April 13, 2005 2:30 PM PDT

Bigger phishes ready to spawn

There's good news about phishing: The growth of new attacks has slowed. But that's only because attackers are building more sophisticated traps and using advanced technology to perpetrate online fraud, researchers say.

Last week, the Anti-Phishing Working Group, an online fraud watchdog, reported that the number of phishing e-mails it tracked between January and February grew by only 2 percent.

That figure seems to mark a significant lessening of the threat, given that the average growth rate has been 26 percent per month since July 2004. But during the January-February period, phishing attacks also became dramatically more complex, experts said.

News.context

What's new:
The rate of growth in online fraud attacks has slowed, but the scams are getting smarter.

Bottom line:
Attackers are using more sophisticated social-engineering techniques and advanced technology to perpetrate phishing fraud.

More stories on this topic

Whatever form they take, phishing fraud schemes--including offshoots such as pharming, cross-site scripting and DNS poisoning--are getting smarter.

"Phishers are thieves, and thieves in the online world, as in the real world, are working very hard to separate personal financial information and other data from their victims," Microsoft attorney Aaron Kornblum said.

The software maker recently filed 117 lawsuits against alleged operators of phishing Web sites--a major step forward in thwarting online criminals, according to Kornblum.

However, he acknowledged that there may be as much to fear in the future of phishing as there is to learn from its past.

"People will continue to think up news ways to apply phishing techniques and deceive consumers," he said. "The sophistication is growing, and it's not that surprising at all."

New crooks, more-effective tricks
The first wave of phishing attacks played on the ignorance of unsuspecting consumers, spamming their in-boxes with e-mails that looked like they linked to Web sites belonging to banks, investment companies and e-commerce businesses such as eBay. In reality, they were fake pages designed to lure people into divulging account login data, or other sensitive personal information that could enable the crooks to commit identity fraud.

Recent attacks have gotten more sophisticated, with advances in phishing schemes that use e-mail and the creation of fraudulent Web pages that appear almost identical to their legitimate counterparts.

And new threats have arisen: Attacks based on instant messaging; ploys that use JavaScript technology to hide threats on legitimate Web pages; and new social-engineering strategies.

One of the most telling examples of improved social-engineering techniques is a recent attack that didn't seek to nab victims' names, addresses or Social Security numbers.

Instead, the scheme targeted customers of Salesforce.com, with the aim of stealing information stored on the company's databases.

The campaign began with an e-mail sent to Salesforce customers that promised new application features under a free trial if the

CONTINUED:
Page 1 | 2 | 3

3 comments

Join the conversation!
Add your comment
Bigger Phishes ready to spawn
This well written article was especially timely for me to have read. I sent it to my bank and all I thought needed to be alerted to the requirement of ever vigilent preparedness and acuity of this danger
to all in every aspect of cyberspace. I only hope there can be appropriate penalties paid by those who would defraud, rob, and swindle using the internet.
Thank you for helping keep us alert and informed.
Posted by hoboso (1 comment )
Reply Link Flag
DITTO
'nuf said
Posted by qazwiz (208 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.