Phishing attacks rocket as defences crumble
Posted on 15 Jan 2007 at 16:59
Phishing attacks continue to escalate both in numbers and sophistication according to Internet monitor Netcraft.
The headline figure is that the firm's anti-phishing toolbar stopped 609,000 confirmed phishing sites last year. The figure dwarfs the respective figure for 2005: just 41,000.
Netcraft says that software kits making it relatively easy to create phishing attacks, and their propagation across botnets saw numbers explode in the final quarter of the year.
'Blocked URLs ranged between 1,000 and 20,000 per month before ramping up to 45,000 in October, 135,000 in November and more than 277,000 in December,' it says.
The phishing kits, known as Rockphish and R11, have allowed attackers to upload dozens of phish attacks on a range of banks directly to a hacked website.
Indeed, it says that bank websites themselves became hacking victims last year, with one Chinese bank - China Construction Bank (CCB) Shanghai Branch - hosting attacks targeting US banks.
The attackers have also been keeping up with the Net Zeitgeist. MySpace phishing became a phenomenon in the second half of the year, as attackers sought to seed botnets - networks of infected computers - via social networking services such as MySpace, Orkut and LiveJournal.
And cross-site scripting vulnerabilities haven't helped, plaguing both financial institutions and social networks. Such a flaw on PayPal's site allowed hackers to inject code into one of its web resources, creating fraudulent content aimed at duping users into giving away account information. Cross-site scripting issues were also found on the web presence of a number of banks and financial services, including Visa, JP Morgan Chase, eBay, Bank of America and American Express.
Furthermore, some of the methods hoped to help combat phishing have been found wanting. Two-factor authentication, whereby an account holder has a key fob generating a time-stamped one-time password that must be entered along with the username and password, can be foiled via a man-in-the-middle attack: a fake log-in page grabs the data for both authentication methods, and it is used immediately to gain access to the victim's account.
Phishers are also more technologically savvy, having moved on from mere HTML to JavaScript and, most recently, Flash. Flash movies give phishers a means of side-stepping anti-phishing scanners that look for textual evidence, such as the name of a bank.
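To show why a text-only scanner misses a Flash-based page, here is an added example (not from the article or from Netcraft) that contrasts a brand-name text match with a structure-aware check over two constructed pages; the brand name "Example Bank" and the sample HTML are assumptions for illustration.

```python
from html.parser import HTMLParser

BRAND_TERMS = ("example bank",)  # hypothetical brand list a scanner would look for

# Constructed sample pages: a plain HTML fake login and a Flash-only fake login.
HTML_PHISH = """<html><body><h1>Example Bank</h1>
<form action="http://203.0.113.5/login.php">
Username <input name="u"> Password <input name="p" type="password">
</form></body></html>"""

FLASH_PHISH = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie" value="login.swf">
<embed src="login.swf" type="application/x-shockwave-flash"></embed>
</object></body></html>"""

class PageFeatures(HTMLParser):
    """Collect visible text, Flash movie references and password fields."""
    def __init__(self):
        super().__init__()
        self.text, self.flash, self.password_fields, self._skip = [], [], 0, False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip = True  # not visible text
        movie = a.get("src") if tag == "embed" else a.get("value") if tag == "param" and a.get("name") == "movie" else ""
        if movie and movie.lower().endswith(".swf") and movie not in self.flash:
            self.flash.append(movie)
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def analyse(html):
    p = PageFeatures()
    p.feed(html)
    p.close()
    return p

def text_scanner_flags(html):
    """The text-only heuristic: does the brand name appear in visible text?"""
    visible = " ".join(analyse(html).text).lower()
    return any(term in visible for term in BRAND_TERMS)

def structural_findings(html):
    """Findings that still fire when the page carries no readable text."""
    p = analyse(html)
    findings = []
    if text_scanner_flags(html):
        findings.append("brand name in text")
    if p.flash:
        findings.append("flash movie(s): " + ", ".join(p.flash))
    if p.password_fields:
        findings.append(f"{p.password_fields} password field(s)")
    return findings
```

The text-only check flags the HTML page but not the Flash page, whereas the structural check still reports the embedded movie, which is the signal a scanner would need to escalate for deeper inspection.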
More information, and the Netcraft toolbar, are available at the Netcraft site.
Author: Matt Whipp
Printed from www.pcpro.co.uk