Phishers improve bait as they target ISPs

Phishers improve bait as they target ISPs

Summary: Even tech-savvy users could be fooled by the latest phishing scams, which have evolved beyond all recognition in their bid to steal credit card details, says an anti-phishing organisation

SHARE:
TOPICS: Security
2

Phishing attacks are reaching a point of sophistication where even the most Internet-savvy user could be fooled, said the Anti-Phishing Working Group (APWG) on Wednesday.

Phishing is where unsuspecting users receive emails that attempt to fool them into disclosing online banking passwords, by sending them to a site that mimics the look and feel of their bank's Web site.

However, according to the APGW, the organisations targeted by phishers have diversified, and the phishers' HTML skills have greatly improved.

The APWG was formed in November 2003 to provide a forum for financial institutions and other organisations, such as eBay, to share information in order to deal with the increasing number of phishing incidents. Dave Jevans, chairman of the APWG and a senior executive of security specialist Tumbleweed Communications, said that in the US, customers of ISPs have become a common target, and he expects customers of UK ISPs to come under attack in the near future.

"One of the major (US) ISPs received three phishing attacks last week, and each one resulted in tens of thousands of phone calls to its customer support line -- at considerable cost. It has surprised us that it hasn't yet happened over here," Jevans told ZDNet UK.

According to Jevans, the phishers are primarily after credit card information, so a typical scam email would tell the user that their credit card had expired or that the company was having a billing problem and needed the user to update their details. Although this idea is nothing new, the sophistication of the attacks has evolved dramatically.

"We have seen them change from having poor wording and weird mixes of Russian and English to a point where they take a real notification from an ISP and then modify the links," said Jevans.

A security vulnerability in Internet Explorer that was discovered in December gave the phishers a helping hand. This week, Microsoft released a patch to close the gap in its browser's security. But even before the patch was released, phishers had adapted their techniques.

According to the APWG, a new phishing method that people should be wary of is where the user receives an email from their ISP and when they click on the link, they are taken to the ISP's legitimate Web site in the main browser window; however, a new window pops up requesting their credit card information be entered. As pop-ups rarely display URL information, the user is less likely to be suspicious.

Stuart Okin, chief security officer at Microsoft UK, said that the vast majority of users, if they receive an email from their bank or another familiar organisation, should not click on the link but instead use their "favourites" folder to access the Web site: "If you have been using a banking site, you are likely to have that saved. So go to your favourites because you know you are safe there. That is going to be your trusted source," he said.

But Jevans also said that even this could be risky, because of a recent attack where phishers managed to reprogram a browser's favourites: "It doesn't work with all browsers, but they check the browser version. So they can reprogram your favourites too," he said.

Jevans said that for less sophisticated users, the safest method of accessing their bank's or ISP's Web site is to type in the URL: "For a consumer right now, type in the Web address by hand. That is the best way," he said.

Topic: Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • SpamPal and HtmlModify removes this problem!
    http://www.ib-hoebel.de/SpamPal/

    SpamPal: www.spampal.org
    anonymous
  • Maybe I'm stupid with this remark, but don't phishers have to have a bank account to be successful? Target the flow of the money. Find the bank and blackball then bank from perfroming any internet activity. Arrive at the phisher's home at 3am to discuss their phishing tactics. That should cut down on a great percentage of phishers.
    anonymous