Phishing continues to rise

Month-on-month increases unabated...

The phenomenon of phishing attacks, which were the security story of 2004, continues to flourish unchecked while other threats have been stealing the headlines.

According to the Anti-Phishing Working Group (APWG) there are still month-on-month increases in the number of unique attacks. February saw a 2 per cent increase on January with 13,141 unique emails in mass circulation.

Although these figures are down on the boom period of growth in phishing scams, which came in mid-2004, the fact that the total number shows little sign of decreasing is certainly cause for concern.

As with other threats, part of the problem is the tendency for the scams to evolve faster than awareness and solutions.

Mark Murtagh, technical director EMEA at Websense, told silicon.com: "We saw a real evolution and explosion in phishing in the second half of last year and now there has been a real shift in the way people are targeted."

The APWG reported the number of live phishing websites during February was 2,625. Since last July this has risen at an average of 28 per cent per month.

In their wake these sites ambushed 64 different brands over the course of the month – most commonly high-transaction sites such as eBay, PayPal and major banks. Only six brands accounted for the top 80 per cent of phishing campaigns.

"While the major brands still account for 80 per cent of the phishing attacks it is the other 20 per cent which are the most interesting. We are seeing a shift towards smaller ecommerce companies and regional banks. We're also seeing a real evolution in the way users are targeted."

Murtagh said attacks that need less action on the part of the recipient and rely on more covert infection are becoming common. Most worrying is the DNS poisoning of an infected PC, which enables 'pharming'. Users who have been infected will be caught the next time they try to visit the real target website.

Users may actually type www.eBay.com into their address bar but if they are infected then they may well be directed to a website that looks like eBay, acts like eBay and even says it is eBay. But it isn't eBay.
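The article does not say how an infected PC's name resolution is altered; one place a defender can check is the local hosts file, which the operating system consults before DNS. The Python check below is an added example, not code from the article or the APWG, and it assumes that mechanism: it parses hosts-file text and flags entries that pin watched brand domains to a routable address. The watched list and the sample file are constructed.

```python
import ipaddress

# Constructed sample: hosts-file content as it might look on a tampered PC.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.ebay.com ebay.com    # constructed tampered entry
198.51.100.7    signin.paypal.com
0.0.0.0         ads.example.net
192.168.1.20    fileserver.corp.example
"""

# Assumption: brands the defender chooses to watch; not a list from the article.
WATCHED_DOMAINS = ("ebay.com", "paypal.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for name in fields[1:]:               # one IP may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED_DOMAINS):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return entries that pin a watched domain to a routable address."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        # 0.0.0.0 and loopback entries block a site rather than redirect it.
        if is_watched(name, watched) and not (ip.is_unspecified or ip.is_loopback):
            findings.append((line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    for line_no, ip, name in find_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {ip}")
```

A clean hosts file is not proof of a clean machine, since the resolver settings or the upstream DNS server can be altered as well.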

The most common country hosting phishing websites is the US and the average length of time the sites remain online is just 5.7 days, though the longest was 30 days.

Comments


  1. anonymous

    Whilst we, as end users, can do everything we can to prevent phishing, such as never revealing passwords, sensitive information etc., there is ABSOLUTELY NOTHING we can do if you type in a site and are redirected by that site to a phoney site.

    This could be as simple as a cookie (which some sites insist on), which redirects you. So when you type in eBay, you are directed to a phishing site.

    In my mind, if the end user takes EVERY reasonable precaution against phishing, then, if caught, they should not be liable in any way, shape or form and should not only be refunded in full, but also be awarded damages and compensation for their loss, as it is not their fault.

    If governments sat up and said that the organisation (eBay, PayPal, bank etc.) is responsible for reimbursing victims, then perhaps something would be done about it. Until then, "Sorry user, not your fault, but you lose."

    • 1 April 2005 11:44
