Feeds

Phishers look to net small fry

Targeting US credit unions

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Online fraudsters have started targeting smaller banks and credit unions in hopes of fooling a larger percentage of customers, according to groups that monitor phishing activity.

Last week, Internet security firm Netcraft published an advisory warning that the number of phishing attacks aimed at smaller financial institutions has jumped significantly over the past few weeks. Users of the company's anti-phishing toolbar reported six new attacks in a 24-hour period earlier in the week.

"Phishers are catching on to the fact that it is easier to target small places," said Paul Mutton, Internet services developer for the firm. "It seems that phishers are diversifying."

Phishing scams use bulk email messages to target a large number of users. The messages appear to come from a legitimate financial institution or business. A common version of the scam informs the recipient that an account has been stolen or a charge placed on their credit card. The potential victim is asked to log into a site to verify their identity, but in reality the fraudsters hope to net the person's financial account information.

While larger banks and e-commerce sites have had to deal with the problem of online email scams targeting their customers - and even supermarkets have had the dubious honor of gaining the attention of fraudsters - for smaller banks and credit unions, it's still a relatively new experience.

The scourge of phishing has drawn the ire of not just customers, but of online vigilantes as well, some which deface the fake bank Web sites created by phishers.

The Honeynet Project, which places heavily monitored servers on the Internet to watch attackers' tactics, has seen an increase in phishing aimed at the clients of smaller financial institutions, said Thorsten Holz, a researcher with the German Honeynet Project.

"That's the direction that phishers are heading," he said. "Nowadays, many people know that phishers are hunting for Ebay and Paypal accounts, but many don't know that banks are a target."

Students and staff at the University of Michigan learned the lesson last fall, when an email message purportedly from a local bank lured several people into giving up their user names and passwords, said Linda Green, a spokeswoman for the University of Michigan's Information Technology Central Services department.

In May, when the credit union that serves the university was targeted with a similar attack, the ITCS staff sent out warnings, advised the credit union of the issue and convinced the local paper to cover the story. In the end, no one fell prey to the attack, nor when a third email popped up earlier this month, Green said.

"We feel that we have dodged the bullet this time," she said.

Last month, the customers at more than 30 credit unions became targets of phishing scams, according to data collected by the Antiphishing Working Group, an industry consortium that tracks the problem.

"Many of those attacks appear to be part of a toolkit or the same group of people, because they use the same techniques and wording, merely changing the target names," said Dan Hubbard, a member of the AWG's steering committee and the senior director for security at Internet threat monitor Websense.

May's burst of activity encompassed the most attacks yet aimed at smaller financial institutions, according to the AWG's data. Hubbard is not sure what is behind the increase, however. The countermeasures of larger banks may have diminished returns for the attackers, or the fraudsters may be able to transfer more money from credit unions before they catch on, he said.

"It is so economical and inexpensive to do this, perhaps they are experimenting to see what works best," Hubbard said.

Netcraft's Mutton believes that the customers of smaller banks and credit unions are more trusting and, thus, easier targets for phishing scams.

"You can send fewer emails and get a better response rate," he said.

University credit unions are particularly attractive targets, Mutton added, because attackers can easily generate a pool of likely customers by finding the email addresses of current students.

The University of Michigan's Green agreed, saying that keeping students aware of the issues is somewhat difficult, because every year a new batch of freshmen enter the colleges and have to be taught to be careful,

"We have 6,000 new students every fall," she said. "You don't ever get done educating them."

Related stories

Netcraft launches anti-phishing toolbar
Underground showdown: defacers take on phishers
Japanese 'Yahoo! phisher' arrested

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.