Phishing Attacks Soar
By Gregg Keizer ,
TechWeb News

E-mail phishing attacks jumped over 400 percent during the holidays, according to an analysis released Wednesday of scams reported to clearinghouse Anti-Phishing.org.

Phishing, the term used to describe malignant e-mail posing as legitimate messages from banks, retailers, and credit card companies, soared in November and December as scammers took advantage of the holiday rush to try to trick users into divulging personal and financial information.

In the past two weeks alone, an estimated 60 million phishing e-mails have been sent to users, said Tumbleweed Communications, an anti-spam and secure messaging vendor that compiled the numbers from Anti-Phishing.org. Because the phishing messages often look remarkably official, down to logos and professionally-designed forms for entering credit card information, an average of 5 percent of those who receive them respond.

Among the holiday-themed phishing attacks recently spotted by Anti-Fishing.org is a spoofed e-mail purporting to be from America Online. Users are told that an electronic greeting card is waiting for pickup, but before it can be retrieved, the user is asked to log into his or her AOL account. That information is, however, transmitted to the scammer, who then has access to the account.

Other recently-reported phishing attacks, such as one that claims to be from Visa which requests users to log onto their online Visa account, make use of an unpatched vulnerability in Internet Explorer to spoof URLs displayed in the popular browser. While the actual Web site visited is bogus, the address displayed in IE's address bar appears to be the real deal.

“Consumer phishing attacks are dangerous, and are quickly increasing both in number and in sophistication,” said Dave Jevans, a senior vice president at Tumbleweed and the chairman of the Anti-Phishing Working Group, which hosts the Anti-Phishing.org Web site.

“To most Internet users, the e-mails and Web sites are indistinguishable from legitimate business communications. The spam epidemic has rapidly evolved from a nuisance to a real security threat with the shift from dubious advertising to financial crime and identity theft,” he added.

The phishing analysis showed that eBay customers have been especially targeted by scammers, with two-dozen separate attacks over the past 60 days, while financial institutions as a group, including banks, credit card companies, and the e-payment service PayPal, were the butt of 35 such attacks in the same period.

Several self-propagating worms have been launched recently that play to the phishing increase. MiMail. for instance, a worm that went through several permutations in just a matter of days, originally aimed its bogus request for information at PayPal users. And last week, another worm -- dubbed W32/Cayam -- targeted eBay users in the hope that they would give up all kinds of financial data, including credit card and checking account information.

More at TechWeb