More brands targeted as phishing attacks soar

Phishing attacks reached a new high at the end of 2005 after growing steadily all year, according to a study published Wednesday.

The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report, published by the Anti-Phishing Working Group, an industry consortium that provides information on phishing trends.

Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites, and are used by criminals to try and trick Web users into revealing personal information and account details.

The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 percent to 93 percent in November.

Despite these statistics, businesses should not worry about the effect on general consumer confidence, according to Internet security company Websense.

"One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down," said Mark Murtagh, Websense technical director for Europe, the Middle East and Africa. "Although phishing is increasingly in the news, online banking is increasing in popularity."

Top brands continue to be hijacked, with phishers using established names to try to lure people to their sites, Websense said. Most phishing sites spoof global e-commerce and banking institutions.

"eBay is often spoofed, for obvious reasons," Murtagh said. "Google is increasingly being targeted because of its expansion into different business application models. The big banking names are used too--HSBC, Citigroup, Lloyds--all the major brands".

Phishers' use of global brands is understandable, said Murtagh. "There's no point in using local names if the attack is global."

Attacks are becoming increasingly sophisticated, with a quarter of all phishing Web sites hosting keylogging malicious software. Users can become infected just by visiting the sites, Murtagh warned.

"Before, people had to click on a site to download malicious code. If they went to a Web site and thought it looked 'phishy,' they could leave and probably not be harmed. Now with most phishing sites they just have to visit one to become infected.

"Twenty-five percent of those sites now host keylogging code, and if you visit one you will probably open yourself to identity theft or fraud."

Tom Espiner of ZDNet UK reported from London.

[Mister C]

And the Companies?

Most of the target companies do very little to help the problem. If you try to report a scam their web pages are so cluttered with junk that you can't even find a email address to report the problem to.<br /><br />Surprisingly, eBay (spoof@ebay.com) and PayPal (spoof@paypal.com) make it real easy. Just forward the suspicious mail to them, it only takes a second and the quicker they find out about the scam the quicker they can take steps to stop it. <br /><br />Amazon on the other hand requires going through several pages and filling out a form, and they never do provide an email. Many banks are just as bad, they want you account number etc. To them I say you get what you deserve. Make it really inconvenient to report a problem and the cry about it. <br /><br />If people would take a proactive approach to these things we could stop these guys in their tracks. But I guess it is like dogs. Some will go out and look for food when they get hungry and others will just lay at their dish and whine.

[Eskiegirl302]

I hate to burst your bubble but...

I have a phish mail sitting in my in box as we speak. I know for certain it is one. I will let you see it. Here it is.<br /><br /> Security Center Advisory!<br /><br />We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address and we have reasons to belive that your account was hijacked by a third party without your authorization. If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you.<br /><br />If you are the rightful holder of the account you must click the link below and then complete all steps from the following page as we try to verify your identity.<br /><br />Click here to verify your account<br /><br /><br /><br /><br />If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.<br /><br />Thank you for using PayPal!<br />PayPal Email ID PP697<br /> <br />Now, in the first place, I do not have a pay pal account. In order to report this to pay pal, I would first need an account. Well, I don't want an account because I know that pay pal and ebay are third party sites. They are very vunerable to attacks so I steer clear of these kinds of sites.<br /><br />Ok so now what? I cannot report to ftc because I have not been victimized. I went to one site that looks like a pay pal site. I reported this to them. Here was my answer:<br /><br />webform@paypal.com &lt;webform@paypal.com&gt;<br /><br />TO Me:<br /><br />Thank you for writing to PayPal regarding the email you received.<br /><br />Because this is not an eBay or PayPal member, website, or email, we are<br />unable to determine if this email is legitimate. While it may be<br />considered spam or possibly even fraudulent, it is not something we can<br />determine on behalf of other companies. This email should be reported to<br />the company that appeared to send it for their assistance and<br />investigation. Normally, to do this, you would substitute the word<br />"abuse" in place of the name in front of the @ symbol. For example, if<br />the email was sent from user@goodmail.com, you would send your report to<br />abuse@goodmail.com.<br /><br />In addition, you may also want to see if online customer support is<br />available for this company. As for eBay, please forward any suspicious<br />emails to spoof@ebay.com for our review and investigation. I also invite<br />you to take this time to familiarize yourself with eBays Security Center<br />for helpful information on this topic. A link to our Security Center can<br />be found below:<br /><br /><a class="jive-link-external" href="http://pages.ebay.com/securitycenter/index.html" target="_newWindow">http://pages.ebay.com/securitycenter/index.html</a><br /><br />Thank you again for reporting this email. I hope this information will<br />be helpful.<br /><br />Sincerely,<br />PayPal Account Review Department<br /><br />By the way, Check out this site. I thought you reported stuff here and this mail was what I got.<br /><br />Now can you please tell me why I should open an account, spend all my time running around on the site, to review their security rules? When all I want to do is report this fraud? I have things to do other than visit pay pal and ebay and checking out their way of doing business and what they offer. BTW...Here is something you might want to see too&gt;&gt;&gt;&gt; <a class="jive-link-external" href="http://www.paypalsucks.com/" target="_newWindow">http://www.paypalsucks.com/</a> This might teach u something about dealing with third party people who try to control your money.<br /><br />Ok so now what? Still I have this phish and am wondering just what to do with it.<br /><br />Any Ideas? You just really have no place to report. So should I just delete and forget it? I have looked into a number of sites and to no avail. You cannot copy and paste headers from gmail. It does work. If I forward it, it may lose pertinent information such as the original sender. Does anyone know what to do with this?

[Macsaresafer]

Legitimizing spam is the problem.

Everybody wants your email address so they can "market" to you <br />over the internet. Companies that you do business with will <br />claim they're not spamming you because they already have a <br />buisness relationship, and now they're shocked that con men are <br />taking advantage. Email is in serious danger of becoming <br />unusable because first you have to sort through the spam, then <br />you have to determine what is a legitimate unsolicited email. <br /><br />Until businesses stop sending junk email, phishing isn't going <br />away. If I only got emails from my bank when they had a <br />question about a specific transaction, there wouldn't be any way <br />a phisher could fool me into thinking they were my bank. <br />Instead, I get emails that make it easy for phishers like this:<br /><br />We are happy to have the opportunity to serve former Fleet <br />customers like you. We are committed to providing you with <br />important financial information and to protecting your privacy <br />and security.<br /><br /><br /><br /><br /><br />As part of our service to you, we may occasionally send you <br />informative e-mail to:<br /> Keep you up to date on special offers, products, features, <br />and services<br /> Let you know how Bank of America and its associates can <br />help you financially ? wherever you are in life<br /> Provide you with the tools and resources you need to make <br />sound financial decisions<br /> Assist you with your small business or your business <br />interest<br /><br /><br /><br /><br /><br />You can rest assured that we take steps to protect your <br />information, including your e-mail address, and will not sell or <br />share it with marketers outside Bank of America who may want <br />to offer their own products and services. Read our Privacy Policy <br />to find out more.<br /><br /><br /><br /><br />Bank of America is committed to your security and protection. <br />Please be aware that we will not e-mail you to request or verify <br />security information about passcodes, PINs, or other sensitive <br />details. To find out more, please see Information Security. <br /><br /><br /><br /><br /><br /><br /><br />You can help us provide you with relevant information by taking <br />a moment to tell us your e-mail preferences. And remember, if <br />you'd like to stop receiving promotional e-mail from us, you can <br />unsubscribe at any time. <br /><br /><br /><br />THIS IS A PROMOTIONAL E-MAIL FROM Bank of America. AND <br />YOU MAY OPT-OUT FROM OUR PROMOTIONAL E-MAILS AT ANY <br />TIME. IF YOU'D LIKE TO BE OPTED-OUT WITHIN 10 BUSINESS <br />DAYS, PLEASE UPDATE YOUR E-MAIL PREFERENCES.<br /><br />The security and confidentiality of your personal information is <br />important to us. BECAUSE E-MAIL IS NOT A SECURE FORM OF <br />COMMUNICATION, THIS E-MAIL BOX IS NOT EQUIPPED TO <br />HANDLE REPLIES. If you are a Bank of America customer and <br />have sensitive account-related questions, please call the phone <br />number provided on your account statement or the appropriate <br />phone number indicated in the following "Contact Us" link so we <br />can properly verify your identity. For all other questions or <br />comments, please use the Web forms available via Contact Us. <br /><br />We respect your privacy, and you can rest assured that we <br />protect your information, including your e-mail address, and will <br />never sell or share it with marketers outside Bank of America. To <br />find out more, please read our Privacy Policy. <br /><br />Bank of America E-mail, 6th Floor, 101 North Tryon Street, <br />Charlotte, NC 28255-0001<br /><br />Bank of America, N.A. Member FDIC. Equal Housing Lender<br />© 2005 Bank of America Corporation. All rights reserved.

[lazarus_vendetta]

Phising Scams

As long as thier is money there will be people trying to take it. The best idea would be to have a better way to report these scams to catch these punks. For one a fake amazon.com e mail came to my box, i knew it was scam cause it was not a very good one so i tried to report and learned that amazon.com really didnt care cause i never recieved another e mail and it was very diffucult to find a place to report this news. Well i still like shopping with amazon but i wish they would care more about these scams. i got the malicous email during christmas and i feel real bad for anybody that was duped by this scam probably made for a very unmerry christmas

[Mister C]

This may help

You are quite correct, Amazon customer service is run by marketing folks. Their approach is simply to prevent anything negative getting through so higher-ups never get to see it (job security).<br /><br />After some searching and several complaints to Amazon they provided the following email for scams:<br /><br />stop-spoofing@amazon.com<br /><br />There is also a really good 3rd party web site located here:<br /><br /><a class="jive-link-external" href="http://clicheideas.com/amazon.htm" target="_newWindow">http://clicheideas.com/amazon.htm</a><br /><br />Good Luck!

[jamalystic]

I think teaching individuals to identify these attacks will be the key to curbing this new wave of phishing. Whilst we may employed additional security measures by way of technology, it will be most appropiate if folks are given the necessary information on how to identify these attacks. I believe these attacks have a common denominator which can be easily noticeable: Identifying A Targeted Attack ( <a class="jive-link-external" href="http://www.internetevolution.com/author.asp?section_id=670&#38;doc_id=156701&#38;F_src=flftwo" target="_newWindow">http://www.internetevolution.com/author.asp?section_id=670&#38;doc_id=156701&#38;F_src=flftwo</a>)