You Better Watch Out: Phishing Attacks on the Rise
Holiday Breaks Put Smaller Institutions, Customers at Risk from Savvy Thieves
'Tis the season - for an upsurge in phishing attacks.
Researchers at information security company Cyveillance saw more than a 300 percent jump in attacks on Thanksgiving Day. The Virginia-based company monitors 500 companies and brand names daily. On average, the company sees about 300 phishing attacks per day. On Thanksgiving that number jumped to 900.
This one-day spike is a tactic used by criminals, who like to strike on holiday weekends, often targeting smaller businesses and credit unions, which may not have around-the-clock security teams to respond to threats that occur during these periods.
Another security company, Message Labs, says that following Thanksgiving it saw holiday-themed spam coming across its infrastructure at a rate of about 300,000 pieces per hour.
Small businesses, including credit unions, are frequently at risk for phishing attacks and other brand-related online threats. These companies must take a proactive stance in protecting their brand online. Criminals increasingly target small businesses that do not have 24/7 security personnel, allowing phishers to successfully evade detection and prolong the eventual takedown of their fraudulent Web sites.
"Cyber criminals continuously look for opportunities to distribute phishing attacks, focusing on situations when consumers are most susceptible," says Panos Anastassiadis, CEO of Cyveillance. "As seen by the large spike in online attacks over Thanksgiving, online criminals are counting on the hectic holiday season to increase their odds of successfully defrauding consumers and organizations, specifically targeting the most vulnerable security environments."
Targets and Techniques
According to Cyveillance's recent fraud report, phishers continue to heavily focus on the financial services sector, targeting banks and credit unions in nine out of 10 attacks. During the three months ending September 2007, phishing attacks against companies targeted for the first time increased 20 percent, led by newer blended phishing attacks that combine malicious software (malware) with traditional phishing techniques.
Newer blended attacks are combining the social engineering component of phishing with the more difficult to detect (and dangerous) effects of malware. Cyveillance's Todd Bransford describes how these blended attacks occur:
"In newer blended scenarios, members receive a spoofed email that includes some type of request or incentive to visit a particular Web page. If the member clicks the link to this Web page, malware is secretly installed on the member's computer. This allows criminals to take control of the member's computer to steal personal information, send out spam, or both."
Anti-Phishing Tips
For these new blended attacks that involve malware, credit unions should take steps similar to their phishing response policies, recommends Bransford.
- Educate members about new attacks and what types of emails they can expect to receive.
- Proactively seek out online threats and ask members to report any suspicious emails.
- Put in place processes, before an attack occurs, that outline how the credit union will respond when attacked. These processes should include attack site take down, member communication and public relations plans.
- Aggressively take down attack sites as quickly as possible to minimize attack effectiveness.
- Cooperate with law enforcement during and after attacks.
eBay passwords and PayPal accounts are still the "gold standard" for phishers, Bransford explains, and there are still "huge amounts" of phishing attacks against these brands, but the success of those companies' defenses is still being assessed. "It's difficult to assess whether the stronger authentication measures they are using are impacting the volumes of phishing attacks that target these brands and/or whether these attacks are successful in obtaining the targeted credentials."
Cyveillance researchers continue to see phishers seeking out new targets. "Perhaps they're driven by the goal of finding 'softer' targets who have not implemented anti-phishing measures and whose customers may not be as educated about the threat of phishing," Bransford says.