Feeds

Phishers tapping botnets to automate attacks

Is your PC hosting a bank fraud site?

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Computer criminals are making phishing more potent by automating attacks. Anti-Phishing Working Group (APWG) analysts reckon fraudsters are using automated tools and botnets to ramp up attacks. It estimates attacks grew by an average of 36 per cent a month between July and October.

Scam emails that form the basis of phishing attacks often pose as 'security check' requests from well-known businesses. These messages attempt to trick users into handing over their account details and passwords to bogus sites. The details collected this way are used for credit card fraud and identity theft. First seen more than a year ago, phishing emails are becoming increasingly sophisticated, directing users to bogus websites which accurately reproduce the look and feel of legitimate sites.

Home PCs used to host baiting sites

In October, there were 6597 new, unique phishing email messages reported to the APWG, compared to 2158 such reports in August. The number of active baiting sites reported to the APWG in October was 1142, 25 per cent up on September, targeting customers of 44 brands. According to the working group, fraudulent sites were online for an average of 6.4 days. The number of phishing sites hosted on compromised broadband PC rose by more than 50 per cent.

APWG reports an explosion of phishing activity at the start of October. "Starting on the afternoon of 5 October, we started seeing a massive increase in the amount of phishing sites. Evidence indicated that the phishing exploits were not targeting one particular brand, but several targeted simultaneously. The one common theme of these phishing sites is that nearly all are being hosted on IP addresses and mostly outside of the US," the report states.

"It appears as though some sort of toolkit is available and/or a set of tools that are being used to produce similar exploits. The sudden large spike may, however, indicate that some automation may be involved. We are also seeing multiple brands being spoofed from the same machine over a few days. For example a site will be an eBay spoof one day, and then Paypal, then Citbank, etc. The content of the attacks is quite varied."

The US is home to the majority of these baiting sites, hosting 29 per cent of those reported to the APWG in October, a slight decrease over the month. China, Korea, and Russia are next on the list with 16 per cent, nine per cent, and eight per cent respectively of the total sites hosted. APWG's report, jointly written by security researchers at Websense and Tumbleweed Communications, is available here (PDF).

Let's factor out phishing

Services to monitor phishing attacks, allowing targeted sites to respond more quickly, or browser add-ons (such as Comodo's Verification Engine) that allow consumers to detect fraudulent sites have been developed by security firms to tackle the problem. One promising approach is to apply two-factor authentication, long a mainstay of corporate remote access, to internet banking. Swiss and Scandinavian banks have been using this approach for some time but use of the technique is rare in the US and UK, for example.

Earlier this month two New Zealand banks - ASB and Bank Direct - set up a service to provide two-factor authentication with text messages to their customers mobile phones to authorise transactions over $2500. The service, called Netcode, uses technology from RSA Security. Independent security experts think the idea shows considerable promise.

"The scheme is elegant, simple to use, cost-effective and requires no new hardware outlay," said Pete Simpson, ThreatLab Manager at security firm CLEARSWIFT. "This will thwart phishers who lure victims to fake websites and will defeat those that surf to the real site and display impostor popups for input of credentials. Clearly, those older attacks using HTML forms in the email are also dead-in-the-water." ®

Related stories

Phishing for dummies: hook, line and sinker
Botnets trawl for phishing victims
UK preps major security awareness campaign
Four charged in landmark UK phishing case
UK banks launch anti-phishing website

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.