
Phishing, Crimeware Jump in '07

Anti-Phishing Working Group's latest numbers show ISPs, social networks are fastest-growing targets

Mar 21, 2007 | 08:35 AM

By Kelly Jackson Higgins
DarkReading

Phishing websites and crimeware both hit an all-time high in January, according to the Anti-Phishing Working Group's latest report, which was released yesterday. And for the first time, ISPs surpassed retail as the second-most targeted industry sector -- although they are way behind financial services, which accounts for 88.9 percent of phishing attacks.

The APWG logged 29,930 unique phishing reports worldwide in January, an increase of more than 25 percent from December's 23,787. But the number of new phishing sites detected dropped slightly, from 28,531 in December to 27,221 in January, as did the number of hijacked brands, from 146 in late '06 to 135 in January.

It's hard to say whether the changes were the result of the post-holiday hangover, but the APWG's findings were mostly in line with trends reported by other experts.

"You're getting a diversification of strategies by phishers, mostly because of anti-phishing techniques" cramping their style, says Adam O'Donnell, senior research scientist for Cloudmark. "By diversifying, they can distract and bait the [phishing] analysts and get into more fertile phishing grounds."

The Storm worm was a good example of attackers mutating malware, O'Donnell says. The worm generated hundreds of mutations over just one weekend, and had auto-update features built into it. "If you're able to release a virus that gets in the wild and makes an impact before" antivirus engines map it out, the attacker wins, he says. "This is a huge trend in crimeware."

Password-stealing malware went up from 340 unique apps in December to 345 in January, according to the report.

In its investigation of crimeware, APWG found that Brazilian-based malware writers are now using Web Attacker, the wildly popular toolkit from Russia. This development suggests that crime groups are collaborating globally, the report says.

Social networking and gambling sites, meanwhile, saw more hijacking than ever before in January. Cloudmark's O'Donnell says this phenomenon is likely to increase as attackers find ways to monetize information on these sites -- especially sites such as MySpace, which don't have financial data, but may have other data that could be used for spamming or other money-making schemes.

And last but not least, trojan "redirectors" -- which redirect a user's Web traffic to a malicious location by changing hosts files or other DNS-based information -- are on the rise as well, according to the report. Most of these alter DNS settings or hosts files to send the user to a fake DNS server, and the user likely won't be able to tell.
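Both changes the report describes leave traces a defender can check for. The sketch below is an added example, not part of the APWG report or the original article: it audits hosts-file text for watched brand domains pinned to a static address and resolver configuration for DNS servers outside an approved list. The watched domains, approved resolver, sample file contents and the resolv.conf-style format are all assumptions constructed for illustration.

```python
import ipaddress

# Assumptions for this example: brands to watch and the resolver we expect.
WATCHED = ("examplebank.com", "example-isp.net")
APPROVED_RESOLVERS = {"192.0.2.53"}

# Constructed sample inputs (documentation address ranges only).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
10.0.0.5      intranet.corp.example    # legitimate internal override
203.0.113.10  www.examplebank.com ExampleBank.com.   # redirect entry
0.0.0.0       ads.example.org
"""
SAMPLE_RESOLV = """\
nameserver 192.0.2.53
nameserver 198.51.100.7   # not on the approved list
"""

def is_watched(name):
    """True if name is a watched domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (line_no, ip, hostname) for watched names pinned to a real address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                            # not an address line
        if ip.is_loopback or ip.is_unspecified:
            continue                            # localhost and sinkhole entries
        for name in fields[1:]:                 # one line may carry several aliases
            name = name.lower().rstrip(".")
            if is_watched(name):
                findings.append((line_no, str(ip), name))
    return findings

def audit_resolvers(text, approved=APPROVED_RESOLVERS):
    """Return configured nameservers that are not on the approved list."""
    rogue = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver" and fields[1] not in approved:
            rogue.append(fields[1])
    return rogue
```

A banking or ISP hostname has no reason to appear in a hosts file at all, so any finding from `audit_hosts` is worth investigating; the same holds for a resolver that differs from what DHCP or policy hands out.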

Meanwhile, some things never change: Port 80 (HTTP) is still the most popular port for phishing sites, at 97.1 percent. And the U.S. still holds the dubious distinction of being number one in hosting phishing sites, with 24.27 percent, followed by China, at 17.23 percent, and then Korea, at 11 percent. The U.S. also leads the way in hosting phishing-based trojans and downloaders, according to the report, with 47 percent. China is in second place, with 22 percent.

Bottom line? "Phishing is still a serious problem and network providers need to do a better job of shutting down phishing sites on their part of the Internet," says David Ulevitch, CEO of OpenDNS, which operates PhishTank.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
