Phishers look to net small fry

Targeting US credit unions

For Sale sign detail

Online fraudsters have started targeting smaller banks and credit unions in hopes of fooling a larger percentage of customers, according to groups that monitor phishing activity.

Last week, Internet security firm Netcraft published an advisory warning that the number of phishing attacks aimed at smaller financial institutions has jumped significantly over the past few weeks. Users of the company's anti-phishing toolbar reported six new attacks in a 24-hour period earlier in the week.

"Phishers are catching on to the fact that it is easier to target small places," said Paul Mutton, Internet services developer for the firm. "It seems that phishers are diversifying."

Phishing scams use bulk email messages to target a large number of users. The messages appear to come from a legitimate financial institution or business. A common version of the scam informs the recipient that an account has been stolen or a charge placed on their credit card. The potential victim is asked to log into a site to verify their identity, but in reality the fraudsters hope to net the person's financial account information.

While larger banks and e-commerce sites have had to deal with the problem of online email scams targeting their customers - and even supermarkets have had the dubious honor of gaining the attention of fraudsters - for smaller banks and credit unions, it's still a relatively new experience.

The scourge of phishing has drawn the ire of not just customers, but of online vigilantes as well, some which deface the fake bank Web sites created by phishers.

The Honeynet Project, which places heavily monitored servers on the Internet to watch attackers' tactics, has seen an increase in phishing aimed at the clients of smaller financial institutions, said Thorsten Holz, a researcher with the German Honeynet Project.

"That's the direction that phishers are heading," he said. "Nowadays, many people know that phishers are hunting for Ebay and Paypal accounts, but many don't know that banks are a target."

Students and staff at the University of Michigan learned the lesson last fall, when an email message purportedly from a local bank lured several people into giving up their user names and passwords, said Linda Green, a spokeswoman for the University of Michigan's Information Technology Central Services department.

In May, when the credit union that serves the university was targeted with a similar attack, the ITCS staff sent out warnings, advised the credit union of the issue and convinced the local paper to cover the story. In the end, no one fell prey to the attack, nor when a third email popped up earlier this month, Green said.

"We feel that we have dodged the bullet this time," she said.

Last month, the customers at more than 30 credit unions became targets of phishing scams, according to data collected by the Antiphishing Working Group, an industry consortium that tracks the problem.

"Many of those attacks appear to be part of a toolkit or the same group of people, because they use the same techniques and wording, merely changing the target names," said Dan Hubbard, a member of the AWG's steering committee and the senior director for security at Internet threat monitor Websense.

May's burst of activity encompassed the most attacks yet aimed at smaller financial institutions, according to the AWG's data. Hubbard is not sure what is behind the increase, however. The countermeasures of larger banks may have diminished returns for the attackers, or the fraudsters may be able to transfer more money from credit unions before they catch on, he said.

"It is so economical and inexpensive to do this, perhaps they are experimenting to see what works best," Hubbard said.

Netcraft's Mutton believes that the customers of smaller banks and credit unions are more trusting and, thus, easier targets for phishing scams.

"You can send fewer emails and get a better response rate," he said.

University credit unions are particularly attractive targets, Mutton added, because attackers can easily generate a pool of likely customers by finding the email addresses of current students.

The University of Michigan's Green agreed, saying that keeping students aware of the issues is somewhat difficult, because every year a new batch of freshmen enter the colleges and have to be taught to be careful,

"We have 6,000 new students every fall," she said. "You don't ever get done educating them."

Related stories

Netcraft launches anti-phishing toolbar
Underground showdown: defacers take on phishers
Japanese 'Yahoo! phisher' arrested

Sponsored: 10 ways wire data helps conquer IT complexity