Scammers Hooking Bigger Phish

Business is good for phishers.

The size of their average catch increased almost five-fold, from $257 per
victim last year to $1,244 in 2006.

According to Gartner analyst Avivah Litan, this is happening because
scammers are identifying higher-income targets, moving their phishing sites
more frequently and switching up the types of business they try to
impersonate.

Victims click on links they receive in the body of e-mails — and,
increasingly, in instant messages — from sites purporting to be legitimate
businesses like financial institutions, e-commerce and auction sites.

Approximately 109 million U.S. adults have received phishing e-mail attacks,
up from 57 million in 2004, according to Gartner.

Total loses from phishing attacks have risen to $2.8 billion in 2006, twice
the amount lost in 2004.

According to the survey, conducted by Gartner analysts in August of this
year, adults earning more than $100,000 per year are attacked more often
than those making less.

This group reported receiving an average of 112 phishing e-mails in 2006,
versus 74 e-mails per consumers across all income brackets.

On average, the high-income adults lost $4,362, almost four times as much as
other victims.

According to Litan, cyber criminals have done a better job of identifying
high-income individuals.

They sell each other credit card numbers in online chat rooms, and can
identify credit cards with higher spending limits by the first six digits on
the card.

They also get their hands on more promising lists, such as brokerage
customers, figuring that those people are likely to have a high net worth.

Attackers also intercept the names of consumers participating in auctions
for high-ticket items, such as cars.

Typically, the phishers wait until the end of an auction and then inform all
the losers that they in fact won, getting them to send money for something
they’ll never get.

Banks and credit card companies tend to have liberal refund policies in order to maintain consumer confidence, Litan noted.

Nevertheless, the average amount of money consumers recovered after being
victimized dropped from 80 percent in 2005 to just 54 percent in 2006.

Phishers are also moving from site to site more frequently, which means they
can’t be shut down as easily.

“The average life of phishing sites has gone from one week a couple of years
ago to about one hour in 2006,” said Litan.

“Within a year or so, phishing sites may be user-specific — a single site
will be set up to launch a phishing attack against a single user,” she
predicted.

“It’s no wonder the detection services can’t keep up with these rapid
criminal movements.”

Indeed, Litan told internetnews.com that consumer sites like eBay
and PayPal, which are increasingly the foils for
phishing scams, haven’t been able to keep up with the crooks despite their
best efforts.

“Nothing is working for them.”

Litan said the solution is to improve security within the browser combined
with the use of whitelists and other secure certificates on the server side,
such as PKI .

Vendor groups such as the CA/Browser Forum have begun
developing higher-level secure certificates to offer legitimate businesses.

The certificates work in conjunction with modern browsers to alert users
when a site is a suspected fraud.

For an example of how this would work, security software vendor Verisign
shows a screen shot of an address bar on a
background that is green because the user has gone to a verified site.

McAfee rolled out an application earlier this
week alerting users if they are about to visit an untrustworthy site.

Litan said vendors should take advantage of the fact that the infrastructure
already exists to improve security on the Internet.

“The designers of the Internet did a great job. The hooks are all there,
they just need to be utilized.”