Digital Transactions Authoritative, insightful and timely information for payments professionals
August brought some relief in the generally rising onslaught of phishing, with the number of newly detected, unique Web sites hosting attacks dropping dramatically to 10,091 from a record 14,191 in July, according to the latest report from the Anti-Phishing Working Group, which monitors the online fraud. Similarly, the number of financial-services, retail, and other brands used by phishers in their bogus e-mails and sites fell slightly, to 148 from July's 154, which also represented a record. There was also better news on the malware front. Trojans used by phishers dropped in August to 172 unique applications, down from 182 in July and the lowest number found since November 2005. These bits of code are especially pernicious, since they are able to track not only users' keystrokes but also types of organizations accessed, including banks and retailers, to pick up key information needed to gain access to online banking programs, e-commerce applications, and mail sites, according to the APWG, which reports on phishing trends each month. Despite this seeming let-up, however, fraudsters kicked their attacks into higher gear in August. The number of unique e-mail campaigns reached 26,150, the second-highest recorded by the APWG, which has been tracking phishing since November 2003. That's up 10% from July. And despite the drop in malware applications, the number of sites hosting phishing-related keyloggers climbed fully 24%, to 2,303. That's still far short of June's record 2,945, however. The average uptime for a phishing site in August was 4.5 days, with the longest-lived site reaching 31 days. Phishing and related fraud worries e-commerce sites and processors not only because of the financial losses stemming from the theft of consumer passwords and other key data, but also because the trend undermines consumer confidence in the online channel. It also concerns physical merchants and banks because PINs and account numbers stolen via phishing campaigns can be used with fake cards at point-of-sale terminals and at ATMs. In phishing campaigns, fraudsters use the familiar logos and slogans of trusted banks and other entities in e-mails that induce recipients to visit sites where they are admonished to enter sensitive information, allegedly to “secure” a “compromised” account, win a prize, or satisfy some other bogus need. The APWG is a consortium of software vendors, transaction processors, banks, law-enforcement agencies, and card companies.
