Phishing activity began to abate in the latter half of 2012, but Web-site operators and consumers can’t let their guard down against this insidious online crime, according to the latest report from the Anti-Phishing Working Group.
The report, which covers the third quarter of last year, documents a steady decline in both the number of unique sites hosting phishing attacks and the volume of reported attacks. The number of phishing sites detected by the APWG fell in step-like fashion from 63,253 in April to 46,895 in September. But the reduced level in September actually indicated “a return to historical phishing levels after a period of high activity,” the report warns, noting the September 2011 number was 48,410. “Phishing attacks targeting consumers remained at high levels during the quarter. There are hundreds of phishing websites established online every day, and each campaign can involve hundreds of thousands or millions of e-mails sent to consumers.”
Similarly, the volume of reported phishing campaigns dropped during the quarter from 30,955 in July to 21,684 in September. The latter figure is roughly half the all-time high of 40,621 reports in August 2009, according to the APWG report.
But the lower activity doesn’t mean online criminals have suddenly gone straight, experts warn. “Some professional phishers have moved from perpetrating mass phishing campaigns to exploit-style malware attacks,” Rod Rasmussen, president and chief technology officer at online-security vendor Internet Identity, says in the APWG report. “These don’t show up as traditional phishing attacks. If anything, there are probably more ‘lures’ of all types being generated, but with the destination being an exploit site with a drive-by download that infects users directly with malware, rather than a phishing site that attempts to steal credentials via social engineering.”
In a conventional phishing attack, criminals send out mass e-mails hoping to gull unsuspecting consumers into revealing sensitive information such as passwords or PINs that can then be used online to loot bank accounts or fraudulently order merchandise. The e-mails are usually dressed up and written as if they came from a trusted source, such as a bank or government agency.
The low cost of mounting such campaigns virtually guarantees the phishing menace isn’t going away any time soon, experts say, despite the documented declines. Ihab Shraim, chief information security officer and vice president for antifraud engineering and operations at MarkMonitor, a vendor of online brand protection, is quoted in the APWG report as noting, “It is unlikely that traditional phishing will stop since the cost of producing a phishing attack is almost insignificant. Also, the decline is not universal across all brands.”
Payment services were the target for nearly one-third (32.1%) of phishing attacks in the third quarter, trailing only financial services at 34.4%. Both percentages were virtually unchanged from the second quarter, according to the report. Retailers accounted for 7.8% of attacks, while campaigns against auction sites nearly doubled, from 2.3% to 4.5%. Social networks accounted for nearly 3% of attacks.
Ten years old this year, the APWG is a non-profit association embracing financial institutions, retailers, vendors, and law-enforcement agencies. It claims more than 2,000 participating organizations globally.