Friday, November 22, 2024

Phishing Trends Take an Ominous Turn As Malware Incidents Rise

After a let-up last summer, the phishing scourge appears to be getting worse. The Anti-Phishing Working Group reports the number of unique phishing attacks grew 6.7% in November over the count in October, to 16,882. This represents a new record high for the online fraud, in which criminals use bogus e-mails to trick consumers into giving up passwords, PINs, and other information. Meanwhile, the number of Web sites used by fraudsters to launch phishing attacks jumped 6% to 4,630, though this number remains well below the peak of 5,259 reached in August.

At the same time, phishers appear to be targeting larger Web retailers and online banks again, after a time in which phishing fraudsters seemed to be setting their sights on smaller institutions, such as credit unions. “Interestingly, we are seeing some larger financial institutions and Internet retailers experiencing a renewed round of intense phishing attacks,” the APWG says in its latest report, which was released last week. The number of brands hijacked by fraudsters in November came to 93, down from 96 in October.

One new phishing tactic identified by the report involved Google. In the attack, fraudsters used a spoofed duplicate of the search engine's notably austere home page to gull users into thinking they had already “won” $400. Instructions on the page directed the “winners” to enter their credit card account numbers and shipping addresses. Users who entered this data were then redirected to the real Google site.

Worse, the report says the number of reported trojans, or malicious computer code used by fraudsters to assist in phishing schemes, increased in November as well. The population of Web sites hosting keyloggers, for example, ballooned 21% from October, to 1,044. “Malicious code designed for keylogging consumer data, such as user names and passwords, continues to grow at a rapid and alarming pace,” the report says.

The APWG says another form of malware, known as a redirector, is also on the rise. This type of code sends unsuspecting users to fake versions of the sites they are requesting, even if they type out the addresses rather than rely on e-mail links. One example cited in the report involved online transaction processor PayPal Inc., in which a phishing e-mail contained a link to something called a “PayPal security tool” file. The file turned out to be a redirector that automatically sent users requesting paypal.com to a fraudulent site. The fake site asks for such information as credit and debit card account numbers, billing addresses, and bank account and routing numbers.

Phishing sites remained online for an average of 5.5 days in November, says the APWG, a consortium of software companies, payment-industry organizations, and law-enforcement agencies.

Digital Transactions