RealTime IT News

Scammers Hooking Bigger Phish

Business is good for phishers.

The size of their average catch increased almost five-fold, from $257 per victim last year to $1,244 in 2006.

According to Gartner analyst Avivah Litan, this is happening because scammers are identifying higher-income targets, moving their phishing sites more frequently and switching up the types of business they try to impersonate.

Victims click on links they receive in the body of e-mails -- and, increasingly, in instant messages -- from sites purporting to be legitimate businesses like financial institutions, e-commerce and auction sites.

Approximately 109 million U.S. adults have received phishing e-mail attacks, up from 57 million in 2004, according to Gartner.

Total loses from phishing attacks have risen to $2.8 billion in 2006, twice the amount lost in 2004.

According to the survey, conducted by Gartner analysts in August of this year, adults earning more than $100,000 per year are attacked more often than those making less.

This group reported receiving an average of 112 phishing e-mails in 2006, versus 74 e-mails per consumers across all income brackets.

On average, the high-income adults lost $4,362, almost four times as much as other victims.

According to Litan, cyber criminals have done a better job of identifying high-income individuals.

They sell each other credit card numbers in online chat rooms, and can identify credit cards with higher spending limits by the first six digits on the card.

They also get their hands on more promising lists, such as brokerage customers, figuring that those people are likely to have a high net worth.

Attackers also intercept the names of consumers participating in auctions for high-ticket items, such as cars.

Typically, the phishers wait until the end of an auction and then inform all the losers that they in fact won, getting them to send money for something they'll never get.

Banks and credit card companies tend to have liberal refund policies in order to maintain consumer confidence, Litan noted.

Nevertheless, the average amount of money consumers recovered after being victimized dropped from 80 percent in 2005 to just 54 percent in 2006.

Phishers are also moving from site to site more frequently, which means they can't be shut down as easily.

"The average life of phishing sites has gone from one week a couple of years ago to about one hour in 2006," said Litan.

"Within a year or so, phishing sites may be user-specific -- a single site will be set up to launch a phishing attack against a single user," she predicted.

"It's no wonder the detection services can't keep up with these rapid criminal movements."

Indeed, Litan told internetnews.com that consumer sites like eBay and PayPal, which are increasingly the foils for phishing scams, haven't been able to keep up with the crooks despite their best efforts.

"Nothing is working for them."

Litan said the solution is to improve security within the browser combined with the use of whitelists and other secure certificates on the server side, such as PKI .

Vendor groups such as the CA/Browser Forum have begun developing higher-level secure certificates to offer legitimate businesses.

The certificates work in conjunction with modern browsers to alert users when a site is a suspected fraud.

For an example of how this would work, security software vendor Verisign shows a screen shot of an address bar on a background that is green because the user has gone to a verified site.

McAfee rolled out an application earlier this week alerting users if they are about to visit an untrustworthy site.

Litan said vendors should take advantage of the fact that the infrastructure already exists to improve security on the Internet.

"The designers of the Internet did a great job. The hooks are all there, they just need to be utilized."