The Anti-Phishing Working Group, a consortium of businesses and law enforcement officials, said Thursday that 85 percent of all reported phishing attacks during the month of December directly focused on banks and similar companies.
Phishing schemes typically consist of e-mail messages that appear to come from trusted companies which attempt to lure people to bogus Web sites where they're asked to divulge sensitive personal information. Once armed with that data, criminals will often attempt to use it to commit identity fraud.
Overall, the group said that there were 9,019 new, unique phishing campaigns reported over the course of December, representing a 6 percent increase over November's total. Since July 2004, when there were only 2,625 reported attacks, the volume of new schemes has grown by approximately 38 percent.
APWG said that the number of Web sites supporting the scams has grown at an even faster rate. In December, there were 1,707 phishing-related sites reported--a jump of 10 percent over November, when the group tracked 1,546 such fraudulent URLs. The tally has increased by roughly 24 percent per month since August 2004.
The APWG report also found that the number of individual companies targeted by the schemes is growing. There were 55 brands specifically mentioned in phishing campaigns last month--up from 51 companies in November, and 44 in October 2004.
Executives at APWG said the predominance of financial services phishing scams during the month of December bucked the widely held notion that retail sites would come under intense attack as unsuspecting consumers logged on to do their holiday season shopping.
"The concurrent proliferation of targeted brands and concentration of phishing focus on financial institutions is, of course, disturbing," APWG Chairman David Jevans said in a statement. "No brand is really safe, but it is interesting to note that the concentration on phishing attacks against financial institutions actually increased to a new high during a time when many were concerned that opportunistic phishers would spoof retail sites."
In a recent interview, Mike Cunningham, senior vice president of fraud management at Chase Card Services, a division of financial services giant JPMorgan Chase, said that despite the proliferation of phishing schemes aimed at companies in his industry, consumers have yet to grow reluctant to conduct their business online.
"I don't believe customers are avoiding the online channel because of (phishing), I think they're becoming more wary and figuring out what sort of things banks will or will not send you via e-mail," Cunningham said. "We haven't seen any decline in use of online channels and, in fact, that business continues to grow."
However, industry watchers following the growth of the phishing phenomenon have predicted that the explosion of financial services-oriented scams could have a long-term effect on that industry and encourage customers not to communicate with their providers via the Web.
"At one point we thought these attacks were rare, but now they are so common in financial institutions that we see huge amounts of them and have to continually warn people to be wary," said Susan Larson, vice president of global content for SurfControl, a company that markets e-mail filtering software. "There's a growing perception that you have to be careful of anything coming from financial institutions, or companies like PayPal, and that can't be good for business in the long run."

Keyloggers are legitimate software? Here is an example:
Spyware Name: 'Spy My PC' (Pro)
Type: System Monitor downloaded without my express consent in company network
Developer: http://www.benutec.com/
Purported Use: employee monitoring - software code hacked and then shared on internet with express purpose of key-logging via trojan
How Discovered:
• Webroot Spysweeper detected exact during daily scan on company laptop;
• Spybot Search&Destroy (latest version) failed to detect it
• Lavasoft Ad-Aware SE Plus failed to detect
• SOPHOS also failed to detect this or even scan for it
Highlights:
• There are many differences in anti-virus and anti-spyware definition lists
• some anti-virus firms are not distinguishing any difference between a virus and a monitor by releasing virus definitions, without re-branding the definition as spyware, to save their market share after advising consumers, who have paid for products at the shopfront, that AV protects them completely (e.g. current open flaw in Norton Anti-Virus relating to scanning for viruses)
• lack of national and international nomenclature standard – same as for virus naming
• abilities of spyware writers to use software modules may also lead to false names being applied to legitimate system monitors
• spyware writers are now effectively hiding system monitors within Trojan variations
• major deficiencies in ‘100% safe’ claims from anti-virus companies, adding to confusion on subject of anti-spyware
Webroot Description:
“SpyMyPC PRO is award-winning, highly flexible, all-round desktop security monitoring solution, the best choice if you want to know what others are doing on your own computer. Spy My PC PRO Logs all keystrokes, applications, windows, websites, Internet connections, passwords and chats.”
Additional Example Loading from Game:
Note: The following is a blog from a gamer who was protected by Webroot SpySweeper
http://absolutist.com/games.html - Axy Snake game downloaded with System Monitor attached –
I wanted to let you know what happened to me at this site. I downloaded the Axy Snake game [trial version] last night. OH, it's a fun game alright... but when I ran Spysweeper, it put up I had [AxySnake Spy My PC Pro], all in the same box, and was considered spyware!!!
I can't believe they would do this... Spy My PC is a download you can buy to watch every move that happens in YOUR pc. Anyone here think I need to do system restore? I AM SO UPSET THAT THEY CAN NOW SEE AND KNOW EVERY KEY STROKE AND ALL MY PERSONAL STUFF!! Any advice? Apparently you get that Spy tool installed along with the game.
Isn't this the lowest thing you can
Ok, so who should be suing who?
Reference Information on Keylogging: http://www.netadmintools.com/part215.html