As one of the top cyber crime ploys impacting both consumers and businesses, phishing has grown in volume and sophistication over the past several years. The down economy is providing a breeding ground for new, socially-engineered attempts to defraud unsuspecting business people and consumers. With honest money-earning avenues less available, the cyber crime ecosystem is ready with off-the-shelf phishing kits. It no longer takes a hacker to enable and commit fraud on the Internet — anyone with a motive can join in. The potential impact on a business can be great — whether an employee or its customers have been phished, or the company Web site has been compromised. Organizations need to stay current on the latest methods employed by cyber criminals and proactively take steps to prevent this type of fraud. This fraud alert highlights the current growth and trends in today’s phishing schemes, the potential impact on companies, and insight into how businesses can apply technology to protect themselves and their customers.
Phishing Knows No Limits
Phishing — luring unsuspecting users to provide sensitive information for identity or business theft — is a serious threat for both consumers and businesses. In the last decade since phishing arrived on the scene, this fraud method has been growing rapidly, with one estimate citing approximately 8 million daily phishing attempts worldwide. The Anti-Phishing Working Group (APWG) reported that unique phishing attacks submitted to APWG rose 13 percent during the second quarter of 2008 to more than 28,000.[2] It also reported that, during the same period, the number of malware-spreading URLs infecting PCs with password-stealing code rose to a new record of more than 9,500 sites — a 258% increase compared with the same quarter in 2007. Figure 1 shows one area of phishing — spear phishing — and its growth over a 16-month period.
Be Aware of the Latest Phishing Schemes
Spear Phishing
Targeted versions of phishing, called spear phishing, have emerged over the past several years. While common phishing is indiscriminate in its targets, spear phishing targets are known customers of a specific bank, mortgage provider, or other type of organization. Consumers aren’t the only targets of spear phishing. Increasingly, corporate employees are being targeted by savvy criminals. In these attacks, the goal is to gain access to corporate banking information, customer databases, and other information to facilitate cyber crime. According to VeriSign iDefense, spear phishing against corporations reached new heights during April and May 2008. Many of these attacks target senior executives and other high-profile individuals. The victim count from these attacks is staggering — over 15,000 corporate users in 15 months. Victims include Fortune 500 companies, government agencies, financial institutions and legal firms.
Business Services Phishing
In addition to spear phishing targeted at employees, there have been recent schemes targeting businesses using services such as Yahoo! or Google AdWords. PhishTank reported that AdWords customers were sent e-mails alerting them that their accounts required updating. The account holder was encouraged to log into the spoofed AdWords interface and then provide credit card information.[4] With many small and mid-size companies relying on online advertising to drive traffic to their sites, their marketing managers could be easy prey for this type of phishing scam.
Phishing that Plays on Economic Fears
Today’s economic turmoil delivers unprecedented opportunities for criminals to exploit victims. For instance, popular scams include phishing e-mails that look like they are coming from a financial institution that recently acquired the target victim’s bank, savings & loan, or mortgage holder.[5] The large amount of merger and acquisition activity taking place creates an atmosphere of confusion for consumers, exacerbated by the dearth of consistent communications with customers. Phishers thrive in this type of situation.
Blended Phishing/Malware Threats
To increase success rates, some attacks combine phishing with malware for a blended attack model. For instance, a potential victim receives a phishing e-card via e-mail that appears to be legitimate. By clicking on the link inside the e-mail to receive the card, the person is taken to a spoofed Web site which downloads a Trojan to the victim’s computer. Alternatively, the victim may see a message that indicates a download of updated software is needed before the victim can view the card. When the victim downloads the software, it’s actually a keylogger.
Fraud Alert: Phishing — The Latest Tactics and Potential Business Impact
By Sepeda