July 24, 2012

Phishing phrenzy

Is your smartphone spying on you?

The Anti-Phishing Working Group (APWG) has recently made available its “Phishing Activity Trends Report” for the first quarter of 2012. It makes interesting reading, at any rate if you're a collector of statistics, and most researchers are to an extent. What does it tell us about the contemporary phishing scene, or at least that part of it that APWG and its members are able to monitor? Well, for the detail, you really need the 11-page report, but here are some highlights.

In February, the number of unique phishing sites recorded by APWG reached an all-time high of 56,859. Well, I don't suppose you thought that criminal activity is decreasing.
On the other hand, the average number of infected PCs (that means compromised by some form of malware, not just – or even primarily – viruses, of course) has declined by three points since 2011. It's still a scary 35.51 percent, though.

You might find the breakdown of that malware by type interesting, though. The average over the three-month period looks like this:

Data-stealing malware and generic trojans associated with remote access to and control of compromised machines through backdoors: 35.67 percent.
Crimeware (malware specifically intended to attack the customers of financial institutions): 1.52 percent.
Other malware (all the other stuff we try to detect): 62.81 percent.

By the way, those aren't necessarily the exact definitions ESET would use, but they're close enough to give the general idea. What they don't give, though, is a feel for the proportion of targeted attacks that business faces. Proofpoint polled roughly 330 attendees at the Microsoft TechEd conference in June, and concluded that 51 percent believed that their organization had definitely been targeted by spear-phishing attacks aimed at its employees. That's a tiny survey population compared to the big numbers in the APWG report. Nevertheless, it's based on the opinions of business users you'd expect to be knowledgeable about IT security within their companies. And that figure probably tells us spear-phishing is long past being something that only big security companies and political activists need to worry about.