Trends in Phishing 2004

The Facts

According to analysts, more than 57 million adults think that they have received a phishing email, while the Anti-Phishing Working Group estimates a 38 percent average monthly growth rate in phishing attacks.

In addition to the rapid acceleration of this form of online fraud, the social engineering behind phishing has evolved quickly and alarmingly. Phishing emails and Web sites are no longer simplistic replicas of the brands they are mimicking; they have become increasingly sophisticated in their construction. In fact, phishers have even been known to perform test marketing to maximize “take rates” at each step of the attack.

In 2002, most phishing sites were hosted on free services of major ISPs in the United States. In 2003/2004, a huge percentage have migrated to foreign ISPs or personal computers that have been infected by malicious code, unbeknownst to their owners. The latest genre of phishing sites not only attempt to trick users into divulging personal information, but also download eavesdropping threats like Trojan horses and keystroke loggers onto visitors’ PCs. These malicious programs give hackers control of infected machines, enabling them to use compromised systems to further propagate phishing scams. To avoid detection, criminals also move their phishing sites from one IP address to another — often on an hourly basis.

Together, these factors make shutting down phishing sites or accurately tracking their URLs increasingly difficult, yielding longer-lasting attacks that expose more users to potential loss of identity.

Identity Theft

According to the Identity Theft Resource Center, identity theft is the fastest growing crime in USA.* Criminals are stealing information by eavesdropping on calls placed on cell phones, by intercepting emails, by launching phishing attacks, by hacking into computers, by using telephone and email scams, and by leveraging weaknesses in online shopping and banking sites. In fact, the FTC estimates that more than 20% of all identity theft cases involve telecommunications and the Internet, a number that experts predict will grow over the course of the next few years.

Credit card numbers, Social Security numbers, and other personal data are commonly traded and sold by hackers, a trend that concerns authorities and consumers alike. An eWeek article reported that “The primary drivers behind the increase in attacks and malware lately are more people writing viruses and attacking systems, and the rise of a global market for exploit code and compromised machines. PCs that have been compromised and loaded with a Trojan or IRC bot are hot commodities in the security underground, and crackers often trade or sell these machines to each other.”

Some cold, hard facts about identity theft:

  1. Identity theft is expected to cost consumers, businesses and government organizations US$221 billion in losses worldwide in 2003, according to market researcher Aberdeen Group. Worse yet, those losses are escalating at a jaw dropping 300 percent compound annual growth rate, and could reach $2 trillion by the end of 2005.
  2. According to 2 studies done in July 2003 (Gartner Research and Harris Interactive), approximately 7 million people became victims of identity theft in the prior 12 months. That equals 19,178 per day, 799 per hour, 13.3 per minute.
  3. The incidence of victimization increased 11-20% between 2001-2002 and 80% between 2002 -2003 (Harris Interactive). This same study found that 91% of respondents do not see an “end to the tunnel” and expect a heavy increase in victimization. 49% also stated that they do not feel they know how to adequately protect themselves from this crime.
  4. The Federal Trade Commission (FTC) reports that 27.3 million Americans were victimized by identity theft in the past five years, costing consumers $5 billion and businesses nearly $48 billion in 2002 alone.
  5. According to J. Howard Beales, Director of the FTC’s Bureau of Consumer Protection, identity theft has been the #1 complaint to the FTC for the last 3 years in a row — by far. Last year, identity theft represented 43% of all the complaints placed with the FTC.
  6. Nearly 40% of the banks participating in the American Banking Association’s 2002 survey on fraud ranked identity theft as the No. 1 threat to the banking industry.
  7. International Data Corporation reports that electronic identity theft cost banks and mutual fund companies more than $4 billion in 2003.
  8. The United States Treasury’s identity theft fact sheet reports that 90% of homeowners are concerned that they will be a target of identity theft.
  9. Celent Communications estimates that by 2006, 25% of all identity theft will be committed with information found online.
  10. The commanding officer of the NYPD’s Computer Crime Squad estimated that he could clear $4,000 to $10,000 by stealing someone’s identity. Everyday robbery would get about $200.
  11. According to new ITRC study, Identity Theft: The Aftermath, victims now spend an average of 600 hours recovering from this crime, often over a period of years. Three years ago the average was 175 hours of time, representing an increase of about 2470%. Based on 600 hours times the indicated victim wages, this equals nearly $16,000 in lost potential or realized income.
  12. The ITRC reports “Trojan horses have become more sophisticated in recent years, as hackers use them to scan your system for vital information (credit card numbers, SSNs, bank account numbers), and use the retrieved information to open accounts, run up huge credit card debt, or drain the bank accounts of unsuspecting victims.”

    Recent worm attacks, including MyDoom, Blaster, SoBig, and Fizzer, contained back-door Trojan capabilities that enable hackers to eavesdrop on PCs.

*Statistics quoted from the ITRC are for informational purposes only and do not represent a product endorsement from the ITRC.

Trends

Since WholeSecurity began detecting new phishing sites for our customers in the summer of 2003, they have detected thousands of attacks. In analyzing these attacks, several prominent trends have emerged:

  • A year ago, customers estimated that 40% of spoof sites were on free hosting services of major US ISPs; today a huge percentage are on small foreign ISPs and individual users’ machines who have been compromised by malicious code. It is much more difficult to take these sites down and this results in longer lasting phishing sites and exposes more users to potential loss of their identities.
  • A year ago, only the security and fraud teams of major corporations were involved in anti-phishing efforts. Now most anti-phishing efforts also involve business professionals that are trying to maintain consumer confidence in cost-effective online commerce and electronic marketing channels. Lack of consumer confidence affects all online companies—not just those that know they have been spoofed.
  • Hackers continue to evolve their attacks and leverage these attacks across multiple companies. WholeSecurity has repeatedly seen a new attack emerge in a spoofed version of one company’s site, and then seen the same attack used against other brands immediately afterwards.
  • The social engineering behind phishing attacks has evolved to ensure that consumers continue to be vulnerable. When WholeSecurity first started detecting sites, phishers were predominantly using obvious scare tactics like “Your Account Will Be Terminated” or “We’ve Noticed Fraudulent Activity on Your Account.” Today, many attacks today are far more subtle and often don’t raise suspicion. They appear to be benign emails from a relative passing along photos, arriving with a “You’ve Got Pictures” subject line, or even solicit campaign donations for the US Presidential elections in November 2004.
  • Some phishing sites take things a step further—a new genre of phishing sites are deploying malicious eavesdropping programs like Trojan horses or keystroke loggers. Even if the victim does not enter their personal information on the site, hackers can steal directly from the users’ computer long after the site has been shut down. Compromised user machines can subsequently be used to host future phishing sites, as well.
  • Phishing sites are very transient. While this may sound obvious, the fact that sites are up and down, or moving from one IP address to another frequently, means that solutions that ‘spider’ the Internet may not be able to catch up to the site before it has moved.
  • Companies are acknowledging that this is an industry-wide problem, and are building multiple consortia to try to tackle the problem together—even working with traditional competitors.
  • Phishing has gone mainstream. With every major publication from The Wall Street Journal to USA Today running articles about phishing—mostly driven by a notable company being attacked—companies are working harder than ever to avoid this unwanted, consumer-facing publicity.