Online fraudsters are attacking a much wider variety of brands, including grocery stores and Bitcoin exchanges, showing a growing level of sophistication in their efforts to gull unsuspecting customers out of their money, according to the latest quarterly report from the Anti-Phishing Working Group Inc., an 11-year-old organization made up of payments networks, financial institutions, security-solutions vendors, and law-enforcement agencies.
Indeed, 2014 is likely to be an unusually active year for phishing fraudsters, if the first quarter is any indication. The APWG found 125,215 phishing sites during the January through March period, an increase of nearly 11% over the fourth quarter and the second-highest number the organization has ever detected in a quarter. Only the total of 164,032 sites discovered in 2012’s first quarter was greater.
In like manner, the number of unique phishing reports jumped by nearly 7% over the fourth quarter, to 171,792.
Such robust criminal activity in the quarter following the holiday shopping frenzy, rather than during the quarter containing it, is unusual. “The holiday shopping season is often the highlight of the year” for phishers, Greg Aaron, president of Illumintel Inc. and a senior research fellow at the APWG, tells Digital Transactions News. Illumintel is a Willow Grove, Pa.-based security-services firm for Internet companies.
Still, Aaron is reluctant to make any specific predictions for phishing this year, pointing out that final numbers will depend on too many unpredictable variables. “It can depend on whether certain heavy-duty phishers jump in and do something special, say, a lot of break-ins,” he says.
One clear, and disturbing, trend is the extent to which these cyberthieves are targeting a wider array of brands. While in the past they tended to stick to financial institutions, they are now crafting bogus email pitches for entities in a number of industries, from retailers to Internet startups. “We’ve seen sites like Airbnb being phished, and grocery stores,” Aaron says. Airbnb is an online utility that links property owners with interested renters.
Some 557 brands were used in phishing campaigns in the first quarter, up from 525 in the preceding period. “As long as you’re taking a user name and a password and have a user base, people are going to come after you,” he says.
Even Bitcoin exchanges are starting to find themselves targets of phishing campaigns, according to Aaron. “Criminals like the prospect of having an anonymous currency,” he says.
What makes this trend disturbing is the increasing sophistication it betokens, Aaron adds. Beginning phishers often use kits with ready-made email templates for commonly targeted brands. To go after untested brands, phishers must “design new page templates, come up with a convincing-looking email,” he says. “It takes some effort.”
In phishing campaigns, criminals use spoofed emails to gull consumers into visiting bogus Web sites, where the phishers can download malware onto visitors’ computers and collect sensitive information, such as user names, passwords, and PINs. The emails are designed to appear as if they come from trusted brands, such as banks.
Phishers also have a powerful ally: human gullibility. Aaron points out that there are people who will click through to a new Web site even in the face of a browser warning that the site is suspicious. “Phishing at its heart is taking advantage of human fallibility,” says Aaron. “We’re never going to get rid of that.”