Application security

URLs with ‘crimeware’ spreading, but war on phishing gains ground


The number of phishing URLs used to spread "crimeware" among consumer PCs rose to an all-time high in May, according to a report from an industry association that works to eliminate identity theft and fraud caused by phishing and email spoofing.

The Anti-Phishing Working Group's (APWG) report said the 3,353 compromised URLs discovered in May represented a 7.4 percent increase in the number of unique phishing URLs containing what it calls crimeware over the previous high in February. Cybercriminals use the information collected by crimeware such as keyloggers, which steal personal identifying information from compromised PCs, to gain access to the users' online email and financial accounts and to ultimately steal money.

Although only slightly higher than the previous high, May's increase in malicious URLs was nearly 95 percent more than in April. This fluctuation "is due to the on-again-off-again trend of the phishers using multiple URLs on the same domain," said Laura Mather, Ph.D., a senior scientist with MarkMonitor and the chair of anti-phishing group's domain name systems subcommittee. In April, she reported, 80 percent of all phishing URLs were on domains that hosted multiple phishing sites.

Despite the increase in number of malicious URLs, members of the APWG still believe consumers have won victories in the fight against phishing.

"The number of conventional spam-based phishing attacks is again relatively flat, remaining at about the mean we've experienced for a year now," said Peter Cassidy, the APWG's secretary general.

"That's good news because that window is slowly closing" according to APWG statistics, he said. "A couple of years ago the average uptime for a counterfeit phishing website was 6.5 days; now it's 3.8. This tells us these guys have to work harder on conventional phishing attacks."

It has also forced the phishers to develop new techniques, such as running multiple URLs on a single web domain, for delivering their attacks, said Mather. That, too, "is a small victory for people who are fighting phishing," she said. "Every time they change strategy, it shows we've done something that hurts their business."

The growth in the number of malicious URLs is due to several factors, according to Dan Hubbard, vice president of security research at Websense, which, along with MarkMonitor, provided the APWG with much of the data for the report. These include the growing sophistication of the phishers, their increased use of automated tools for collecting and distributing users' personal information, and their use of code written to exploit Microsoft's animated cursor ANI vulnerability.

The automated tools phishers have developed, as noted, "allow them to host multiple [spoofed financial insitutions] on one site," explained Hubbard. "In the past, when they compromised one server, they could host only one institution; now, they can use one compromised server for multiple institutions at once."

The downside of the anti-phishing battle? "It may be that the success of anti-phishing efforts is what has pushed [phishers] into developing and distributing crimeware," Cassidy said. "The web is increasingly being co-opted as a vector for infecting consumers' PCs because it's now possible to broaden [phishing's] impact through automation."


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.