Phishing attacks rocket as defences crumble
By Matt Whipp
Posted on 15 Jan 2007 at 16:59
Phishing attacks continue to escalate both in number and in sophistication, according to Internet monitor Netcraft.
The headline figure is that the firm's anti-phishing toolbar stopped 609,000 confirmed phishing sites last year. The figure dwarfs the respective figure for 2005: just 41,000.
Netcraft says that software kits making it relatively easy to create phishing attacks, together with their propagation across botnets, saw numbers explode in the final quarter of the year.
'Blocked URLs ranged between 1,000 and 20,000 per month before ramping up to 45,000 in October, 135,000 in November and more than 277,000 in December,' it says.
The phishing kits, known as Rockphish and R11, have allowed attackers to upload dozens of phishing pages targeting a range of banks directly to a hacked website.
Indeed, it says that bank websites themselves became hacking victims last year, with one Chinese bank - China Construction Bank (CCB) Shanghai Branch - hosting attacks targeting US banks.
The attackers have also been keeping up with the Net Zeitgeist. MySpace phishing became a phenomenon in the second half of the year, as attackers sought to seed botnets - networks of infected computers - via social networking services such as MySpace, Orkut and LiveJournal.
And cross-site scripting vulnerabilities haven't helped, plaguing both financial institutions and social networks. One such flaw on Paypal's site allowed hackers to inject code into a web resource there, creating fraudulent content aimed at duping users into giving away account information. Cross-site scripting issues were also found on the web presence of a number of banks and financial services, including Visa, JP Morgan Chase, eBay, Bank of America and American Express.
Furthermore, some of the methods hoped to help combat phishing have been found wanting. Two-factor authentication, whereby an account holder has a key fob generating a time-stamped one-time password that must be entered along with the username and password, can be foiled via a man-in-the-middle attack: a fake log-in page grabs the data for both authentication methods, and the attacker uses it immediately to gain access to the victim's account before the one-time password expires.
Phishers are also more technologically savvy, having moved on from mere HTML to JavaScript and, most recently, Flash. Flash movies give phishers a means of side-stepping anti-phishing scanners that look for textual evidence, such as the name of a bank.
More information, and the Netcraft toolbar, are available at the Netcraft site.