Feeds

Phishers look to net small fry

Targeting US credit unions

  • alert
  • submit to reddit

Seven Steps to Software Security

Online fraudsters have started targeting smaller banks and credit unions in hopes of fooling a larger percentage of customers, according to groups that monitor phishing activity.

Last week, Internet security firm Netcraft published an advisory warning that the number of phishing attacks aimed at smaller financial institutions has jumped significantly over the past few weeks. Users of the company's anti-phishing toolbar reported six new attacks in a 24-hour period earlier in the week.

"Phishers are catching on to the fact that it is easier to target small places," said Paul Mutton, Internet services developer for the firm. "It seems that phishers are diversifying."

Phishing scams use bulk email messages to target a large number of users. The messages appear to come from a legitimate financial institution or business. A common version of the scam informs the recipient that an account has been stolen or a charge placed on their credit card. The potential victim is asked to log into a site to verify their identity, but in reality the fraudsters hope to net the person's financial account information.

While larger banks and e-commerce sites have had to deal with the problem of online email scams targeting their customers - and even supermarkets have had the dubious honor of gaining the attention of fraudsters - for smaller banks and credit unions, it's still a relatively new experience.

The scourge of phishing has drawn the ire of not just customers, but of online vigilantes as well, some which deface the fake bank Web sites created by phishers.

The Honeynet Project, which places heavily monitored servers on the Internet to watch attackers' tactics, has seen an increase in phishing aimed at the clients of smaller financial institutions, said Thorsten Holz, a researcher with the German Honeynet Project.

"That's the direction that phishers are heading," he said. "Nowadays, many people know that phishers are hunting for Ebay and Paypal accounts, but many don't know that banks are a target."

Students and staff at the University of Michigan learned the lesson last fall, when an email message purportedly from a local bank lured several people into giving up their user names and passwords, said Linda Green, a spokeswoman for the University of Michigan's Information Technology Central Services department.

In May, when the credit union that serves the university was targeted with a similar attack, the ITCS staff sent out warnings, advised the credit union of the issue and convinced the local paper to cover the story. In the end, no one fell prey to the attack, nor when a third email popped up earlier this month, Green said.

"We feel that we have dodged the bullet this time," she said.

Last month, the customers at more than 30 credit unions became targets of phishing scams, according to data collected by the Antiphishing Working Group, an industry consortium that tracks the problem.

"Many of those attacks appear to be part of a toolkit or the same group of people, because they use the same techniques and wording, merely changing the target names," said Dan Hubbard, a member of the AWG's steering committee and the senior director for security at Internet threat monitor Websense.

May's burst of activity encompassed the most attacks yet aimed at smaller financial institutions, according to the AWG's data. Hubbard is not sure what is behind the increase, however. The countermeasures of larger banks may have diminished returns for the attackers, or the fraudsters may be able to transfer more money from credit unions before they catch on, he said.

"It is so economical and inexpensive to do this, perhaps they are experimenting to see what works best," Hubbard said.

Netcraft's Mutton believes that the customers of smaller banks and credit unions are more trusting and, thus, easier targets for phishing scams.

"You can send fewer emails and get a better response rate," he said.

University credit unions are particularly attractive targets, Mutton added, because attackers can easily generate a pool of likely customers by finding the email addresses of current students.

The University of Michigan's Green agreed, saying that keeping students aware of the issues is somewhat difficult, because every year a new batch of freshmen enter the colleges and have to be taught to be careful,

"We have 6,000 new students every fall," she said. "You don't ever get done educating them."

Related stories

Netcraft launches anti-phishing toolbar
Underground showdown: defacers take on phishers
Japanese 'Yahoo! phisher' arrested

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.