Phishing 2009: The Year of the Bad Guys
From a cybercrime perspective, the “success” story of 2009 can be found in phishing attacks, which also caused the biggest losses to the rest of us.
In a recent excellent report, security solution provider Trusteer Inc. details how data collected from “successful” phishing attacks on the banking sector over a three-month period could help cyber criminals pocket a staggering $9.4 million per 1 million bank customers if they took advantage of all the fraudulently obtained information at their disposal.
Trusteer’s report looks at phishing from a slightly different perspective than the one taken by the well-known Anti-Phishing Working Group (APWG), which twice-yearly publishes numbers on detected phishing Websites.
The APWG figures show that 49,084 unique phishing Websites were found in June 2009, the second-highest monthly total since their data collection began. This figure is based on the number of phishing sites found by the group, whether or not the sites were ever visited by Internet users.
Trusteer’s data complement APWG’s figures, as their findings are based on what they deem to be a successful attack -- i.e., one that reached its intended target and received a response from the recipient.
Trusteer achieved their results through a three-month study, during which the company collected data using its own Rapport browser plug-in, which customers use as part of a cyber-crime protection package. The plug-in monitored 3 million computers, recording what was entered and when.
Monitoring of 10 legitimate banking Websites revealed that each week, each financial brand was subjected to approximately 16 phishing attacks, which over the course of a year amounted to a total of 832 attacks on an individual institution.
Even without actual figures, it does not take a great deal of imagination to see the scale of what is going on worldwide as a result of cyber-criminal phishing.
Researchers in this field agree that a colossal number of phishing attacks targeting financial institutions are taking place. Trusteer’s analysis, by contrast, is based solely on “successful” attacks, in which a fraudulent Website was actually reached by a banking customer. The data give a snapshot of the lucrative pickings within reach of these criminal gangs.
Trusteer found that each attack lures about 12.5 of every 1 million customers onto the fraudulent site. Multiplied by the 832 attacks a brand sees in a year, that is roughly 10,400 customers per million, or 1.04 percent of the banking customers surveyed, and 45 percent of those happily give out their credentials, unaware that they are not on their bank’s legitimate site. Trusteer calculated that this equates to up to $9.4 million in annual fraud losses per 1 million online banking clients. So if we estimate 200 million people using online banking worldwide, the result is a staggering $1.9 billion in fraud per annum.
There’s no sign of a fraud slowdown in sight. ICANN’s recent move to put internationalized domain names (IDNs) on a fast-track approval process has been seen by some security professionals as a potential aid to phishing. IDNs greatly increase the number of homograph possibilities: domain names built from characters that render identically or nearly so, in the way a lower-case “l” can already be passed off for the number “1” in ASCII, but now drawing on the far larger Unicode repertoire. Similar-looking URLs are a key component of phishing and fraudulent Websites.
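To make the homograph problem concrete, here is an added example (mine, not Trusteer’s, APWG’s or the article’s) of a small look-alike-domain check: it decodes punycode (xn--) labels back to what the user sees, flags labels that mix scripts, and compares an ASCII “skeleton” of the hostname against a protected brand so that both the classic “l”/“1” substitution and Cyrillic or Greek homoglyphs collide with the real name. The brand examplebank.com, the sample hostnames and the abbreviated confusables table are constructed for the example; a production check would use the Unicode confusables.txt data and the Public Suffix List.

```python
"""Look-alike (homograph) domain detection.

Added example, not from the article or from Trusteer/APWG. The protected
brand, the sample hostnames and the small confusables table are all
constructed for illustration.
"""
import unicodedata

# Hypothetical bank brand to protect.
PROTECTED = ["examplebank.com"]

# Visually similar characters mapped to the ASCII letter they imitate.
# Covers the "l"/"1" trick plus a few Cyrillic and Greek homoglyphs;
# deliberately abbreviated (see the module docstring).
CONFUSABLES = {
    "1": "l", "|": "l",
    "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so the check sees what the user sees."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label as-is
        out.append(label)
    return ".".join(out)


def skeleton(host: str) -> str:
    """Reduce a hostname to an ASCII 'skeleton' so look-alikes collide."""
    s = unicodedata.normalize("NFKD", host.lower())
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop diacritics
    return s.replace("rn", "m").replace("vv", "w")  # multi-character look-alikes


def scripts(label: str) -> set:
    """Scripts used in one label, read off the Unicode character names."""
    found = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # digits and hyphen are script-neutral
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])  # LATIN, CYRILLIC, ...
    return found


def assess(host: str, protected=PROTECTED) -> dict:
    """Return the findings for one hostname; 'suspicious' is True if any fired."""
    uni = to_unicode(host)
    labels = uni.split(".")
    # Assumption: registrable domain = last two labels (true for .com, wrong for .co.uk).
    registrable = ".".join(labels[-2:])
    findings = []
    for label in labels:
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(used)}")
    for brand in protected:
        if registrable == brand:
            continue  # the real site, or one of its own subdomains
        if skeleton(registrable) == skeleton(brand):
            findings.append(f"look-alike of {brand}")
        elif skeleton(brand) in skeleton(uni):
            findings.append(f"{brand} used as a decoy label outside the registrable domain")
    return {"host": host, "unicode": uni, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample hostnames; the last is the punycode form of a Cyrillic-"a" variant.
    samples = [
        "login.examplebank.com",
        "examp1ebank.com",
        "exarnplebank.com",
        "examplebank.com.secure-login.net",
        "ex\u0430mplebank".encode("idna").decode("ascii") + ".com",
    ]
    for h in samples:
        r = assess(h)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["host"], r["findings"])
```

The skeleton comparison is the part that matters for IDNs: a name that differs only by a Cyrillic “а” or a Greek “ο” is byte-for-byte different from the brand, passes any exact blocklist, and is still rendered identically in the address bar, so the decision has to be made on how the name looks rather than on what it contains.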
So looking forward to 2010 without too much of a crystal ball, we can see a few phishing threat vectors to note:
- iPhone and smartphone users. In recent weeks we have seen the emergence of malware aimed at phishing users of cellphone-based banking. As many cellphone banking applications are insecure, it is clear this route will expand greatly for the cybercriminal.
- Web server hacking. With the rapid increase in server compromises via MALfi/RFI (remote file inclusion) and similar exploits, we will see more rogue redirects and cloned banking Websites that fool the user into divulging information.
- Data breaches. These increased greatly over 2009 and are such a jackpot for hackers that there will be a further rise in 2010.
- Good old spam. While most readers of this blog may not succumb to phishing-based spam, with the advent of “snowshoe spamming” techniques, which spread a campaign thinly across many IP addresses and domains so that no single source trips reputation filters, many will fall in 2010.