
Clive (Administrator)
Phishing attacks get personal
« on: February 09, 2007, 16:59 »
Phishing is getting up close and personal. Once upon a time, phishers were an opportunistic bunch of fraudsters who randomly bombarded innumerable in-boxes with emails purportedly sent from a legitimate organisation.

Counting on a tiny proportion of recipients responding to their spam, they lured a victim through a link in the email to a spoofed website of a legitimate retail or corporate site.

By using misspelled URLs, and faking the appearance of the genuine site with the same design and logos, victims could be tricked into 'verifying' personal information such as credit card details or log-in information which could be used by criminals for financial gain.

"In the old days, phishers made rudimentary mistakes copying the legitimate sites, but now they are much more professional in terms of language, spelling and embedding the right graphics. They are also much better at targeting their intended victims," said Graham Cluley, senior technology consultant for security company Sophos.

Old-school phishers continue to operate, but as internet users wise up, criminals are changing tactics. Rather than casting their net far and wide, phishers are homing in on their victims and using social networking sites like MySpace and Friendster to con confidential information out of surfers.

Security company McAfee's recent Virtual Criminality report reveals that phishing emails increased by 25 per cent over the course of last year. However, it says that while fraudsters are still targeting high-profile banks and ecommerce sites, they are changing the content of their phishing mails away from 'update your details now' scams to more tailor-made messages.

They are also targeting sites which contain a lot of personal information such as dating and recruitment sites.

Last year, 60,000 MySpace users were targeted in a phishing scam which directed them to a fake MySpace login page in order to steal logins and passwords. This is bad news, as McAfee reveal that 90 per cent of people still don't recognise a well constructed phish.

"There is a phishing evolution going on. Phishers are using smarter methods which tie in with the development of Web 2.0. They are taking time to build up relationships with their targets on sites like MySpace to harvest information given within an environment of trust," Greg Day, security analyst at McAfee, told Web User.

"What scares me is how much information people reveal on sites such as MySpace. The boundaries between people in a physical relationship are much more difficult to cross and at a certain level people pull back, but fraudsters are able to build up profiles of individuals through social phishing because people are more trusting of digital personas," said Day.

Phished information can be used for direct fraud, such as applying for loans using a victim's persona or to more effectively target phishing scams. Ecommerce phishes are also becoming more directed.

Many phishes targeting online auction sites now appear as if they are from other users - perhaps enquiring about an item for sale rather than generalised 'update your account information' phishes.

McAfee reveals that these bog-standard phishes accounted for 90 per cent of eBay phishes in February 2006, and 10 per cent were other types. Now, they account for less than 50 per cent.

Sophos's Cluley told Web User that 'spear-phishing', where victims are singled out, is increasing. "We've seen people with large incomes attacked in phishes. For example, one claiming to come from a professional hitman targeted dentists."

"Corporate spear phishing is also being used by criminals who want access to a company's computer system. Emails appear to be sent internally, from the IT department or a colleague, so victims more readily part with information including user names and passwords," added Cluley.

Personalised phishing attacks make financial sense for fraudsters. Research by the Association for Payment Clearing Services (APACS) reveals that while card fraud has shrunk since the introduction of chip and PIN, the cost of online bank fraud from phishing or scamming attacks between 2004 and 2005 doubled to $43.3m from $22.8m.

"The benefit for the phishers is that the return rate is much better from targeted attacks as the more emails they send, the more likely they are to be detected through spam traps which they want to avoid," said Mikko Hypponen, chief research officer at security company F-Secure.

However, the security companies are fighting back against phishers. "Phishers are loosely connected individuals, who work with virus writers and hackers and may only meet online. There are very few arrests as it is difficult to investigate, capture or convict but we work with law enforcement agencies and the Anti-Phishing Working Group (www.antiphishing.org) to eradicate phishing," said Hypponen.

Meanwhile, online banks have introduced tighter authentication to crack down on phishing. "Most banks take phishing attacks on the chin and pay out of their own pocket if their customers are victims, but there will come a time when banks will say to customers - you didn't take enough care - and they will take the hit," warned Sophos's Cluley.
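The misspelled-URL trick the article opens with (a lookalike domain in front of a copied login page) is something a mail gateway or browser extension can check for mechanically, which is what the following added example does. It is my own illustration and not code from the article, from Web User, or from any of the vendors quoted; the protected brand list, the homoglyph table, the edit-distance thresholds, the simplified public-suffix handling and every sample URL are assumptions constructed for the demo.

```python
"""Flag URLs whose domain is a near-miss for a protected brand.

Added example, not code from the Web User article or the forum post
above. The brand list, homoglyph table, edit-distance thresholds and
sample URLs are all assumptions made for the demo.
"""
from urllib.parse import urlsplit

# Assumed brand list: the names a mail gateway is protecting.
PROTECTED_BRANDS = ("paypal", "ebay", "myspace", "barclays")

# Assumed (illustrative, not exhaustive) substitutions seen in lookalike
# domains; multi-character swaps come first so "rn" -> "m" is applied.
HOMOGLYPH_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"))

# Second-level labels under which the registrable name sits one level lower
# (co.uk, com.au ...). A real deployment would use the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'paypa1' compares as 'paypal'."""
    label = label.lower()
    for src, dst in HOMOGLYPH_SWAPS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(url: str):
    """Return (subdomain_labels, registrable_domain_labels) for a URL's host."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    keep = 2
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        keep = 3
    return labels[:-keep], labels[-keep:]


def classify(url: str):
    """Return (verdict, brand) for a URL found in an e-mail.

    Verdicts: 'legit', 'punycode', 'brand-in-subdomain', 'homoglyph',
    'typosquat', 'brand-embedded', 'none'. Checks run from the most
    certain signal to the fuzziest, so the first hit wins.
    """
    sub_labels, reg_labels = split_host(url)
    if not reg_labels or not reg_labels[0]:
        return "none", None
    core = reg_labels[0]

    # IDN homograph attacks surface as punycode ('xn--') labels after parsing.
    if any(label.startswith("xn--") for label in sub_labels + reg_labels):
        return "punycode", None
    if core in PROTECTED_BRANDS:
        return "legit", core
    # paypal.com.attacker.biz: the brand appears left of the registrable domain.
    for label in sub_labels:
        if normalize(label) in PROTECTED_BRANDS:
            return "brand-in-subdomain", normalize(label)
    norm = normalize(core)
    for brand in PROTECTED_BRANDS:
        if norm == brand:
            return "homoglyph", brand
    for brand in PROTECTED_BRANDS:
        max_edits = 1 if len(brand) < 6 else 2  # short brands get a tighter bound
        if levenshtein(norm, brand) <= max_edits:
            return "typosquat", brand
    for brand in PROTECTED_BRANDS:
        if brand in norm:
            return "brand-embedded", brand
    return "none", None


# Constructed sample URLs; none is taken from a real phishing campaign.
SAMPLE_URLS = [
    "https://www.paypal.com/cgi-bin/webscr",
    "http://www.paypa1.com/verify",
    "http://secure.ebay.com.verify-account.biz/login",
    "http://rnyspace.com/login",
    "http://myspcae.com/",
    "http://xn--pypal-4ve.com/",
    "http://paypal-secure-login.net/",
    "http://www.barclays.co.uk/",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, brand = classify(sample)
        print(f"{verdict:19} {brand or '-':9} {sample}")
```

The ordering matters: a brand name sitting in a subdomain of an unrelated registrable domain is checked before any fuzzy matching, because that pattern is exact and cheap, while edit-distance matching is last and bounded per brand so that short names like "ebay" do not match ordinary four-letter words. None of this helps against the internal-looking spear-phishing mails Cluley describes, which need no lookalike domain at all; those call for sender authentication and a second factor rather than URL inspection.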
