “What will happen is that the professionals will start bearing down on stuff that needs a greater degree of sophistication,” he said.
Signs of these more sophisticated phishing vehicles have already been discovered in the wild.
These vehicles use encryption to evade detection by antivirus software. Once nested on a computer, they begin logging keystrokes based on discrete events, such as accessing an online bank account. Then the logsare sent to a phisher without the computer operator’s knowledge.
“There has been a huge shift in phishing from last November to this summer in terms of how attacks are done,” Bill Franklin, president of 0Spam Network Corporation in Coral Gables, Florida, told TechNewsWorld.
“There weren’t any of these sophisticated attacks last fall,” Franklin said. “It would take a good four to six months” for a phishing attack to target a security gap. “Whereas now,” he said, “if a security exploit is observed, in two weeks — guaranteed — there’s going to be a virus and phishing attack that take advantage of that.”
According to the group’s report, the financial services sector remains the top target of phishers, garnering more than1,000 of the new unique attacks. Citibank alone amassed 492 attacks, a 32 percent jump from the previous month.
Financial Sector Fights Back
Because it has become a prime target of phishers, the industry has launched an initiative through the Financial Services Technology Consortium (FSTC) to define the full scope of the phishing problem and find new solutions to it.
“That’s the first of program of its kind to attack phishing specifically,” Cassidy noted.
“The FTSC project will be useful because it will be shared more broadly in the industry,” observed Jim Maloney, chief security executive at Corillian in Portland, Oregon, a provider of online banking solutions.
“It will give us a better idea of the full scope of the problem and the full range of solutions that can applied to it,” he told TechNewsWorld.