RealTime IT News

Who's Taking the Bait: 'Phishing' Skyrockets

You might say everyone in the online scamming industry has gone "phishing," judging by skyrocketing statistics on the scam from MessageLabs and other online security groups.

MessageLabs said e-mail scams by way of phishing -- those legitimate-looking e-mails that try to trick users into surrendering private information that will be used for identity theft -- jumped by about 1,200 percent in the past six months.

In September of 2003, the company's system logged 279 different phishing e-mail attempts around the Internet. By January, the number had reached 337,050.

Ken Dunham, director of malicious code watch at security consulting firm iDefense, said the company has also noted a significant increase in phishing attacks over the same period. But he said the reported statistical increase may also be due to an increase in the tracking of phishing attacks.

"Clearly several organizations are now tracking phishing attacks with a rather new data set," Dunham told internetnews.com. "As a result the baseline is not as reliable as compared to say five years worth of data with a similar data collection effort."

Still, despite the lack of longer term statistical data, Dunham agrees that phishing scams and attacks are on the rise, especially within the past nine months.

"I think that they [Message Labs] are on to the same [data] that we've been seeing," added Dan Maier, a spokesperson for The Anti-Phishing Working Group (APWG), which tracks the practice.

"It's definitely growing extremely fast. We've seen 50 percent per month growth on average for the past four months," he told internetnews.com. However, he disputed the actual numbers that MessageLabs reported in terms of attacks; the group actually thinks the number is much higher.

"MessageLabs is seeing a percentage of these things, and the percentage that they are seeing is representative of the growth rate, but I think they are only seeing a small percentage," Maier added.

The APWG measures phishing in a different way, which leads to a very different number than the one in the MessageLabs statistics. Maier contends that MessageLabs is only able to report on phishing e-mails that pass through its service and as such is only able to identify a number of instances of a phishing message.

"We look at it a bit differently," Maier told internetnews.com. "What we look at is each unique attack." For each instance of a unique attack there could be many subsequent e-mail attacks of a scammer trying to fool an unsuspecting e-mail recipient into handing over social security numbers, credit card numbers, or other sensitive personal data.

He cited the example of a bank the APWG was talking to that estimated that from 1 unique attack, a phisher then sent out 8 million similar e-mail scams.

"So for the 400 unique attacks in the month of March," Maier continued, "there could have been hundreds of millions of phishing emails sent out."

According to the APWG spokesperson, phishing is evolving and proliferating in the same way as viruses and Trojans are.

"There's a lot of copycatting going on," Maier said. "Phishers are sharing their secrets and their fraud best practices with each other."

But the APWG is also sharing tips on combating the practice. The group counts over 230 participating companies and over 70 technology vendors all aligned with the working group's goals to combat what's fast becoming a phishing epidemic.

"What we're going to do is tap the vendor community for their best proposals for solving the problem," Maier said. "Or at least identify the solutions that are most effective and we're doing that."

Both eBay and EarthLink currently offer downloadable toolbars that are intended to help users protect themselves against phishing attacks.