Phishers' creative ways reap bounty

The number of unique phishing messages jumped 81 percent in the first half of 2006, a sign that hackers are putting more thought into their attacks, Symantec says.
Written by Vivian Yeo, Contributor

Phishers are resorting to various new tricks to harvest confidential, personal information from unsuspecting or careless users.

According to Symantec's latest Internet Security Threat Report, 157,477 unique phishing messages were identified in the first six months of 2006, an 81 percent jump over the second half of 2005, when over 86,900 messages were reported. Some 97,592 unique messages were recorded in the first half of 2005.

The biannual report also indicated that 1.3 billion phishing attempts were blocked in the first half of this year, down from 1.46 billion between July and December last year.

Similarly, the Anti-Phishing Work Group (APWG) reported that it detected 14,191 unique phishing Web sites in July. No figures are available yet for August or September.

In its most recent report, the APWG also noted that the number of unique phishing messages in July was the highest ever reported by the group. During that month, a total of 23,670 phishing reports were registered.

Yeong Chee Wai, Symantec's manager for pre-sales consulting, explained that the increase was driven by phishers who now create multiple messages with slight variances in order to bypass basic e-mail scanning programs.

"The bad guys are spending more time making their messages look like the real thing… They are becoming more discreet, and they are becoming more creative," Yeong said during a media briefing in Singapore last week.

The security vendor reported that the financial services sector was the most heavily spoofed, with 84 percent of phishing sites masquerading as financial services brands. About 8 percent of phishing sites targeted Internet service providers, while 5 percent were linked to the retail sector.

According to Symantec, "misleading applications" also accounted for 50 percent of total reports on the top 10 new security risks in the first half of 2006. Misleading applications use social engineering techniques to trick people into purchasing fake security software, through false or exaggerated reports that claim to have identified security threats on the victims' operating systems.

Yeong warned that such tactics are dangerous because the user's personal information, such as credit card details, can be phished when he attempts to make the purchase. Not knowing that the transactions are fake, the user could also develop a false sense of protection from security threats, making him vulnerable to future attacks.

In Symantec's latest report, three of the top 10 new security risks found between January and June 2006 were labeled as "misleading applications".
