Although phishing is a con trick as old as the web, attackers are maintaining astonishing success by pulling the strings of victims' emotions.
Fraudsters who can persuade victims to respond to a legitimate-looking email or click on a seemingly benevolent link have already won without even having to launch a sophisticated attack on users. This week, security firm RSA released phishing attack numbers for the first half of the year that show a 19 percent increase in global incidents over the last half of 2011.
Through the end of June, the monthly average for attacks was 32,581, amounting to more than $687 million in worldwide losses.
In a blog post, RSA researchers said phishing remained one of the top threats on the internet because of the persuasive tactics that attackers employ.
“At the core of this seemingly simple threat lies a powerful force – human emotion,” the post said. “Although phishing is a 21st century crime, manipulation, deceit and persuasion are not.”
While the top five countries attacked monthly were the suspected players – the United States, U.K., Canada, Brazil and South Africa – what stood out was the 400 percent increase in phishing attacks in Canada during the first half of this year.
While RSA ascribed the sharp increase to attackers finding the Canadian market more lucrative – the country's exchange rate gap is slowly closing in on the U.S. dollar – Daniel Cohen, head of business development for online threats managed services at RSA, explored other factors.
“I think the issue with Canada is that it generally has been less cyber threat aware, both at the consumer level, as well as at the business level,” he said Thursday in an email to SCMagazine.com. “With the global increase in phishing attacks, Canada became both a target, as well as a host for phishing attacks.”
Canada also hasn't been as proactive as the United States in making cyber crime-related arrests, Cohen said.
As well, the prevalence of social media-related phishing scams is picking up, Dave Jevans, founder and chief technology officer of internet security firm IronKey and chairman of the Anti-Phishing Working Group, told SCMagazine.com on Thursday.
“Credit card or bank information is important,” Jevans said of scammers, “but getting their Facebook or Gmail information is the key to the kingdom.”
If an email account is hosted by Gmail, and someone can phish those credentials, they can probably reset passwords for other accounts, he said, comparing tech reporter Matt Honan's recent hacking incident as emblematic of what's been happening to victims of phishing in recent years.
Roel Schouwenberg, senior researcher at Kaspersky Lab, told SCMagazine.com that social media-related attacks lead to the occurrence of more financially threatening ones.
“There is the issue of people using the same login credentials for many different sites," he said. "We definitely see that when hackers get the credentials from a [social] networking site, they will often try to hit all types of financial sites as well."
The Anti-Phishing Working Group recently lowered the industry's attack-duration median – the number of hours a phishing attack is online before it is taken down – to 11.72 hours per incident, down from 15.3 hours. The decline shows that organizations have become better at detecting and stopping brand abuse.
Had that median rate not fallen, worldwide phishing losses for the last half of 2011 could have reached nearly $900 million, according to RSA.
Joseph Steinberg, CEO of Green Armor Solutions, which helps enterprise customers identify phony websites, said that until the security industry begins looking into the psychological aspect of phishing, attackers will continue to take advantage of the simple, yet effective practice.
“We have argued for years that the reason that phishing is a problem is because it is a psychological problem,” Steinberg told SCMagazine.com on Thursday. “You need something that the average person with no technological sophistication can identify, which alerts them that something has gone wrong."
According to an analysis performed by Kaspersky Lab, some phishing tactics may include embedding malicious scripts on pages found on legitimate websites, like Amazon or Wikipedia, as a way of hawking spammers' goods.
Users can protect themselves from email threats by contacting companies directly if they doubt the authenticity of an email or website, Kaspersky Lab advised.
