CUInfoSecurity.com

How Phishing Attacks Are Evolving

Poor Internet Hygiene Enables Criminal Activity

By Tracy Kitten, March 7, 2013.

Phishing attacks are up, and the methods are changing. Paul Ferguson of the Anti-Phishing Working Group explains how phishers are fine-tuning their schemes and exploiting cross-platform technologies.

From PCs and Macs to mobile devices, cybercriminals no longer have to be selective about the operating systems they target, says Ferguson, vice president of threat intelligence for online security company IID, a member company of the Anti-Phishing Working Group.

"What we have seen lately are attacks on cross-platform software," he says. "They only care about plug-ins or the browser. They don't care about the operating systems."

Increases in cross-platform technologies have made phishing attacks more fruitful, Ferguson explains, because they've made it easier for attackers to compromise desktops, laptops, mobile devices, websites and servers, all from a single campaign. "The cross-platform technologies are suffering from what I call 'the tragedy of the masses,' and criminals are taking advantage."

During the first half of 2012, phishing attacks throughout the world were up 12 percent from the first half of 2011, according to the APWG's Global Phishing Survey. Ferguson says he expects a similar increase to be revealed once incident numbers are crunched for the second half of last year.

According to separate phishing figures collected by the APWG for the third quarter of 2012, the financial [34.4 percent] and payment-services [32.1 percent] industries were the most-often targeted by phishing campaigns, Ferguson says. He also notes that independent research conducted by IID reveals that the fourth quarter of 2012 saw a significant increase in the number of phishing scams posing as online gaming sites -- using a unique domain name combined with a unique phishing target.

In these scams, a malicious or fake site posing as a legitimate gaming site was used to con consumers into manually entering their online banking credentials directly to the site.

None of the research, however, included estimated financial losses linked to these emerging scams.

The problem is poor Internet hygiene, Ferguson says. "People who are using these platforms are not using the proper care to keep the software current," he says. "When vulnerabilities are found, the criminals can use them to inject code, and then use the sites to perpetrate other crimes," such as launching phishing campaigns.

But it's not just websites that are being targeted. Personal computers also are being compromised and being used as launching pads for spam and phishing campaigns, Ferguson says. It's not a new phenomenon, but one that continues to grow, highlighting how the online industry is failing to address inherent Internet security and user vulnerabilities, he says.

During this interview, Ferguson discusses:

  • The challenges organizations and security firms face when it comes to mitigating spear-phishing risks;
  • How initiatives such as DMARC, or Domain-based Message Authentication, Reporting & Conformance, can reduce phishing;
  • Why the growth of social networking has fueled phishing's success.

At IID, Ferguson monitors online traffic patterns and advises client companies about phishing trends and other threats. As part of the APWG, he works to spread the message about the need for stronger online security to global organizations.

Follow Tracy Kitten on Twitter: @FraudBlogger
