Microsoft: Phishing is going out of fashion

Organised criminals are excited by botnets, not individual bank details, says Microsoft's chief security advisor Ed Gibson

Organised criminals are losing interest in harvesting consumer banking details, according to Microsoft UK chief security adviser Ed Gibson.

Speaking to ZDNet UK this week, Gibson said that powerful cybercriminals would not waste time trying to harvest individual banking details, but instead concentrate on acquiring networks of compromised PCs — botnets — to launch attacks against companies.

"Organised criminals are not really interested in bank details — criminals want bandwidth to attack companies," said Gibson. "Who's grabbing the details is changing."

The practice of phishing for bank details, in which fake emails claim to come from a legitimate financial institution and try to elicit account details, is traditionally associated with highly organised criminal networks. Gibson, though, claims it is moving further down the criminal food chain and being perpetrated by malicious individuals.

Now, serious cybercriminals are concentrating their efforts on gaining access to botnets, which are large networks of hijacked computers. They use botnets to attempt to extort money, by launching distributed denial of service (DDoS) attacks against an organisation's systems with information, causing it to crash. This can deprive an e-commerce site of visitors, and ultimately cost it money.

Gibson said that it was difficult for law enforcement to track phishing attacks because of the speed that hackers change the IP addresses and machines they use to launch attacks.

"These guys are box hopping every 90 seconds. You can identify an IP address in the UK, but in between it's gone to the US, Korea, Germany — how does law enforcement tackle that?" said Gibson.

Rather than law enforcement dealing with the problem, Gibson said that systems should be made more resilient to make such DDoS attacks less of a threat.

"I liken it to the same way a consortium of online gambling companies hardened their systems — now you don't hear much about the gambling companies being breached or extorted," said Gibson.