Phishing Update: 'No Brand is Safe'
Anti-Phishing Group Issues New Report on Trends
Online fraud schemes and malware are casting an even wider net, far beyond the large national banks and well-known retailers, as phishers seek new victims.
This is the word from the Anti-Phishing Working Group (APWG), which has just issued its latest quarterly report on phishing trends.
According to the APWG's fourth quarter 2009 report, the number of hijacked brands hit a record 356 in October, compared to the previous record month of 341 in August 2009.
No brand, no matter how small or obscure, is safe from online fraud, says APWG's Secretary General Peter Cassidy. "Once, only the largest banks were targeted," he says. "Now every kind of enterprise from banks and credit unions of all sizes to charities to, in a recent case, a hardware manufacturer, are seeing their brands exploited in all manner of fraud schemes."
Among the highlights:
- October's high of 46,522 unique phishing websites detected by the APWG was down 18 percent from the August 2009 record high of 56,362.
- The number of unique brand-domain pairs rose to a quarter high of 23,380 in October, but it is still down 4 percent from the all-time high of 24,438 in August 2009.
- Rogueware variations increased 36 percent in the fourth quarter, to 252,025, up from the third quarter's 158,980.
- The total number of infected computers dropped to 10,305,805 in the fourth quarter, representing more than 47.8 percent of the total sample of scanned computers, the lowest infection rate recorded in 2009.
This report backs up accounts of businesses receiving phishing emails that ask recipients to take action or update their online banking passwords, as in the case of the Comerica Bank phishing lawsuit.
The number of unique phishing reports declined in the fourth quarter of 2009. But APWG members report that these statistics cover up a more troubling trend: a substantial increase in phishing focused on "high-value" targets, including employees with treasury authority.
"Spear-phishing and whale-phishing, where the targets are employees at corporations or those with high net worth, appear to be increasing," says Dave Jevans, APWG's Chairman. Jevans sees phishers and malware attackers sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources. These attacks do not contribute significantly to the overall number of unique phishing emails that are sent, as they are not using broad-based spam. Instead, the attackers customize their email messages to target individual users.