Phishing attacks soar as more brands are targeted

Overall confidence in e-commerce has not been damaged despite the rises, according to one expert

Phishing attacks reached a new high at the end of 2005 after growing steadily all year, according to a report published on Wednesday.

The number of unique email-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report published by the Anti-Phishing Working Group (APWG), an industry consortium that provides information on phishing trends.

Phishing emails pretend to come from legitimate companies, such as banks and e-commerce sites, and are used by criminals to try and trick Web users into revealing personal information and account details.

The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 to 93 in November.

Despite these statistics, businesses should not worry about the effect on general consumer confidence, according to Internet security company Websense.

"One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down," said Mark Murtagh, Websense technical director for Europe, the Middle East and Africa. "Although phishing is increasingly in the news, online banking is increasing in popularity."

Top brands are continuing to be hijacked, with phishers using established names to try and lure people to their sites, Websense said. Most phishing sites spoof global ecommerce and banking institutions.

"eBay is often spoofed, for obvious reasons. Google is increasingly being targeted because of its expansion into different business application models. The big banking names are used too — HSBC, Citigroup, Lloyds — all the major brands".

Phishers use of global brands in understandable, said Murtagh: "There's no point in using local names if the attack is global."

Attacks are becoming increasingly sophisticated, with a quarter of all phishing Web sites hosting keylogging malware. Users can become infected just by visiting the sites, Murtagh warned.

"Before, people had to click on a site to download malicious code. If they went to a Web site and thought it looked 'phishy', they could leave and probably not be harmed. Now with most phishing sites they just have to visit one to become infected.

"Twenty-five percent of those sites now host keylogging code, and if you visit one you will probably open yourself to identity theft or fraud."