Online fraud: an update (page 1 of 2)

From simple attempts at social engineering to "phishing" to "pharming" to "spear phishing," fraudsters have proven especially resourceful at modifying their behavior. The result has been a shift in the threat landscape. As the latest Symantec Internet Security Threat Report observed, attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets.

"Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud." ("Symantec Internet Security Threat Report Vol. VIII," September 2005)

This article looks at the most significant online threats and the steps organizations can take to stop them.

The evolution of phishing

One of the more worrisome findings of the latest Threat Report concerns the continued increase in phishing attacks. Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. Consider these statistics:

• In the first six months of 2005, Symantec blocked 1.04 billion phishing attacks, compared to 546 million in the last six months of 2004, a 90% increase in messages blocked.

• Between January 1 and June 30, 2005, the volume of phishing messages grew from an average of 2.99 million messages a day to 5.70 million.

• One out of every 125 email messages scanned by the Symantec Brightmail AntiSpam solution was a phishing attempt, an increase of 100% from the last half of 2004.

These figures are borne out by the latest report from the Anti-Phishing Working Group. In August, the APWG detected 5,259 unique phishing Web sites, the highest number ever. The APWG surmised this may reflect an increasing tendency of phishers to target a diverse group of smaller brands, as well as "an increased use of multiple sites to host a single attack, in order to increase their resiliency to takedown efforts."

While the financial services sector continues to be the most targeted industry sector (accounting for nearly 85% of all attacks in August), the APWG said it is now seeing a number of new targets, including insurance companies, credit unions, payment services, and even an ATM network (such attacks are commonly referred to as "puddle phishing"). The APWG said it is also finding an increase in the number of reported attacks against European financial institutions and ISPs. More attacks against customers of Canadian institutions are being reported as well.

A dramatic rise in malicious code

As disturbing as the rise in phishing attacks has been what the Threat Report calls the "massive increase" in malicious code. Over the first half of 2005, Symantec documented more than 10,866 new Win32 viruses and worms, an increase of 48% over the 7,360 documented in the second half of 2004. (It's also an increase of 142% over the 4,496 documented in the first half of 2004.) The increase is primarily due to the rise of Win32 variants that implement bot features -- such as remote access through IRC channels and denial of service capabilities -- that attackers now use for financial gain. For instance, use of the Spybot, Gaobot, and Randex bots has risen dramatically because their source code is available to the public. And as the Threat Report puts it: "The number of new variants is all the more remarkable considering that the number of existing families has not changed appreciably over the past four reporting periods.