Phishers are becoming increasingly sophisticated in their attempts to grab user names, passwords and other personal data from users of commercial websites, according to latest industry research.
April's report from the Anti-Phishing Working Group, published on Monday, indicates an 11 percent drop in the number of reported attacks using simple IP address domains. The overall number of reports continued its upward trend to reach 14,441 for the month, said the APWG, which compiles its report with the help of WebSense.
The decline in the number of IP-only attacks, in which users are misdirected to a site that has only an IP address and so is less likely to deceive them than one showing a domain name, means phishers are getting better at disguising their scam attempts.
"A lot of the recent phishing sites use hijacked servers where the scam is located on the domain of a legitimate enterprise," said the APWG, adding that this technique requires the phishers to get access to the servers, typically by hacking or installing malware.
"This tactic gives the scammers the advantage of having a link that leads to a legitimate domain that cannot be blacklisted. In fact, it is likely that such a phishing message would get through a spam filter that uses ‘whitelisting’."
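The two points above, that a bare IP address in the URL is an easy giveaway while a hijacked legitimate domain is not, can be seen in a small triage helper. The following is an added example written for this page, not code from the APWG or WebSense; the URLs in it are constructed samples, not real phishing reports. It sorts reported URLs by whether the host is an IP literal or a domain name, which is the distinction the report's "IP address domains" figure rests on, and the last sample shows the limit of that check: a phishing page hosted under a legitimate-looking domain lands in the same bucket as genuine sites.

```python
"""Added example (not from the APWG report or the article): triage reported
URLs into IP-literal hosts versus domain-name hosts. Sample URLs below are
constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Characters allowed in a plain hostname once the IP-literal case is excluded.
_HOSTNAME_RE = re.compile(r"[a-z0-9.-]+")


def host_kind(url: str) -> str:
    """Return 'ip', 'domain', or 'invalid' for the host part of a URL.

    The check is deliberately narrow: it flags the easy case (a bare IP
    address) and says nothing about whether a domain-name host is legitimate,
    which is exactly why phishing on hijacked servers evades it.
    """
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:
        return "invalid"
    host = parts.hostname  # lower-cased, port removed, IPv6 brackets stripped
    if not host:
        return "invalid"
    try:
        ipaddress.ip_address(host)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host):
        return "domain"
    return "invalid"


def triage(urls):
    """Group URLs by host kind; returns a dict kind -> list of URLs."""
    buckets = {"ip": [], "domain": [], "invalid": []}
    for url in urls:
        buckets[host_kind(url)].append(url)
    return buckets


def ip_share(urls) -> float:
    """Fraction of URLs whose host is a bare IP literal (0.0 for no input)."""
    if not urls:
        return 0.0
    return sum(1 for url in urls if host_kind(url) == "ip") / len(urls)


# Constructed sample reports (documentation-range addresses and example domains).
SAMPLE_REPORTS = [
    "http://192.0.2.10/bank/login.php",
    "http://[2001:db8::1]/update/",
    "http://192.0.2.10:8080/secure/",
    "http://example.com/~user/bank/login.php",  # domain host: could be a hijacked server
    "https://example.net/",
    "not a url at all",
]

if __name__ == "__main__":
    for kind, urls in triage(SAMPLE_REPORTS).items():
        print(f"{kind}: {urls}")
    print(f"IP-literal share: {ip_share(SAMPLE_REPORTS):.0%}")
```

The fourth sample is the case the APWG describes: the host is a real domain, so a filter that only checks for IP literals (or that allowlists known domains) passes it. A practitioner would treat the `domain` bucket as needing further signals, such as the path and the reporting source, rather than as clean.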
The number of brands targeted stayed the same from March to April, though there was significant churn within this group, with 11 brands being replaced. "The visible trend is that there is a consistent set of favourite brands targeted by phishers combined with an ever-changing tail of brands in the broader market," said the APWG.
"Brands in the favourites list tend to remain for a long time -- most of the big names are here -- and the ones in the tail frequently change." This separation has its logic, said the group: some scammers rely on the popularity of well-known brands (those in the favourites list) to draw more hits to the phishing site, while others target the customers of companies that have not experienced the phenomenon before and are presumably less experienced at exposing phishing.
Financial services companies continued to be by far the most targeted industry sector, accounting for 84 percent of reported phishing attacks in April. ISPs accounted for 11 percent, followed by retail companies.
The APWG also said it had recorded a rise in 'man-in-the-middle' phishing attacks. This type of attack relies on some knowledge of how a given legitimate site processes logins. With that knowledge, a scammer can build a site that acts as a 'front end' mask for the legitimate login site – returning an error message when incorrect login data is entered, for example, so the fake behaves as the real site would.
Talkback
SELF HELP MEASURES AND CYBERSPACE
The problems associated with the use of malware used for phishing purposes are not peculiar to any particular country as the menace is global in nature. The countries all over the world are facing this problem and are trying their level best to eliminate this problem. The problem, however, cannot be effectively curbed unless popular public support and a vigilant judiciary back it. The legislature cannot enact a law against the general public opinion of the nation at large. Thus, public support first has to be obtained not only at the national level but at the international level as well. The people all over the world are not against the enactment of statutes curbing the use of malware, but they are conscious about their legitimate rights. Thus, the law to be enacted by the legislature must take care of public interest on a priority basis. This can be achieved if a suitable technology is supported by an apt legislation, which can exclusively take care of the menace created by the computers sending the malware and phishing threats. Thus, the self-help measures recognised by the legislature should not be disproportionate to, or more excessive than, the threat received by the malware and phishing attacks. Further, while using such self-help measures the property and rights of the general public should not be affected. It would also not be unreasonable to demand that such self-help measures should not themselves commit any illegal act or omission. Thus, a self-help measure should not be such as may destroy or steal the data or secret information stored in the computer of the person sending the malware or phishing attack. It must be noted that two wrongs cannot make a thing right. Thus, a demarcating line between self-help and taking the law into one’s own hands must be drawn. In the ultimate analysis we must not forget that self-help measures are “watchdogs and not blood-hounds”, and their purpose should be restricted to legitimate and proportionate defensive actions only.
It will be sufficient to mention that only a computer can react fast enough to take care of the menace of malware or phishing attacks and the traditional methods of law enforcement are helpless in this regard. The problems of lack of harmonisation, doubt regarding jurisdiction, lack of a uniform extradition law between various countries of the world, etc. can be solved only by using a legitimate, proportionate and reasonable mechanism of self-help, which is not only instant but also free from technicalities and formalities.
Kindly see http://perry4law.blogspot.com/2005/06/private-defence-in-cyberspace_03.html for more details and Indian position.