Banks under fire as phishing attacks accelerate

Banks under fire as phishing attacks accelerate

Summary: A recent report says the fraud attacks on banking brands and their customers worldwide have risen steadily over the past six months

SHARE:
TOPICS: Security
7

Phishing attacks on banking organisations and their customers across the globe have increased steadily over the past six months, according to the latest fraud report from security software specialist RSA.

The report said the number of banking brands targeted by phishing attacks reached 188 in February, up from a low of 153 in August 2006. Interestingly, European financial services hub Germany does not appear on RSA's list of top phishing destinations.

In a white paper published last year, a senior researcher at the company observed: "There are certain geographical regions that are already almost exclusively hit by financial Trojans. For example, in Germany, more than 90 percent of online banking fraud is the direct result of Trojans. The same can be said for Benelux, Switzerland and other geographies. In these geographies, regulations or laws have mandated strong authentication at login for online banking services which makes simple fraud attacks like phishing, replaying credentials from stolen databases, or brute-force guessing less effective."

US banking brands are the most targeted, with 59 percent of attacked entities being in that country. The UK comes second for the 13th consecutive month, holding 12 percent of the brands being targeted. Ireland has appeared on the list of banking brand destinations for the first time this month, as has Brazil.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • The log files already have the solution

    Having examined a number of phishing pages, they pretty much all refer to the original page graphics on the genuine bank web site. Presumably therefore, the banks web site will have logs of the referring pages for the graphics files, so therefore the addresses of all the current phishing pages.

    Why can they not use this info to get these pages shut down!? I made this suggestion to my own bank a while ago and didn't even get an acknowledgment of the mail, let alone an actual response .. and this was after resending the message and asking for an acknowledgment .. several times.

    The fact that they are not doing the log file tracing, or even bothering to be polite to their customers about the subject, means to me that they're not really that bothered about OUR security, as long as THEY don't have to stump up for anything and can keep investing in packages of dodgy US mortgages while claiming 7 digit bonuses.
    anonymous
  • Irish banks already in phishing firing line for 3 years

    RSA's apparent claim that Ireland's banks have somehow evaded the scourge of phishing attacks until the last few weeks is demonstrably ill-informed.

    Envisional and other Internet intelligence companies have tracked repeated assaults targeting customers of Bank of Ireland, in particular, since early 2005.

    These attacks have used the full range of tried and tested approaches, from the "Security Upgrade Notification" and "Your account has been suspended" gambits to a cynical invitation to "Secure your account against fraudsters".

    Perhaps the Irish aren't all that lucky, after all.

    -- Ian Shircore, Envisional/NetNames
    1000333946
  • Image Leeching only temp fix

    I agree that tracing image leeching (where the phishing sites are linking to images on the real site) would help banks to get some phishing sites closed down. I am not too shocked at the banks lack of response. Unless the message gets to the right people it is likely to be not understood and ignored. They should do better.

    This would only be a temporary fix though as the phishing sites will start downloading the images and re-hosting it themselves. However, it would me more work for them and may shut down a lot of sites until they figure out what is going on.
    david@...
  • How would they know

    I agree that they can indeed upload the images to the same host as the base page and that this would defeat the measures. It would also make the phishing code load on the host server that much bigger and potentially more noticeable. However, if the banks were to instrument the images on their home pages such that if they are requested by a requester that isn't on their own site, it sends an alarm to the Phishing team. The only people that would know that an alarm had been tripped would be the security folks at the bank. The phishers wouldn't know if they had been sussed by a customer who raised the alarm, or by the bank themselves.
    anonymous
  • Phisers use the web

    Phishers are not stupid and although there is no way for them to know a bank has started using this technique it wouldn't take them too long to figure it out either by reading posts like this or from seeing how quick their sites are getting shut down.

    Just like a trojan writer can't know what an anti-virus/firewall developer will do next to combat them they can see the success rate of their apps and adapt them and work out what they need to change. Phishers will do the same.

    Fortunately they are not a threat to the tech savvy as following a few simple rules will help you avoid falling for phishing attacks such as checking for http<strong>s</strong> in the address bar and that the URL is correct etc. I personally never follow a link to a login page from an email if it involves finances. I will type the domain in manually so I am sure I have gone to the correct site.

    Phishers target the naive so I agree the banks should be doing more to help those ones - either by educating them about phishing or by actively searching for phishing sites and getting them taken down. It is foolish not to use every tool they can to help this includes working with browser developers so that their anti-phishing methods are followed up by getting the sites closed and not just flagged. And as the previous poster said checking logs to catch image leechers running Phishing sites.

    If the bank is too lazy or under resourced to get phishing sites shut down at very least they can take steps to protect images so that cannot be leeched onto anysite like flickr does.
    david@...
  • Phisers use the web

    Phishers are not stupid and although there is no way for them to know a bank has started using this technique it wouldn't take them too long to figure it out either by reading posts like this or from seeing how quick their sites are getting shut down.

    Just like a trojan writer can't know what an anti-virus/firewall developer will do next to combat them they can see the success rate of their apps and adapt them and work out what they need to change. Phishers will do the same.

    Fortunately they are not a threat to the tech savvy as following a few simple rules will help you avoid falling for phishing attacks such as checking for http<strong>s</strong> in the address bar and that the URL is correct etc. I personally never follow a link to a login page from an email if it involves finances. I will type the domain in manually so I am sure I have gone to the correct site.

    Phishers target the naive so I agree the banks should be doing more to help those ones - either by educating them about phishing or by actively searching for phishing sites and getting them taken down. It is foolish not to use every tool they can to help this includes working with browser developers so that their anti-phishing methods are followed up by getting the sites closed and not just flagged. And as the previous poster said checking logs to catch image leechers running Phishing sites.

    If the bank is too lazy or under resourced to get phishing sites shut down at very least they can take steps to protect images so that cannot be leeched onto anysite like flickr does.
    david@...
  • Authorities need to get tough on phishers

    I think banks need to be proactive in tackling phishing and work along side the authorities to try to trace and prosecute phishers. Until there are definite consequences and a real interest from the banks and Authorities it will only continue to flourish.
    chrishocking@...