Phishing attacks are inexorably on the rise, security analysts agree, and pose
a serious threat to consumers and businesses alike. The growth of do-it-yourself
kits sold by computer criminals and increasing knowledge about Internet users
are making attacks both more widespread and more targeted. The phishing threat
is no longer confined to the largest banks; all types of institutions are under
attack with criminals looking to steal as much personal data as possible.
A report from analyst Gartner found that phishing attacks in the US claimed 3.6
million victims in 2007, up from 2.3 million in the previous year. These attacks
netted criminals $3.2 billion, with debit cards as the fraudsters' weapon of choice.
Of consumers who had received phishing emails in 2007, 3.3 percent lost
money because of the attack, compared with 2.3 percent in 2006 and 2.9 percent
in 2005.
"Phishing attacks are becoming more surreptitious and are often designed to drop
malware that steals user credentials and sensitive information from consumer desktops,"
said Avivah Litan, vice president at Gartner. "Anti-phishing detection and prevention
solutions are available but not utilized widely enough to stop the damage. These
must be deployed and combined with solutions that also proactively detect and
stop malware-based attacks."
The growth of phishing is not just a US phenomenon; it is a worldwide problem.
The annual threat analysis released by email filtering company MessageLabs reported
that the number of phishing emails almost doubled in 2007, with 1 in 156 messages
containing a phishing attack. It says that phishing attacks now account for two-thirds
of all malware attacks, with phishers widening their range of targets from just
defrauding international banks and financial institutions to also targeting smaller
banks and even credit unions.
This diversification is backed up by the most recent report from the Anti-Phishing
Working Group (http://www.antiphishing.org/) (APWG). It said that November 2007 saw
the highest number of hijacked brands it has recorded in a single month with 178
discrete corporate identities targeted. Many of these new targets are financial
services companies in Europe and the Middle East.
Increased accessibility
One of the reasons for the increase in the number of attacks, says MessageLabs,
was the emergence in early 2007 of do-it-yourself phishing kits that lower the
bar for entry into the market. However, it is not just the volume of phishing attacks
that alarms security analysts; of perhaps bigger concern is that attacks are becoming
more targeted. Phishing emails are frequently correctly addressed and refer to
institutions with which the victim actually has a relationship. Information such
as this can be gleaned from the profusion of personal data on the Internet, often
willingly provided by users to social networking sites. Inevitably these sophisticated
attacks are much more successful in ensnaring their victims.
Debit cards have become popular amongst fraudsters, because fraud checking is
often not as rigorous as with credit cards. "Fraud detection and authentication
systems deployed widely in online banking are already a step behind fraudsters'
latest techniques and must be updated to guard against browser hijackings, 'man
in the middle', and other hidden malware-based attacks often delivered to users
through phishing emails," says Gartner's Litan.
Although financial services continued to be the most targeted industry, representing
nearly 94% of attacks in November 2007, APWG has identified a new wave of phishing
aimed at executives in order to gain access to corporate data. "We are seeing
executives of companies receiving specially targeted emails that attempt to do
two things: first, install malware to give the phisher access to the corporations'
systems and second, gain access to the corporations' bank accounts," explains
Laura Mather, Senior Scientist at MarkMonitor and Managing Director of Operational
Policy for APWG.
Enterprises need to take a three-pronged approach against phishing. The first
is to protect themselves from direct attacks on corporate data by using anti-phishing,
anti-virus and anti-spyware tools to detect and stop malware-based attacks. The second
is to prevent their brands being used in phishing attacks by using an anti-phishing
solution, which should detect whether their customers are under specific attack
and prevent it from spreading. Finally, companies, particularly those in financial
services, need to strengthen account security, including user authentication,
transaction verification and fraud detection, to minimize the impact of any phishing
attack.
The threat of phishing is not going away, and most security analysts believe that
it will get worse still. Only by using the protection methods described above
can enterprises protect their customers, employees and brand from the threat of
phishing.