
Phishing Gets Automated And We're All Getting Targeted

Phishing expeditions for business and personal data are rising to record levels, with fake anti-malware campaigns alone increasing by 225% in the last six months of 2008. Password-stealing Web sites jumped 827% in 2008. The reason? The phishers are investing in automation.

A new report from the Anti-Phishing Working Group (APWG) gives a sense of just how aggressive the phishers and malware makers are becoming in search of your business (and personal) data.

Using increasingly automated attacks and re-tooling strategies such as anti-malware come-ons, phishers are bombarding the Web with mail campaigns, continuing to co-opt known and trusted brands, and sprouting malware Web sites at stunning rates.

Case in point. According to APWG, malware sites jumped 827%, from 3332 in January 2008 to 31,173 in December, within spitting distance of a 1,000% increase in twelve months.

The largest increase was December, in fact, with the number of sites bearing malware and password-stealing tools skyrocketing from November's 11,834 to 31,173.

While APWG notes that the December pop was a result of "some large attacks that were using huge amounts of random websites for phishing campaigns that were spoofing classmates websites," the organization undoubtedly also knows that this sort of increase is unlikely to remain an aberration.

The crimeware side's ability to generate, essentially effortlessly, huge and even overwhelming numbers of malicious code URLs isn't going to be a one-time or even a sometime thing: Look for increases in the hundred thousand or larger range, and look for it soon.

It's the same with the resurgence of the fake malware campaigns, with the added, and ironic, advantage (for the bad guys) of an increased public awareness of the increasing malware problem. The more people know there's a problem (too often without, alas, an increased understanding of how properly to defend against it), the likelier a certain percentage of the population is to take the phishers' bait.

And a certain percentage of that percentage may be working for you. In addition to tightening and re-tightening your own defenses and filters, it's time (it's always time) to remind your staff, with special attention to non-tech, mobile, remote and telecommuting staff, to:

Delete unsolicited e-mail unopened

Never click a link in an unsolicited or unfamiliar e-mail

Steer clear of branded mail (and the links it contains) from financial institutions and, I'd say, social networks

Ignore and delete all anti-malware come-ons, whether in e-mail or ads

Never give out financial data, personal (or business!) information or passwords in response to an e-mail request or a Website form

I know, I know: This is such basic advice that you'd think it wouldn't have to be given again and again (and, no doubt, yet again and probably within the next few weeks).

But the phishers and the malware makers know that no matter how many times the advice is given, there's that percentage that won't pay attention, that percentage primed to have the hook set in their information, or their company's.

The only difference is that the bad guys are going after that percentage at a faster rate and in larger numbers.

The complete APWG Phishing Activity Trends Report 2nd Half 2008 is here.
