Antispam vendors, browser makers and Internet service providers have been on the front lines in the battle to contain phishing attacks, but the cybercriminals behind phishing campaigns are getting savvy at defeating technologies and tricking victims into giving up their credentials and other data.
To get security news and tips delivered to your inbox,
Phishing has evolved since it was first detected about five or six years ago when poorly worded email messages attempted to dupe the least Internet savvy users into clicking a link to a phishing website. The technique was easily detectable in the early days, but in 2009, phishers have taken the method to a whole new level.
Automated toolkits enable even the least technically savvy phisher to buy and maintain hundreds and even thousands of phishing domains designed to look like legitimate websites. While the primary means of phishing still relies on spam messages, phishers are turning to social networks, such as Twitter, Facebook and others to spread malicious links. Social engineering techniques have gotten better, making phishing messages more difficult for end users to distinguish. Even legitimate websites -- if they contain a vulnerability --are at risk of hosting malicious code resulting in a man-in-the-middle attack designed to steal the credentials of visitors.
FBI raids phishing crime ring, nearly 100 arrested: Bank of America Corp. and Wells Fargo & Co. were targeted in an international scheme that had U.S.-based runners funneling pilfered funds to phishers in Egypt.
Phishing attack uses pop-up message on bank sites: Security researchers have discovered a new phishing method that forces pop-up login messages to appear on legitimate banking websites.
Phishing, identity theft keeps law enforcement, researchers occupied: An expert on cybercrime and online scams, Derek Manky, is one of the members of the Fortiguard research team.
"Whether it is phishing or malware, the one thing we cannot do is blame the victims," said Mary Landesman, senior security researcher at Web security services vendor ScanSafe Inc. "The world has changed in terms of security risks and I don't think by and large that people's perceptions have."
Despite all the technologies designed by security vendors to root out phishing attacks and malware; despite multiple raids by the FBI to shut down phishing rings and despite the FTC's action earlier this year to shut down a rogue ISP known for hosting phishing domains, security experts say more needs to be done to educate end users and help registrars and ISPs identify and shut down phishing websites.
"If can imagine the volume of websites registered on daily basis it's difficult for them to get a handle over it," said Dermot Harnett, the principal analyst for antispam engineering at Symantec. "Phishing toolkits have resulted in less complexity and it's relatively cheap if someone wants to start up with hundreds and even thousands of domains."
According to statistics collected by Symantec, 25% of phishing URLs in September were generated using phishing toolkits. The number was even greater in August when a popular phishing toolkit was used by a number of cybercriminals.
Phishers are turning to typo squatting, registering websites one or two letters off of a popular legitimate website, with the hopes that a person types the wrong key, landing on the phishing Web page. Making tracking and shutting down of phishing domains even more difficult is the use of free Web hosting services, which require little to almost no information to register and maintain, Harnett said. According to Symantec, more than 110 Web hosting services were used in September, which accounted for 11% of phishing attacks.
Technology is helping reduce the threat, said Dave Jevans, founder and chairman of the Anti-Phishing Working Group (APWG), Antiphishing measures such as extended validation EV SSL certificates have been implemented as features embedded in browsers to help people determine if a website is legitimate. Two-factor authentication deployed at many financial institutions as part of account login procedures have helped reduce the threat, Jevans said.
Jevans said the actions of the FBI and Egyptian authorities to shut down more than 100 people involved in an international phishing ring could have a deterring affect, but measuring its success will be difficult, he said. Instead, Jevans and others are working with the Internet Corporation for Assigned Names and Numbers (ICANN) to develop a way registrars can remove domains responsible for phishing and drive-by malware attacks.
"We are coming closer to opening up better communication with ISPs and registrars," Jevans said. "It's not something that will be solved overnight or even in the next year or two."
ISPs have recently come on board to design better user education campaigns with the hopes of reaching out to home users with little or no technical expertise, Jevans said. User education can be the easiest and most cost effective way to combat phishing. The simple action of regularly changing your password could help most people avoid showing up on the next list of victims, said ScanSafe's Landesman.
"Even if you have to write your passwords on a sticky note and post it to your computer screen, change your passwords," Landesman said. "You're more likely to get a phishing email or download malware than have someone break in and steal your computer and your sticky note."