Study: Phishing surges 240 per cent

gallery

The number of phishing emails detected shot up in November, according to the analysis of one hosted web security provider.

Of the 103 million messages Websense processes a day, three in every 50 were from phishing sites, which amounted to a month-on-month increase of 240 per cent, or 83 per cent of all email.

It also noted that 90.5 per cent of spam included an embedded uniform resource locator (URL), a higher percentage than ever seen previously, supporting security experts that say phishing techniques have become more sophisticated to capitalise on the credit crunch.

The vendor’s trends analysis found one key gang was again behind the phising surge, designed to get unwary users to reveal sensitive user account credentials, as most exploits use kits originally created to lure people to fake sites that included a distinctive subdirectory named ‘rock’. But the group abandoned the technique when phishing filters began looking for the word.

“Rock phishers have once again indicated their interest in obtaining user account credentials, using mass phishing campaigns targeting banks (with recent attacks reported on Suntrust, Lloyds, and Bank of America),” it said.

And it pointed to recent SANS Internet Security Centre research that found a well-formatted phishing email could achieve a 10-per-cent clickthrough rate, whereas a targeted one could score upwards of 80 per cent.

The monthly analysis also found phishing authors are continuing to push several sophisticated crimeware packages, including so-called ‘blended threats’ using fake image and URL links that can get silently installed on the victim's PC.

And another emerging phishing trend were “phishes that bite back,” even if a frustrated user returns a fake website form in with junk information. In August, SecureWorks researcher, Joe Stewart posted details of how an incomplete form returned to Asprox botnet host would subject the user’s browser to a number of additional exploits.

Websense said these kinds of attacks could only be identified and countered using professional security expertise and warned those organisations relying on purely in-house IT security that operating costs would “skyrocket” in attempts to keep up with the likes of the Rock phishers.

At the very least, “without a strong messaging security solution, customers will experience bandwidth and storage capacity issues, frustration and a drain in productivity, not to mention exposure to significant security risk,” said the report.

Email to a friend

Print this page