Phishers tapping botnets to automate attacks

Computer criminals are making phishing more potent by automating attacks. Anti-Phishing Working Group (APWG) analysts reckon fraudsters are using automated tools and botnets to ramp up attacks. It estimates attacks grew by an average of 36 per cent a month between July and October.

Scam emails that form the basis of phishing attacks often pose as 'security check' requests from well-known businesses. These messages attempt to trick users into handing over their account details and passwords to bogus sites. The details collected this way are used for credit card fraud and identity theft. First seen more than a year ago, phishing emails are becoming increasingly sophisticated, directing users to bogus websites which accurately reproduce the look and feel of legitimate sites.

Home PCs used to host baiting sites

In October, there were 6597 new, unique phishing email messages reported to the APWG, compared to 2158 such reports in August. The number of active baiting sites reported to the APWG in October was 1142, 25 per cent up on September, targeting customers of 44 brands. According to the working group, fraudulent sites were online for an average of 6.4 days. The number of phishing sites hosted on compromised broadband PC rose by more than 50 per cent.

APWG reports an explosion of phishing activity at the start of October. "Starting on the afternoon of 5 October, we started seeing a massive increase in the amount of phishing sites. Evidence indicated that the phishing exploits were not targeting one particular brand, but several targeted simultaneously. The one common theme of these phishing sites is that nearly all are being hosted on IP addresses and mostly outside of the US," the report states.

"It appears as though some sort of toolkit is available and/or a set of tools that are being used to produce similar exploits. The sudden large spike may, however, indicate that some automation may be involved. We are also seeing multiple brands being spoofed from the same machine over a few days. For example a site will be an eBay spoof one day, and then Paypal, then Citbank, etc. The content of the attacks is quite varied."

The US is home to the majority of these baiting sites, hosting 29 per cent of those reported to the APWG in October, a slight decrease over the month. China, Korea, and Russia are next on the list with 16 per cent, nine per cent, and eight per cent respectively of the total sites hosted. APWG's report, jointly written by security researchers at Websense and Tumbleweed Communications, is available here (PDF).

Let's factor out phishing

Services to monitor phishing attacks, allowing targeted sites to respond more quickly, or browser add-ons (such as Comodo's Verification Engine) that allow consumers to detect fraudulent sites have been developed by security firms to tackle the problem. One promising approach is to apply two-factor authentication, long a mainstay of corporate remote access, to internet banking. Swiss and Scandinavian banks have been using this approach for some time but use of the technique is rare in the US and UK, for example.

Earlier this month two New Zealand banks - ASB and Bank Direct - set up a service to provide two-factor authentication with text messages to their customers mobile phones to authorise transactions over $2500. The service, called Netcode, uses technology from RSA Security. Independent security experts think the idea shows considerable promise.

"The scheme is elegant, simple to use, cost-effective and requires no new hardware outlay," said Pete Simpson, ThreatLab Manager at security firm CLEARSWIFT. "This will thwart phishers who lure victims to fake websites and will defeat those that surf to the real site and display impostor popups for input of credentials. Clearly, those older attacks using HTML forms in the email are also dead-in-the-water." ®

Related stories

Phishing for dummies: hook, line and sinker
Botnets trawl for phishing victims
UK preps major security awareness campaign
Four charged in landmark UK phishing case
UK banks launch anti-phishing website