Part 1 of this two-part series examined the effects phishing can have on a business as phishers target smaller businesses. Part 2 looks at its impact on Web users.
If one were to look for sure bets in the online world, phishing would be right up there on the growing list of security concerns. The art of phishing has been a remarkable study in technology innovation. It started as a simple means of luring unsuspecting consumers to visit bogus Web sites to capture basic credit card information.
Now it’s a highly sophisticated practice that’s growing rapidly — and attracting some very nasty, very organized players in the process. And it’s only going to get worse.
Phishing typically involves sending out a spoofed (spam) e-mail that mimics a message from a legitimate organization. The e-mail lures the recipient into clicking a link, ostensibly to update account information or view a promotion. The link takes the person to a counterfeit Web site where they are asked to provide personal information, which is then used for identity theft.
Rapid Growth and Innovative Thinking
“We really started noticing an uptick in phishing around 2004. By 2006, it was in full swing and [has] been growing steadily ever since. There have been a lot of innovators in the phishing world,” said Zulfikar Ramzan, technical director for the security technology and response division for Symantec. Currently, Symantec blocks several billion phishing e-mails each year, and the numbers just keep on growing, he said.
Phishers are not only more prolific, they are also casting a wider net, with the targets moving beyond large players like the major financial institutions to smaller banks and other types of businesses. “We saw a big spike in smaller banks being targeted in late 2006,” Ramzan told TechNewsWorld. “The move to smaller banks came about because the larger ones had invested a lot more dollars in back-end protection, so it became more lucrative to attack more vulnerable targets.”
Smaller banks were definitely getting caught off guard as attacks started to make their way into their territory, Avivah Litan, an analyst with Gartner, told TechNewsWorld. “Many don’t have the [detection and protection] mechanisms in place, so phishing moved downstream.”
A notable statistic: 14 organizations are the targets of 90 percent of phishing attacks. Twelve of those are banks (six U.S.-based, six UK-based), according to MarkMonitor, a San Francisco-based brand protection firm.
What’s more interesting, however, is that financial institutions — along with a couple of payment processing and auction-style sites — once accounted for almost all attacks. Now the phishers are broadening their focus.
“We have moved from virtually no non-financial targets to 10 percent, which means there is much greater diversity in the targets,” Frederick Felman, chief marketing officer for MarkMonitor, told TechNewsWorld. “Last quarter, more than 400 organizations were phished, and 100 of those were new. We’ve also seen some big consumer-facing SaaS (Software as a Service) providers being hit, from tax preparation and accounting to social networking services.”
As it stands today, 34 percent of attacks are U.S.-based, 15 percent from Asian countries (Hong Kong, Korea and Thailand in that order), and 8 percent are from the Russian Federation, according to MarkMonitor. The number of organizations being phished has increased from 150 a month in December of 2006 to 250 a month as of March 2008, and has peaked as high as 275 a month.
Statistics from antiphishing specialist Cyveillance confirm that the targets are spreading. More than 100 organizations were phishing targets for the first time in the fourth quarter of 2007, it reports, an 11 percent increase in the number of newly attacked brands over the previous quarter.
New Phish Tales
Not only are the numbers on the rise, attackers are doing a lot more clever social engineering to gain access to people’s personal information, Litan says. “Now phishing has moved beyond putting URLs (uniform resource locators) in e-mails to putting malware in attachments that can do all kinds of bad things when you log into your browser, like recording keystrokes and capturing information put on the screen. That’s a lot more difficult than generic phishing attacks that simply ask users to provide information,” she added.
“The malware thing is the gift that just keeps on giving,” Felman confirms. “You get this crud on your machine and it sits there getting passwords. Sometimes [the attack is] focused on a particular bank. It’s really ugly for the consumer — and a great opportunity for an abuser.”
New entrants to the phishing vocabulary include “spear phishing,” attacks aimed at specific individuals within a company. More adventurous perpetrators are also carrying the same lures over phone calls and text messages, in practices that have been dubbed “vishing” (voice phishing) and “smishing” (SMS phishing). Then there is the rapidly evolving practice of “rock phishing,” in which a single campaign is spread across many domain names and compromised hosts so that taking down any one of them barely dents it; it is as difficult to eradicate as an infestation of insects.
The Trials of Take Downs
All of these new tricks make it much more difficult to stop the onslaught. For the antiphishing services that make detection and take down part of their everyday existence, taking care of business is a veritable rat’s maze of detective work, jurisdictional red tape and good old-fashioned legwork.
Some jobs are easier than others. A one-off attack, for example, is simply a matter of tracking down where the site is hosted and notifying the ISP (Internet service provider) to take it down. However, fraudsters are increasingly moving to less “friendly” jurisdictions that may turn a blind eye to such requests. China is the fastest-growing haven for attacks — especially malware-based ones, according to James Brooks, director of product management for Cyveillance. “Given the numerous bureaucratic issues, it can be difficult to shut them down,” he said.
“It’s not just a matter of finding them,” Litan says. “Sometimes they’re coming from botnets, which are like cockroaches. In those cases you have to find the masters — and those can be hidden somewhere in an old church basement or some place else where no one is minding the store. Sometimes it’s in an unfriendly foreign country.”
Often the task involves intense negotiations with several countries. “That makes it substantially more difficult to handle because it involves pure legwork and multiple take downs,” Brooks says. It also demands the ability to communicate in the right language.
We can expect more of the same, with a few variations along the way, says Felman. “Expect targets to be broader, attacks more diverse, and growth in activities such as vishing and smishing. It’s not going to get any easier.”
Another up-and-coming phishing hole will be social networking sites, says Ramzan. “We’re expecting a big rise in sites getting attacked to launch malicious software. When it comes to phishing, attackers generally follow the money.”