Phishing attacks rocket as defences crumble
Phishing attacks continue to escalate both in numbers and sophistication according to Internet monitor Netcraft.
The headline figure is that the firm’s anti-phishing toolbar stopped 609,000 confirmed phishing sites last year. The figure dwarfs the respective figure for 2005: just 41,000.
Netcraft says that software kits making it relatively easy to create phishing attacks, and their propagation across botnets saw numbers explode in the final quarter of the year.
‘Blocked URLs ranged between 1,000 and 20,000 per month before ramping up to 45,000 in October, 135,000 in November and more than 277,000 in December,’ it says.
The phishing kits, known as Rockphish and R11, have allowed attackers to upload dozens of phish attacks on a range of banks directly to a hacked website.
Indeed, it says that banks’ own websites were among the hacking victims last year, with one Chinese bank – China Construction Bank (CCB) Shanghai Branch – found hosting attacks targeting US banks.
The attackers have also been keeping up with the Net Zeitgeist. MySpace phishing became a phenomenon in the second half of the year, as attackers sought to seed botnets – networks of infected computers – via social networking services such as MySpace, Orkut and LiveJournal.
Cross-site scripting vulnerabilities haven’t helped either, plaguing both financial institutions and social networks. Such a flaw on PayPal’s site allowed attackers to inject code into one of its web pages, creating fraudulent content aimed at duping users into giving away account information. Cross-site scripting issues were also found on the web presence of a number of banks and financial services, including Visa, JP Morgan Chase, eBay, Bank of America and American Express.
Furthermore, some of the methods hoped to help combat phishing have been found wanting. Two-factor authentication, whereby an account holder has a key fob generating a time-stamped one-time password that must be entered along with the username and password, can be foiled by a man-in-the-middle attack: a fake log-in page grabs the data for both authentication methods, and the attacker uses it immediately to gain access to the victim’s account.
More information, and the Netcraft toolbar, are available at the Netcraft site.