Phishers Becoming More Audacious In Approach
They're also becoming more sophisticated in terms of combating the anti-phishing mechanisms that companies, internet service providers and users are putting up to stop them, Emigh said. "In conventional deception attacks, they're using blacklist busting URLs, and it's where it's almost a game of 'Whack-A-Mole' to find and stop the phishing sites. Where blacklists and phishing toolbars are being integrated into browsers, the phishers are using unique subdomains for each group of emails to avoid being put on the blacklists," he explained.
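One defensive consequence of the unique-subdomain trick described above, as an added example that is not code from the article or from any product it mentions: a blocklist keyed on the exact hostname misses the next mailing's fresh subdomain, while a blocklist keyed on the registrable domain still catches it. The public-suffix table below is a small constructed stand-in for the real Public Suffix List, and the phishing URLs are constructed samples.

```python
"""Blocklist matching that survives per-campaign unique subdomains.

Added example, not code from the article or from any product it mentions.
PUBLIC_SUFFIXES is a constructed subset standing in for the real Public
Suffix List (an assumption; production code would load the real list).
"""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}  # constructed subset


def _host(url):
    """Lower-cased hostname of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url):
    """Return the registrable domain (eTLD+1) of a URL, or None if undeterminable."""
    host = _host(url)
    labels = host.split(".")
    if len(labels) < 2 or host.replace(".", "").isdigit():
        return None  # bare label or IPv4 literal: no registrable domain
    # Longest matching public suffix wins; the registrable domain is one more label.
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return None


def exact_host_blocked(blocklist, url):
    """Naive toolbar behaviour: block only hostnames that were reported before."""
    return _host(url) in {_host(b) for b in blocklist}


def domain_blocked(blocklist, url):
    """Block on the registrable domain, so a fresh subdomain in the next mailing still matches."""
    known = {registrable_domain(b) for b in blocklist} - {None}
    return registrable_domain(url) in known


def demo():
    # Constructed sample: the first mailing's site was reported; the next wave
    # reuses the same registered domain under a never-seen subdomain.
    reported = ["http://a1b2c3.secure-update.example.net/login"]
    next_wave = "http://z9y8x7.secure-update.example.net/login"
    return {
        "exact": exact_host_blocked(reported, next_wave),
        "domain": domain_blocked(reported, next_wave),
    }


if __name__ == "__main__":
    print(demo())  # {'exact': False, 'domain': True}
```

Domain-level blocking over-blocks where many unrelated parties share one registrable domain (hosting platforms, dynamic DNS providers), which is one reason the real Public Suffix List carries a private section of such providers.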
The number of phishing sites soared in 2006, and the number of U.S. consumers duped by phishing schemes has nearly doubled. In November 2006, the Anti-Phishing Working Group found 37,439 new sites, up 709 percent from the 4630 sites in November of 2005.
The need for more consumer education is coupled with the need for financial institutions to do the right thing in terms of practicing what they preach, Emigh said. "Financial institutions compound problems for users by their own poor practices, such as using clickable links within their emails to customers, or having links that send the user to domains where it is not clear that it is the bank's domain, and also not using SSL on the login screen, or if they use it, not making it apparent to the user," he said. Users learn by doing, he added. "FIs shouldn't expect that their customers should understand the finer points of authentication, and just educating their customers won't be enough to stop phishing." Pharming is also on the rise, and is much tougher for even experienced internet users to detect.
"In the real world, you can pretty much tell if you're standing in front of a bank, with all the gleaming marble and glass, and at the same time, in the real world, you can quickly tell if you're dealing with a guy who is posing as a bank, but he's working out of a cardboard box on a street corner. On the Internet, it's not that easy to tell the difference, and the phisher can steal a bank's logo and create a site that looks like the bank's website," he explained.
The online security indicators aren't good enough for users to say "this is a cardboard cutout of my bank," Emigh noted. The only differences are obscure indicators, like the SSL lock icon, and most users don't know that these should appear in a certain place.
The security indicators in the real world have evolved over a long period of time, and users can make sophisticated trust decisions based on what they know. In the online world, indicators that help people decide what is safe and what is fake are still lacking. New methods of authentication for users, including mutual authentication methods, need to evolve and improve quickly to buoy trust in online banking, because cybercrime is growing very fast and can erode that trust, especially among customers who have already been stung by phishing, he said.