News

Organization Finds Huge Jump in Phishing Scams

• By Scott Bekker
• 03/01/2004

The working group's January report, released in mid-February, found 176 unique new phishing attacks in January, a 52 percent increase over the 116 phishing attacks reported in December. The working group was founded by Tumbleweed Communications and first met in November. It includes banks, financial services institutions and e-commerce sites.

Phishing refers to the effort to get users to give up their private financial information such as passwords, PINs and other identifying or security information through a combination of technical means and social engineering. Most efforts involve an e-mail with a spoofed sender address that asks users to link to and fill out information on a Web page that is a spoof of, or similar to, a legitimate institution the user would recognize.

The working group's January report found that the highest number of unique spoofing attacks attempt to fool users into thinking they are being contacted by eBay. The online auction site is the target for 51 new attacks in January, compared with 33 in December and six in November. Other attractive false fronts and the number of unique new attacks that target them in January were Citibank with 35, AOL with 34, PayPal with 10 and Earthlink with nine.

Some of the most popular avenues of Phishing attacks were cut off by a Microsoft Internet Explorer patch released on Feb. 2. (See story). It will be interesting to see if the number of new attacks in February or March taper off as more and more browsers become immune to the simplest attacks.

Some 32 percent of phish attacks in January exploited a URL syntax for user authentication in Internet Explorer that allowed the use of an @ symbol to appear as one Web site while actually visiting another. A related flaw involving a %01 or a %00 before the @ symbol accounted for 7.8 percent of new phish attacks in January.

A Danish security firm, Secunia, highlighted the IE problem on Dec. 9 and the first phishing attacks based on it began appearing Dec. 18, according to the working group. Microsoft posted a workaround in December and a full patch on Feb. 2.

Another popular method of phish attacks is the use of a cousin URL that resembles the authentic URL of a trusted institution but points to a scammer's site. Examples provided by the working group included aol-wallet.com, www.ebay-secure.com and www.yahoo-billing.com. According to the working group, so-called cousin URL attacks accounted for 9.3 percent of unique phishing attacks in January.