New phishing season as scam numbers hit new high


19 Jan 2006

Reports of phishing attacks have reached an all-time high, rising to 16,882 in November from 15,820 in October, according to new data released by Websense and the Anti-Phishing Working Group (APWG).

The number of unique phishing sites reported has also increased by 6pc to 4,630 in November, the most recent month for which figures are available.

Phishing is a type of online identity theft that employs social engineering tactics to steal consumers’ personal identity data or financial account credentials. ‘Spoofed’ emails lead consumers to often elaborate counterfeit websites designed to trick recipients into divulging data such as account usernames or login codes.

Often such emails appear to come from banks, credit card issuers or online retailers. The senders do not usually hold a customer list for the institution they impersonate; the emails are sent out in such volume that some recipients are bound to be customers of that bank, and a fraction of those may be fooled into responding.
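The lure described above rests on a mismatch: the message claims to come from a bank, but its links lead somewhere else. The following script is an added example, not code from the article, Websense or the APWG. It parses a constructed sample email, compares the From: domain with the host behind each link, and flags links whose visible text names one domain while the href points to another. The bank name, addresses and domains in the sample are made up, and the registrable-domain helper is a deliberate simplification that ignores the public suffix list.

```python
"""
Added example (not from the article): a small analyser for the phishing lure
described in the text. It reads a raw e-mail, compares the sender's domain
with the host of every link in the HTML body, and reports the mismatches a
mail filter would look for. All names and domains below are constructed.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a lure impersonating a fictitious bank. The visible
# link text names the bank's real-looking domain, the href does not.
SAMPLE_PHISH = """\
From: Example Bank Security <security@examplebank.test>
To: customer@mail.test
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your online banking access has been suspended.</p>
<p>Please <a href="http://examplebank.test.account-verify.example/login">
log in at https://www.examplebank.test</a> to restore access within 24 hours.</p>
<p>Regards, Example Bank</p>
</body></html>
"""

# Constructed sample of a genuine notice: sender and link share a domain.
SAMPLE_LEGIT = """\
From: Example Bank <notices@examplebank.test>
To: customer@mail.test
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is available. <a href="https://www.examplebank.test/login">Log in</a> to view it.</p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public suffix list, so 'example.co.uk' style hosts would
    be mis-handled; a production filter should use one."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw):
    """Return the sender's domain and a list of suspicious links with reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_addr = msg['From'].addresses[0].addr_spec if msg['From'] else ''
    sender_domain = registrable_domain(sender_addr.split('@')[-1])
    body = msg.get_body(preferencelist=('html', 'plain')).get_content()

    findings = []
    for href, text in LINK_RE.findall(body):
        link_host = urlparse(href).hostname or ''
        link_domain = registrable_domain(link_host)
        reasons = []
        # 1. The link leaves the domain the message claims to come from.
        if link_domain != sender_domain:
            reasons.append(f'link domain {link_domain} != sender domain {sender_domain}')
        # 2. The anchor text shows one URL while the href goes elsewhere.
        m = URL_IN_TEXT_RE.search(text)
        if m and registrable_domain(m.group(1)) != link_domain:
            reasons.append(f'visible text names {m.group(1)} but href goes to {link_host}')
        # 3. The brand's domain is buried as a subdomain of an unrelated host.
        if sender_domain in link_host and link_domain != sender_domain:
            reasons.append(f'{link_host} embeds the brand domain as a subdomain')
        if reasons:
            findings.append({'href': href, 'host': link_host, 'reasons': reasons})
    return {'sender_domain': sender_domain, 'findings': findings}


if __name__ == '__main__':
    for label, sample in (('phish', SAMPLE_PHISH), ('legit', SAMPLE_LEGIT)):
        result = analyse(sample)
        print(f'{label}: sender domain {result["sender_domain"]}, '
              f'{len(result["findings"])} suspicious link(s)')
        for f in result['findings']:
            print('  ', f['href'])
            for r in f['reasons']:
                print('     -', r)
```

Run against the two samples, the phishing message yields one link with all three reasons and the genuine notice yields none. The From: header is trivially forgeable, so a mismatch is only a signal; a real filter would combine it with SPF/DKIM results and a lookalike-domain list rather than act on this check alone.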

Another element of phishing, according to the APWG, is technical subterfuge. This involves planting programs – so-called crimeware – onto PCs to steal people’s credentials directly. Sometimes criminals use keylogging software to intercept consumers’ online account usernames and passwords.

Some 93 brands were hijacked by phishing campaigns in November and the figures also showed that just six names accounted for 80pc of all phishing attempts. The financial services sector is overwhelmingly the most targeted industry sector with 90.3pc of the total, compared with just 2.2pc of attacks using the name of retail brands. “Interestingly we are seeing some larger financial institutions and internet retailers experiencing a renewed round of intense phishing attacks,” the report said. “We continue to see an increase in international phishing, particularly in the UK and Europe.”

One new attack cited by the APWG invoked Google.com. Users were redirected to a spoofed copy of the search engine front page with a large message claiming that they had won US$400. Users were presented with instructions for collecting their prize money that required entering a credit card number and a postal address. Once the information had been gathered, users were then seamlessly directed to Google’s legitimate website.

The APWG found that the average time for a typical phishing site to remain live is five and a half days and the longest recorded time is 30 days.

By Gordon Smith