The threat from phishing attacks is growing as broadband penetration in China increases, say security companies, and the problem is being compounded by an alarming increase in the number of software kits available for download that facilitate such attacks.
Phishing is a type of online scam typically combining spam e-mail and fraudulent Web sites that look like legitimate sites. Such scams attempt to steal data such as user names, passwords and credit card details.
According to Symantec's bi-annual Internet Security Threat Report -- published earlier this month -- China experienced a 37 percent increase in bot-infected computers during the second half of last year. Symantec blames the country's rapid growth in broadband penetration. Such compromised computers can be used to launch phishing attacks without compromising a scammer's identity.
Additionally, compared to Symantec's previous report, which was published in the middle of last year, the number of attacks originating from China has increased by 153 percent.
In one of the most recent examples of such an attack, customers of US-based Chase bank were targeted by phishers who had, unusually, managed to compromise some servers located inside a Chinese bank, according to Internet security firm SurfControl. The Chase brand is owned by financial giant JPMorgan Chase and Co.
The attack was disguised as an e-mail survey for customers of Chase. Potential victims were offered a US$20 reward for participating in a fraudulent 'survey' that asked them to divulge sensitive information.
Susan Larson, Vice President of SurfControl's Adaptive Threat Intelligence Service, said the threat was unique. "Today's threat is like no other we have seen in that the first reported instance of this Chase bank phishing scam was being hosted on a compromised server owned by a bank in China," she said in a statement.
"Many of the Web pages involved in this scam contain nearly identical source code leading us to believe this phishing attack is using a phishing kit and could become more widely distributed," added Larson.
Charles Heunemann, general manager for SurfControl APAC, told ZDNet Australia on Wednesday that the Chinese bank hosting the attack was most likely another victim of the phishers: "It is not efficient for [the phishers] to register a domain, get a Web site up and launch the phishing attack. It is better for them to compromise somebody else's site and use that to launch their attack. That is probably what was going on there."
SurfControl said that the information collected by phishers is often used to steal money from victims' accounts but it could also be used to steal their identities.
At the ID Management Summit 2006 in Sydney last week, Australia's Attorney General Philip Ruddock said that ID theft costs Australia more than AU$1 billion every year and has a "devastating emotional and financial impact" on its victims.
"Personal identity is an extremely valuable asset and can have a devastating emotional and financial impact upon victims. There can be no greater invasion of a person's privacy than the theft of their identity," said Ruddock in a pre-recorded statement that was played at the conference opening.
Although the majority of phishing sites and victims are located in the US, Australia is becoming an increasingly attractive target for phishers, according to Rodney Mills, detective sergeant of the fraud strategy project team for the Victoria Police.
"The success rate of phishing is usually around 3 percent. Australia has 7 million online bankers. That means there is a potential response of 210,000 people. If they all lost AU$1,000 that is AU$210 million," said Mills during his keynote at last week's summit.
"The beauty for these criminals is that they could be sitting in their lounge room, having a beer while sending [phishing attacks] all around the world," added Mills.