Cybercriminals are cranking out fake Web sites branded as eBay, banks, and other financial companies to the tune of tens of thousands every week, according to new research.
During a three-month study of its global malware database, Panda Security found on average 57,000 new Web sites created each week with the aim of exploiting a brand name in order to steal information that can be used to drain people's bank accounts.
About 80 percent of those were phishing sites designed to trick people into entering their login credentials or other information on what they believed to be a legitimate bank or other Web site. The remainder were URLs associated with command-and-control servers used in Western Union-related e-mail phishing attacks that trick people into opening an attachment that downloads a Windows-based data-stealing Trojan, said Sean-Paul Correll, threat researcher at PandaLabs.
The study found that 375 high-profile brand names were being used for the fraud, with eBay (23 percent) and Western Union (21 percent) together comprising 44 percent of all the malicious Web sites discovered. Rounding out the top 10 list of exploited brands were: Visa, United Services Automobile Association, HSBC, Amazon, Bank of America, PayPal, Internal Revenue Service, and Bendigo Bank (Australia).
For the phishers, banks were obviously the most popular choice to mimic, at 65 percent of the total, followed by online stores and auction sites, investment funds and stockbrokers, government organizations and payment platforms.
How the attacks work
Typically, phishing attacks arrive in an e-mail message that looks like it comes from a popular bank or other institution. It uses some ruse, such as a claim that the recipient's account is about to be suspended, to entice the recipient to click an included link. The link directs to a fake site where the user is prompted to provide information like login credentials, which is later used on the underground criminal market to steal money from the account.
It might sound like a lot of work creating all the new fake Web sites, but actually it can be done fairly quickly by copying the source code of the Web site they want to fake and making minor changes, Correll said.
And there are toolkits to help do this. Symantec's spam and phishing report for September (PDF) says phishing messages were up in July primarily due to a 92 percent increase in phishing sites created by automated toolkits.
In the Western Union example, which is not a phishing attack but rather a standard malware infection that exploits the brand, recipients get an e-mail that looks like it comes from Western Union. It informs them that there is an incoming wire transfer and prompts them to download the attachment. Opening the attachment installs the Trojan on the computer.
"The Western Union scam has been going on for years," Correll said. "It's one of the most common things we see on the threat landscape today."
There is also a phishing attack targeting Bank of America customers that downloads malware onto the victim's computer; the malware adds fields to the bank login page asking for a debit or credit card number and PIN, and sends that information back to the criminals, he said.
Unlike the Trojan attack, which targets Windows users, most phishing attacks designed to trick a user into revealing information affect all computer users regardless of what operating system they are using.
PandaLabs demonstrates exactly how the attacks work in a video.
Identifying an attack
While many people are duped by the fake e-mail messages and attachments, there are typically some obvious clues that the message is not legitimate. Usually there are egregious misspellings, poor grammar, and bad punctuation. The Web addresses typically look fishy even at first glance: they lack the "https" that banks and other firms use to indicate that the connection to the Web server is secure, and the address is convoluted. And there is no customer name in the body of the message in many phishing attacks, although depending on the sophistication of the operation they can be very customized.
To avoid being victimized by a social-engineering attack that uses a legitimate brand to trick you, avoid clicking links or opening attachments in e-mail. Go to the company's Web site by typing in the real URL in a browser to sign in or contact the company directly via the Web site e-mail address or phone to verify information. And don't give out personal and sensitive information requested via e-mail. And keep antivirus and other security software up to date. (More tips and information are in "FAQ: Recognizing phishing e-mails.")
An eBay representative had some more specific tips about avoiding fake Web sites:
If you think you've been led to a fraudulent site to make a purchase, go directly to www.eBay.com and navigate to the listing via the home page search function. If you cannot find the listing by using the seller ID or the item number, the listing is a fake.
To determine if the Web address in your browser is a real eBay address, look for ".ebay.com" immediately before the first "/". There must be a "." before eBay.com for the address to be legitimate. (More tips from eBay are here.)
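The address check in that tip is easier to get right on the parsed host name than on the raw address text. The sketch below is an added example, not code from eBay or PandaLabs; it uses the JavaScript URL parser, the function names are hypothetical, and every sample address is constructed from reserved documentation names.

```javascript
// Added example, not eBay's code. Sample addresses are constructed;
// example.net, shop.example and 203.0.113.5 are reserved documentation names.
const BRAND_DOMAIN = "ebay.com"; // the domain named in the tip

function checkBrandAddress(address, brandDomain = BRAND_DOMAIN) {
  let url;
  try {
    url = new URL(address); // WHATWG parser, the rules browsers follow
  } catch {
    return { ok: false, host: null, https: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, host: null, https: false, reason: "not a web address" };
  }
  // hostname is lower-cased and excludes the port, the path and any "user@" prefix.
  const host = url.hostname.replace(/\.$/, "");
  const https = url.protocol === "https:";
  if (url.username || url.password) {
    return { ok: false, host, https, reason: "text before '@' is not the site name" };
  }
  // The tip requires a "." before the brand domain, so the suffix test includes it
  // (a bare "ebay.com" host is therefore not accepted by this literal reading).
  if (!host.endsWith("." + brandDomain)) {
    return { ok: false, host, https, reason: "host does not end in ." + brandDomain };
  }
  return { ok: true, host, https, reason: "host ends in ." + brandDomain };
}

const SAMPLES = [
  "https://www.ebay.com/itm/000000000000",
  "http://www.ebay.com.example.net/itm/000000000000",
  "https://www.ebay.com@203.0.113.5/signin",
];

// One PASS/FAIL line per sample address.
function report(samples = SAMPLES) {
  return samples.map((s) => {
    const r = checkBrandAddress(s);
    return `${r.ok ? "PASS" : "FAIL"}  ${s}  (${r.reason})`;
  });
}

console.log(report().join("\n"));
```

Only the first sample passes: in the second the brand name is just a label in front of another domain, and in the third everything before the "@" is a user name rather than the site.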
But the most important thing is to not click Web links in unsolicited or suspicious e-mails.
"It's hard to get people to not click on the links because people want convenience," Correll said. "We constantly run into that problem, of (balancing) security versus convenience."