Feeds

Phishers look to net small fry

Targeting US credit unions

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Online fraudsters have started targeting smaller banks and credit unions in hopes of fooling a larger percentage of customers, according to groups that monitor phishing activity.

Last week, Internet security firm Netcraft published an advisory warning that the number of phishing attacks aimed at smaller financial institutions has jumped significantly over the past few weeks. Users of the company's anti-phishing toolbar reported six new attacks in a 24-hour period earlier in the week.

"Phishers are catching on to the fact that it is easier to target small places," said Paul Mutton, Internet services developer for the firm. "It seems that phishers are diversifying."

Phishing scams use bulk email messages to target a large number of users. The messages appear to come from a legitimate financial institution or business. A common version of the scam informs the recipient that an account has been stolen or a charge placed on their credit card. The potential victim is asked to log into a site to verify their identity, but in reality the fraudsters hope to net the person's financial account information.

While larger banks and e-commerce sites have had to deal with the problem of online email scams targeting their customers - and even supermarkets have had the dubious honor of gaining the attention of fraudsters - for smaller banks and credit unions, it's still a relatively new experience.

The scourge of phishing has drawn the ire of not just customers, but of online vigilantes as well, some which deface the fake bank Web sites created by phishers.

The Honeynet Project, which places heavily monitored servers on the Internet to watch attackers' tactics, has seen an increase in phishing aimed at the clients of smaller financial institutions, said Thorsten Holz, a researcher with the German Honeynet Project.

"That's the direction that phishers are heading," he said. "Nowadays, many people know that phishers are hunting for Ebay and Paypal accounts, but many don't know that banks are a target."

Students and staff at the University of Michigan learned the lesson last fall, when an email message purportedly from a local bank lured several people into giving up their user names and passwords, said Linda Green, a spokeswoman for the University of Michigan's Information Technology Central Services department.

In May, when the credit union that serves the university was targeted with a similar attack, the ITCS staff sent out warnings, advised the credit union of the issue and convinced the local paper to cover the story. In the end, no one fell prey to the attack, nor when a third email popped up earlier this month, Green said.

"We feel that we have dodged the bullet this time," she said.

Last month, the customers at more than 30 credit unions became targets of phishing scams, according to data collected by the Antiphishing Working Group, an industry consortium that tracks the problem.

"Many of those attacks appear to be part of a toolkit or the same group of people, because they use the same techniques and wording, merely changing the target names," said Dan Hubbard, a member of the AWG's steering committee and the senior director for security at Internet threat monitor Websense.

May's burst of activity encompassed the most attacks yet aimed at smaller financial institutions, according to the AWG's data. Hubbard is not sure what is behind the increase, however. The countermeasures of larger banks may have diminished returns for the attackers, or the fraudsters may be able to transfer more money from credit unions before they catch on, he said.

"It is so economical and inexpensive to do this, perhaps they are experimenting to see what works best," Hubbard said.

Netcraft's Mutton believes that the customers of smaller banks and credit unions are more trusting and, thus, easier targets for phishing scams.

"You can send fewer emails and get a better response rate," he said.

University credit unions are particularly attractive targets, Mutton added, because attackers can easily generate a pool of likely customers by finding the email addresses of current students.

The University of Michigan's Green agreed, saying that keeping students aware of the issues is somewhat difficult, because every year a new batch of freshmen enter the colleges and have to be taught to be careful,

"We have 6,000 new students every fall," she said. "You don't ever get done educating them."

Related stories

Netcraft launches anti-phishing toolbar
Underground showdown: defacers take on phishers
Japanese 'Yahoo! phisher' arrested

Internet Security Threat Report 2014

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.