Spear phishing attacks on rise
Written by John P Mello Jr on March 16, 2010
Financial sector is top target for phishers.
Phishing reports were down, but that may be because cyber scammers had bigger fish to fry.
That’s one of the findings in a report released this week by the Anti-Phishing Working Group.
After reaching an all-time high of 40,621 reports in August of last year, phishing reports to the organization fell a precipitous 29 percent, to 28,897, in December, the organization revealed in its Phishing Activity Trends Report for the fourth quarter of 2009.
Although raw phishing numbers declined, the organization reported a “substantial increase” in phishing focused on high-value targets, such as personnel with treasury authority.
“Spear-phishing and whale-phishing, where targeted individuals inside of corporations, or of high net worth, appears to be increasing,” APWG Chairman Dave Jevans said in the report.
“Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources,” he continued.
“These attacks do not contribute significantly to the overall number of unique phishing emails that are sent, as they are not using broad-based spam,” he added. “Rather, the attackers customize their email messages to target individual users.”
Such a targeted attack made headlines recently when it was used to break into Google’s computers.
The number of unique phishing sites identified by the group remained steady during the period. From October to December, unique site figures fluctuated by less than one percent, from 46,522 to 46,190 sites, and the end-of-year figure was 18 percent below the all-time peak of 56,362 sites hit in August.
Attacks on brands hit a new high during the quarter, according to the report. After hitting that peak of 356 in October, though, assaults petered out to 249 by the end of the year.
“The pattern of attacks per brand is particularly noteworthy,” observed Ihab Shraim, chief security officer and vice president for network and system engineering at MarkMonitor and a contributing analyst for the report. “While the number of targeted brands declined in each month of the fourth quarter, the total number of brands targeted in phishing attacks actually increased from the previous quarter.”
After falling from the catbird’s seat during the first two quarters of the year, the financial services sector regained its dubious distinction as the number one industry targeted by phishers in quarters three and four. In the final frame of the annum, 39 percent of phishing attacks were directed at the financial sector, followed by payment services (33 percent), auction sites (13 percent), other (13 percent) and retail (two percent).
In this edition of the group’s report, a new metric has been added: crimeware. Crimeware is malware specifically designed to attack the customers of financial institutions. During the quarter, crimeware’s slice of the malware pie remained consistent at two percent. However, the pie share held by bad apps designed to steal data fluctuated, starting at 31 percent in October, climbing to 34 percent in November and returning to 31 percent at the end of the year.
Patrik Runald, a senior security research manager with Websense and a contributing analyst to the report, observed that data-stealing code continues to be a major problem for White Hats. “This is due to the high success rate that hackers obtain when unleashing attacks with data stealing code,” he maintained. “These types of attacks will most likely continue at this pace, and possibly increase as attack techniques evolve.”
A popular vehicle for infecting computers in recent months has been rogueware, malware masquerading as security and anti-virus programs. A significant increase in the variants of these applications occurred at the end of the year, according to the group’s report. From the third to the fourth quarter of the annum, rogueware variants increased 36 percent, from 158,980 to 252,025. Still, the high of 122,335 for the final frame reached in December was substantially lower than the record crest of 152,197 reached in June 2009.
Despite the large numbers of new variants, the bad apps actually stem from relatively few software families, the report noted. The more than 200,000 variants in the fourth quarter, for example, belong to only four families:
• Adware/Antivirus2008
• Adware/MSAntiSpyware2009
• Adware/TotalSecurity2009
• Adware/SystemGuard2009
The report also noted that the United States was the top country for phishing sites in the world. In October and November, more than 90 percent of all the nefarious sites were located in the United States; more than 70 percent in December.




