Phishers Moving Away From E-Mail ’Lures’

Phishing attacks were up slightly in February, the Anti-Phishing Working Group reported last week, but the trend toward even sneakier ways of scamming identities is growing quickly.

According to the latest report from the Anti-Phishing Working Group, a coalition of technology companies and law enforcement agencies devoted to eliminating ID theft, the number of phishing e-mail campaigns during February climbed by 2 percent over January, even though the former was three days shorter.

More important, however, is that phishing without an accompanying e-mail "lure" is becoming more common. So called "pharming" attacks don't rely on legitimate-looking e-mails to lure users to fake Web sites, but automate that process by planting malicious code on vulnerable systems, then modifying the PC's HOSTS file to point to fraudulent sites rather than to the real deal.

"There's a continuing trend in the sophistication of the phishers," said Dan Hubbard, a lead investigator with Websense's security lab. (The San Diego-based Websense is a member of the APWG, and contributes analysis to the group's monthly reports.) "They're constantly getting trickier. Unfortunately, when they start pharming and modifying HOSTS files, a lot of the usual kind of advice about avoiding phishing goes right out the window."

With malicious code playing an ever-more-important part in phishing attacks, Hubbard said, users have to step up their defenses. "Don't open unexpected file attachments, of course," he said, "and change passwords often. You might also look into some other solution rather than static passwords."

Those schemes, including two-factor authorization, sometimes hinge on hardware, like USB-based password generators.

Phishers are also expanding the list of their targets, said Hubbard, both by targeting ever-smaller financial institutions and by branching out into previously "safe" kind of sites.

"We've seen a large number of small e-commerce sites and regional banks becoming victims of phishing attacks," said Hubbard.

A pair of recent phishing attacks that Websense has tracked illustrated how criminals are setting sights on unusual Web sites that don't fit the typical financial and/or e-commerce pattern, Hubbard added.

One from just over a week ago was aimed at players of the multiplayer online World of Warcraft game. "The phish didn't depend on e-mail, but on a cousin URL that's just one character off the real address," said Hubbard. Players who mistyped the real address saw what appeared to be a legit log-in site; it was really a bogus site collecting usernames and passwords for the game.

"The phishers are after these online identities, because they can buy and sell them to other players," said Hubbard.

On Monday, Websense said it had received reports of a phishing attack directed at Monster.com, the online job posting Web site. Users receive a spoofed e-mail, supposedly from Monster.com's customer service, saying that their account has been suspended, and that they need to login to check their information.

"We're trying to figure out the motivation for this attack," said Hubbard. "Right now we think it's directed at the companies which use Monster.com to search the database for resumes. The phishers may be using it to attack specific companies -- generate credit checks for a large number of job seekers, for instance, which cost $100 to $150 a pop -- or to somehow collect e-mail addresses at the company to use in a later spam campaign."

The APWG's report also said that the number of phishing sites climbed by about 2 percent over January, and hit 2,625 for the month. China also came on strong for the month, climbing by 10 percentage points to host 28 percent of all phishing scam sites, second only to the U.S.'s 37 percent. Korea is a distant third at 11 percent.