Phishing attacks hook more and more victims

Phishing attacks have increased in quantity and quality over the past two months, according to research published by the Anti-Phishing Working Group on Monday.

Phishing is an Internet scam in which unsuspecting users receive official-looking emails that attempt to fool them into disclosing online passwords, user names and other personal information. Victims are usually persuaded to click on a link in an email that directs them to a doctored version of an organisation's Web site. The APWG was formed in November 2003 to provide a forum for financial institutions and other organisations to share information about phishing attacks.

The APWG's Phishing Attack Trends Report compares the level of phishing activity recorded by the organisation's members on a monthly basis. According to the latest report, February saw 282 new phishing attacks, an increase of 60 percent compared to January and a 163 percent increase over December 2003. There were an average of 10 new attacks reported every day, but the third week of February was the busiest, with an average of 12.5 attacks reported each day.

The financial services sector continues top be the most frequently targeted industry sector, and eBay remains the phisher's favourite individual target.

Dave Jevans, chairman of the APWG and a senior executive at Internet messaging firm Tumbleweed, said phishing attacks are getting more common and more complex: "We are seeing more use of Javascript, pop-ups and cross-site scripting techniques to fool even sophisticated users. At stake is our very trust that the Internet can be relied upon for safe and secure commerce and communications," he said in a statement.

The report said that between 1 percent and 5 percent of recipients responded to recent attacks, which look increasingly official and so are hard to detect.

A classic exploitation of a cross-site vulnerability was demonstrated last week when a security researcher from Lodoga discovered a flaw in contacts management company Plaxo's Web site. Had the error been discovered by phishers, it could have resulted in Plaxo members exposing their personal details.

Jeremy Wood, a security test engineer at Web application security company Lodoga, told ZDNet UK that within an hour of discovering the weakness, he had built an attack script that could exploit the vulnerability. Wood's script added an additional layer over the Plaxo Web site's username and password box; if a user typed in their access details, that information would be transferred to the attacker's Web site.

Rikk Carey, vice president of engineering at Plaxo, told ZDNet UK that the Web site was fixed a few hours after the problem was highlighted and he was "fairly certain" that the vulnerability had not been exploited by anyone except Lodoga's security testing.

However, Wood said the cross-site vulnerability was a common problem: "We have been running workshops this month and every client we deal with has the same problem. Developers haven't really realised how robust they have to be in terms of security coding. This is probably the number one problem, and companies really are jeopardising their trade name and potentially their customers' data," he said.