Bigger phishes ready to spawn

Special report: There's good news about phishing: The growth of new attacks has slowed. But that's only because attackers are building more sophisticated traps and using advanced technology to perpetrate online fraud, researchers say.

Last week, the Anti-Phishing Working Group, an online fraud watchdog, reported that the number of phishing e-mails it tracked between January and February grew by only 2 percent.

That figure seems to mark a significant lessening of the threat, given that the average growth rate has been 26 percent per month since July 2004. But during the January-February period, phishing attacks also became dramatically more complex, experts said.

Whatever form they take, phishing fraud schemes -- including offshoots such as pharming, cross-site scripting and DNS (domain name server) poisoning -- are getting smarter.

"Phishers are thieves, and thieves in the online world, as in the real world, are working very hard to separate personal financial information and other data from their victims," Microsoft attorney Aaron Kornblum said.

The software maker recently filed 117 lawsuits against alleged operators of phishing Web sites -- a major step forward in thwarting online criminals, according to Kornblum.

However, he acknowledged that there may be as much to fear in the future of phishing as there is to learn from its past.

Many types of phishers in the sea

Criminals have adopted a range of strategies to try to part online consumers from their personal data.

E-mail phishing
Crooks send out fraudulent e-mails that look like they come from legitimate sources and ask people to click through to spoofed versions of company Web sites.

Pharming
Online thieves redirect people from legitimate sites to malicious ones, mainly using a "DNS poisoning" technique. Thieves target domain name servers -- the white pages of the Internet -- and swap out the numeric addresses of the Web sites.

IM phishing
Fraudsters distribute IM messages that contain links to fake Web sites. The messages are crafted to look like they come from a known contact on an individual's IM buddy list.

Cross-site scripting
Tech-savvy criminals use JavaScript code to put their content on top of legitimate pages -- most often, the Web sites of banks. Commonly, they insert a fake customer login box meant to steal password data.

URL hijacking
Opportunists find and exploit unprotected URLs maintained by real businesses to redirect users to phishing sites.

"People will continue to think up new ways to apply phishing techniques and deceive consumers," he said. "The sophistication is growing, and it's not that surprising at all."

New crooks, more-effective tricks
The first wave of phishing attacks played on the ignorance of unsuspecting consumers, spamming their in-boxes with e-mails that looked like they linked to Web sites belonging to banks, investment companies and e-commerce businesses such as eBay. In reality, they were fake pages designed to lure people into divulging account login data, or other sensitive personal information that could enable the crooks to commit identity fraud.

Recent attacks have gotten more sophisticated, with advances in phishing schemes that use e-mail and the creation of fraudulent Web pages that appear almost identical to their legitimate counterparts.

And new threats have arisen: Attacks based on instant messaging; ploys that use JavaScript technology to hide threats on legitimate Web pages; and new social-engineering strategies.

One of the most telling examples of improved social-engineering techniques is a recent attack that didn't seek to nab victims' names, addresses or Social Security numbers.

Instead, the scheme targeted customers of Salesforce.com, with the aim of stealing information stored on the company's databases.
