Phishers look to net small fry

Targeting US credit unions


Online fraudsters have started targeting smaller banks and credit unions in hopes of fooling a larger percentage of customers, according to groups that monitor phishing activity.

Last week, Internet security firm Netcraft published an advisory warning that the number of phishing attacks aimed at smaller financial institutions has jumped significantly over the past few weeks. Users of the company's anti-phishing toolbar reported six new attacks in a 24-hour period earlier in the week.

"Phishers are catching on to the fact that it is easier to target small places," said Paul Mutton, Internet services developer for the firm. "It seems that phishers are diversifying."

Phishing scams use bulk email messages to target a large number of users. The messages appear to come from a legitimate financial institution or business. A common version of the scam informs the recipient that an account has been stolen or a charge placed on their credit card. The potential victim is asked to log into a site to verify their identity, but in reality the fraudsters hope to net the person's financial account information.

While larger banks and e-commerce sites have had to deal with the problem of online email scams targeting their customers - and even supermarkets have had the dubious honor of gaining the attention of fraudsters - for smaller banks and credit unions, it's still a relatively new experience.

The scourge of phishing has drawn the ire of not just customers, but of online vigilantes as well, some of whom deface the fake bank Web sites created by phishers.

The Honeynet Project, which places heavily monitored servers on the Internet to watch attackers' tactics, has seen an increase in phishing aimed at the clients of smaller financial institutions, said Thorsten Holz, a researcher with the German Honeynet Project.

"That's the direction that phishers are heading," he said. "Nowadays, many people know that phishers are hunting for eBay and PayPal accounts, but many don't know that banks are a target."

Students and staff at the University of Michigan learned the lesson last fall, when an email message purportedly from a local bank lured several people into giving up their user names and passwords, said Linda Green, a spokeswoman for the University of Michigan's Information Technology Central Services department.

In May, when the credit union that serves the university was targeted with a similar attack, the ITCS staff sent out warnings, advised the credit union of the issue and convinced the local paper to cover the story. In the end, no one fell prey to that attack, or to a third email that popped up earlier this month, Green said.

"We feel that we have dodged the bullet this time," she said.

Last month, the customers at more than 30 credit unions became targets of phishing scams, according to data collected by the Antiphishing Working Group, an industry consortium that tracks the problem.

"Many of those attacks appear to be part of a toolkit or the same group of people, because they use the same techniques and wording, merely changing the target names," said Dan Hubbard, a member of the AWG's steering committee and the senior director for security at Internet threat monitor Websense.

May's burst of activity encompassed the most attacks yet aimed at smaller financial institutions, according to the AWG's data. Hubbard is not sure what is behind the increase, however. The countermeasures of larger banks may have diminished returns for the attackers, or the fraudsters may be able to transfer more money from credit unions before they catch on, he said.

"It is so economical and inexpensive to do this, perhaps they are experimenting to see what works best," Hubbard said.

Netcraft's Mutton believes that the customers of smaller banks and credit unions are more trusting and, thus, easier targets for phishing scams.

"You can send fewer emails and get a better response rate," he said.

University credit unions are particularly attractive targets, Mutton added, because attackers can easily generate a pool of likely customers by finding the email addresses of current students.

The University of Michigan's Green agreed, saying that keeping students aware of the issues is somewhat difficult, because every year a new batch of freshmen enters the colleges and has to be taught to be careful.

"We have 6,000 new students every fall," she said. "You don't ever get done educating them."
