Phishers turn to blended attacks to catch more surfers

Organized criminal gangs are targeting online consumers with ever more sophisticated blended phishing attacks - some of which even find out details of their interests and use them to generate tailored phishing emails - security experts have warned.

According to the Anti-Phishing Working Group, phishing is on the increase again, as the number of newly reported phishing campaigns reached 15,820 in October, an increase of 127 percent over October 2004.

Online consumers present a "very juicy target" for cyber criminals using phishing and pharming to steal their identities and cash, so they need to be more careful than ever when they shop online this Christmas, added Paul Henry, senior vice president of CyberGuard.

Henry pointed out that in our day-to-day lives, both at home and at work, we are spending a great deal more of our time on our computers and on the internet. This familiarity with technology can regrettably make people more susceptible, or worse yet, more gullible, he believes.

"Today consumers seem to trust technology more then they do individuals. This level of blind trust in technology, combined perhaps with our less cautious nature around the holidays, can provide a target-rich environment for cyber criminals," Henry said.

Last holiday season, most phishing scams involved simply enticing consumers to "click here" on an embedded link within an email directing the recipient to an illegitimate "copy cat" website that looked identical to the real thing. Many internet users were unknowingly divulging their most personal financial information: PINs, Credit Card Numbers, Social Security Numbers, usernames and passwords to cyber criminals.

However, as awareness has grown about phishing within the internet community, the tactics used by phishers have evolved since the last holiday season. Refined phishing tactics recorded by CyberGuard include a rise in the use of automated URL obfuscation tools. With a freely downloadable tool from the internet, the phisher simply enters the URL of the legitimate website and then enters the address of the fake malicious website, with the tool automatically crafting a new "socially engineered" URL that includes the text from the legitimate URL.

The use of embedded Java script and Active X applets is becoming more common in phishing emails, Henry warned. These scripts and applets can automatically place a graphic image of the expected legitimate URL on top of the address bar within the browser to hide the actual address that the browser is really being directed to.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.