Phishers tapping botnets to automate attacks
Computer criminals are making phishing more potent by automating attacks. Anti-Phishing Working Group (APWG) analysts reckon fraudsters are using automated tools and botnets to ramp up attacks. The group estimates attacks grew by an average of 36 per cent a month between July and October.
Scam e-mails that form the basis of phishing attacks often pose as 'security check' requests from well-known businesses. These messages attempt to trick users into handing over their account details and passwords to bogus sites. The details collected this way are used for credit card fraud and identity theft. First seen more than a year ago, phishing e-mails are becoming increasingly sophisticated, directing users to bogus websites that accurately reproduce the look and feel of legitimate sites.
Home PCs used to host baiting sites
In October, there were 6597 new, unique phishing e-mail messages reported to the APWG, compared to 2158 such reports in August. The number of active baiting sites reported to the APWG in October was 1142, 25 per cent up on September, targeting customers of 44 brands. According to the working group, fraudulent sites were online for an average of 6.4 days. The number of phishing sites hosted on compromised broadband PCs rose by more than 50 per cent.
APWG reports an explosion of phishing activity at the start of October. "Starting on the afternoon of 5 October, we started seeing a massive increase in the amount of phishing sites. Evidence indicated that the phishing exploits were not targeting one particular brand, but several targeted simultaneously. The one common theme of these phishing sites is that nearly all are being hosted on IP addresses and mostly outside of the US," the report states.
"It appears as though some sort of toolkit is available and/or a set of tools that are being used to produce similar exploits. The sudden large spike may, however, indicate that some automation may be involved. We are also seeing multiple brands being spoofed from the same machine over a few days. For example a site will be an eBay spoof one day, and then PayPal, then Citibank, etc. The content of the attacks is quite varied."
The US hosts more of these baiting sites than any other country, accounting for 29 per cent of those reported to the APWG in October, a slight decrease over the month. China, Korea and Russia are next on the list with 16 per cent, nine per cent and eight per cent respectively of the total sites hosted. APWG's report is jointly written by security researchers at Websense and Tumbleweed Communications.
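The pattern the report describes (one compromised host serving several brands in turn, short-lived sites, hosting concentrated in a few countries) is the kind of thing a responder would want to pull out of the raw site reports mechanically. The script below is an added example, not code from the APWG or the report's authors; the report rows are constructed for illustration (documentation IP ranges, invented dates) and the lifetime definition (first to last report, inclusive) is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of phishing-site reports: (date seen, hosting IP, brand
# spoofed, hosting country). Invented for illustration; not APWG data.
REPORTS = [
    ("2004-10-05", "203.0.113.17",  "eBay",        "KR"),
    ("2004-10-06", "203.0.113.17",  "PayPal",      "KR"),
    ("2004-10-08", "203.0.113.17",  "Citibank",    "KR"),
    ("2004-10-05", "198.51.100.9",  "eBay",        "US"),
    ("2004-10-11", "198.51.100.9",  "eBay",        "US"),
    ("2004-10-06", "198.51.100.23", "PayPal",      "US"),
    ("2004-10-07", "192.0.2.44",    "ExampleBank", "CN"),
    ("2004-10-09", "192.0.2.44",    "ExampleBank", "CN"),
    ("2004-10-09", "192.0.2.44",    "PayPal",      "CN"),
]


def parse(rows):
    """Turn ISO date strings into date objects; leave the other fields alone."""
    return [(date.fromisoformat(d), ip, brand, cc) for d, ip, brand, cc in rows]


def brand_rotation(rows, min_brands=2):
    """Hosts that spoofed several brands: the toolkit/botnet signal the report describes."""
    brands = defaultdict(set)
    for _, ip, brand, _ in parse(rows):
        brands[ip].add(brand)
    return {ip: sorted(b) for ip, b in brands.items() if len(b) >= min_brands}


def site_lifetimes(rows):
    """Days each host was reported, from first to last sighting inclusive (assumed definition)."""
    first, last = {}, {}
    for d, ip, _, _ in parse(rows):
        first[ip] = min(first.get(ip, d), d)
        last[ip] = max(last.get(ip, d), d)
    return {ip: (last[ip] - first[ip]).days + 1 for ip in first}


def mean_lifetime(rows):
    """Average lifetime across distinct hosts, comparable to the 6.4-day figure in the text."""
    lifetimes = site_lifetimes(rows)
    return sum(lifetimes.values()) / len(lifetimes)


def hosting_share(rows):
    """Share of distinct hosting IPs per country, in per cent."""
    country = {ip: cc for _, ip, _, cc in parse(rows)}
    counts = defaultdict(int)
    for cc in country.values():
        counts[cc] += 1
    total = len(country)
    return {cc: round(100 * n / total, 1) for cc, n in counts.items()}


if __name__ == "__main__":
    print("brand rotation:", brand_rotation(REPORTS))
    print("mean lifetime (days):", mean_lifetime(REPORTS))
    print("hosting share:", hosting_share(REPORTS))
```

Hosts flagged by `brand_rotation` are the ones worth sending to the hosting provider's abuse desk as a whole rather than brand by brand, since taking down one spoof leaves the same box free to serve the next.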
Let's factor out phishing
Security firms have developed services that monitor phishing attacks so targeted sites can respond more quickly, and browser add-ons (such as Comodo's Verification Engine) that help consumers detect fraudulent sites. One promising approach is to apply two-factor authentication, long a mainstay of corporate remote access, to Internet banking. Swiss and Scandinavian banks have been using this approach for some time, but use of the technique is rare in the US and UK, for example.
Earlier this month two New Zealand banks, ASB and Bank Direct, set up a service that provides two-factor authentication via text messages to their customers' mobile phones to authorise transactions over $2500. The service, called Netcode, uses technology from RSA Security. Independent security experts think the idea shows considerable promise.
"The scheme is elegant, simple to use, cost-effective and requires no new hardware outlay," said Pete Simpson, ThreatLab Manager at security firm CLEARSWIFT. "This will thwart phishers who lure victims to fake websites and will defeat those that surf to the real site and display impostor popups for input of credentials. Clearly, those older attacks using HTML forms in the e-mail are also dead in the water."
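What makes an SMS code defeat a phished password is that the code is issued by the real bank for one specific transaction and delivered out of band, so the victim sees the payee and amount a fraudster is trying to push through, and a code captured on a fake site cannot be redirected to a different payee. The following is an added example of that server-side logic, not the Netcode service or RSA Security's implementation, whose internals the article does not describe. It assumes an HMAC-SHA256 code bound to account, payee, amount and a per-request nonce, a five-minute validity window, single use, and a list standing in for the SMS gateway; the $2500 threshold is the one the article gives.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL = 300      # seconds a code stays valid (assumed)
THRESHOLD = 2500    # transfers above this need a code, as in the article


class TransferService:
    """Server side of an SMS transaction-code scheme (illustrative design)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}     # nonce -> pending transfer awaiting a code
        self.sms_outbox = []   # constructed stand-in for an SMS gateway

    def _code(self, account, payee, amount, nonce):
        # Bind the code to the exact transaction so it cannot be reused
        # for another payee or amount.
        msg = f"{account}\x00{payee}\x00{amount}\x00{nonce}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

    def request_transfer(self, account, payee, amount, now=None):
        now = time.time() if now is None else now
        if amount <= THRESHOLD:
            return "done", None   # below the threshold: password alone suffices
        nonce = secrets.token_hex(8)
        self._pending[nonce] = dict(account=account, payee=payee, amount=amount,
                                    issued=now, used=False)
        # The SMS names payee and amount, so a customer whose password was
        # phished sees exactly what the fraudster is trying to authorise.
        code = self._code(account, payee, amount, nonce)
        self.sms_outbox.append((account, f"Code {code} authorises ${amount} to {payee}"))
        return "code_required", nonce

    def confirm(self, nonce, payee, amount, code, now=None):
        now = time.time() if now is None else now
        p = self._pending.get(nonce)
        if p is None:
            return "unknown"
        if p["used"]:
            return "replayed"
        if now - p["issued"] > CODE_TTL:
            return "expired"
        expected = self._code(p["account"], payee, amount, nonce)
        if not hmac.compare_digest(expected, code):
            return "bad_code"     # wrong code, or payee/amount altered after issue
        p["used"] = True
        return "done"


def demo():
    """Walk through the legitimate flow and the attacks the scheme is meant to stop."""
    bank = TransferService(secrets.token_bytes(32))
    results = {}
    results["below_threshold"], _ = bank.request_transfer("alice", "landlord", 800, now=1000.0)
    _, nonce = bank.request_transfer("alice", "landlord", 3000, now=1000.0)
    _, sms = bank.sms_outbox[-1]
    results["sms"] = sms
    code = sms.split()[1]
    # A phisher who captured the code on a fake site tries to redirect it.
    results["redirected_payee"] = bank.confirm(nonce, "mule", 3000, code, now=1010.0)
    results["altered_amount"] = bank.confirm(nonce, "landlord", 9000, code, now=1010.0)
    # The customer confirms the transfer exactly as the SMS described it.
    results["legit"] = bank.confirm(nonce, "landlord", 3000, code, now=1010.0)
    results["replay"] = bank.confirm(nonce, "landlord", 3000, code, now=1020.0)
    _, stale = bank.request_transfer("alice", "landlord", 3000, now=1000.0)
    stale_code = bank.sms_outbox[-1][1].split()[1]
    results["expired"] = bank.confirm(stale, "landlord", 3000, stale_code, now=1400.0)
    results["unknown"] = bank.confirm("no-such-nonce", "landlord", 3000, code, now=1010.0)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The one attack this does not address is a fraudster who talks the victim into reading back a code whose SMS already names the fraudster's payee; the message text is the customer's only chance to notice, which is why it should spell out payee and amount rather than just "your verification code".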
By John Leyden, reproduced from The Register, www.theregister.co.uk