August 3, 2005 8:40 AM PDT

Antiphishing group casts line at new threats

Faced with a rise in so-called pharming and crimeware attacks, the Anti-Phishing Working Group will expand its charter to include these emerging threats.

The shift may serve as a harbinger, raising the question of whether phishing will eventually become passe--despite the current rise in phishing incidents.

"Over time, as banks get a better grip on fighting conventional phishing that uses social engineering, phishers will be forced to find other vectors of attack," Peter Cassidy, secretary general for the antiphishing group, said Wednesday.

Within a couple of years, he said, conventional phishing could become obsolete. "It could be even faster. Events have always eclipsed our expectations," Cassidy said.

Conventional phishing campaigns reported to the group rose less than half a percent to 15,050 in June over the previous month, according to the group. But pharming attacks climbed 6 percent to 526 cases in the same period and crimeware cases soared 95 percent to 154, according to the group.

Phishing involves criminals sending out bogus e-mails in the hope that people are fooled into sharing personal information such as bank account passwords and credit card information.

In pharming attacks, people are redirected to a bogus Web site that looks legitimate. Once the victims are redirected to the bogus site, keyloggers are downloaded to steal information from the person or to dupe them into disclosing personal data.

With the rapid rise in crimeware, which is spyware designed to steal identities rather than just monitor online behavior, the group this month launched "Project Crimeware."

The project will investigate malicious software that steals consumer, government and corporate access credentials with the aim of launching attacks, stealing identities or engaging in financial fraud.

The antiphishing group's "belief is that conventional phishing via social engineering schemes will be eclipsed by advanced, automated crimeware based on keyloggers, redirectors and session hijacking technologies," David Jevans, the group's chairman, said in a statement.

5 comments

keyloggers are downloaded ... and then what?
"keyloggers are downloaded" ... and then what?

Downloaded files do nothing. They have to be installed and run to do harm. And to achieve that someone has to install and run them. They only work if they have permission to work, and most Windows users do allow any program to have access to any resource.

See http://nonadmin.editme.com
Posted by hadaso (468 comments )
and then what
Most? Did I read correctly? If MOST computers didn't have access to files, or admin's privileges, THEN WE WOULDN'T HAVE MOST THE SPYWARE AND VIRUSES we have now. Simple. A little bit of users don't do that. But, usually, included with spyware and keyloggers are codes to make it execute by itself.
Posted by (75 comments )
The problem is not key logging by slaves and trojans
I agree that key logging has to be activated however it is not that simple. A cyber crook is expert at putting things on your screen that reverse click so you think you are closing it out as you are really turning your PC or laptop into a slave that will do what they want.

So the answer is keep the ID off the Internet by using a box outside a box that does not link onto the internet. If we can do that, then, well, game is over for the cyber crooks.

That is what I think. Ciao now.

Janet
Posted by Iohagh (54 comments )
Antiphishing group casts line at new threats

Mr. AT Alishtari, POA and Founder EDI Secure LLLP, sees that the anti-phishing groups have an uphill battle since all the cyber mafia's need do is find one hole in the **** and all the good guys have to do is protect the entire ****.

By comparison consider trying to keep all the sand on the beach while waves are both depositing and withdrawing sand invisibly below the surf.

The most important thing is to use the new US Commerce Dept National Institute of Science and Technology level 4 standards for multi-factor authentication with an offline device the bar that everyone must meet.

The NY Times showed the offline device cannot be a wand because it was extravagantly exposed by hackers on the roof of the Defcon convention last week as flawed. A solid state non-wave offline device is what is preferred by most G8 nations accepting White House advices to protect global consumers. Advice to the NIST rules is accepted until September 13, 2005.
Posted by (66 comments )
Antiphishing group casts line at new threats

Mr. AT Alishtari, POA and Founder EDI Secure LLLP, likes the fact that the Anti-Phishing Working Group plans to have the fishing basically stop in a couple of years. Still, this is like saying we will fix the leak in the Titanic when we dock in NYC. It wishes well but well wishes is not what's needed.

Recently, the U.S. Commerce Department's division of National Institute of Standards and Technology, or NIST, published to support the European Union Senate supported Cybercrime treaty and the Congressional Privacy Act setting standards for authentication. A big loophole is level 4 NIST authentication is multi factor authentication with a device and then it mentions a wand device.

Well, two things. First two factor authentication with an offline device is specifically covered by the USPTO Patent given to EDI Secure LLLP in July 22 2003 for single use credit card number ID that includes various online and offline applications. However, the NIST standard level 4 is rebutted as weak if it continues to emphasize weak technology.

At the Defcon conference last week, the NY Times reported a bunch of hackers proved to everyone there that from on top of the hotel, 650 feet away vertically, they broke into wand technology that does the reverse of giving consumers what they need. The NIST states the consumers have until September 13 to give advice to adjust the official US levels of authentication.

Perhaps this is a good time to publicize that the NIST does not have top levels of security that include breached technology. Yes, two factor authentication on its own is breached however with a solid state offline device it is seen as flawless by third party white paper done by Dr. Borko Furht, PhD, Dept Head, North Atlantic University.

So what are you going to do as a paper? Are you going to report the news and get US citizens the level of security they need or are we going to just sit there and let the bureaucrats and the lobbyist fill up our standards with garbage that hurts consumers in the end? People need to blog a lot.
Posted by (66 comments )