News
As Phishing Evolves, Criminals Switch to Malware
Phishing emails are yielding less success, according to experts
By Robert McMillan
And phishers aren't stopping at malware. They are constantly looking for new areas to hit.
In the past two months Jevans has also seen phishers spoof companies like FedEx and United Parcel Service with attacks that are designed to install malicious software on computers. And, in a worrying development, phishers have also targeted domain name registrars, hoping to steal credentials that could allow them to redirect entire Internet domains to their malicious servers.
Some security experts believe that such a phishing attack may have given criminals access to the CheckFree online payment service's Internet domain earlier this month. In that incident, which came about a month after customers of domain name registrars were hit by phishers, CheckFree customers were redirected to a Web site that tried to install malicious software.
Social-networking sites were also a prime target several months ago, although those attacks have dropped "dramatically," as Web sites responded to the problem, according to John Scarrow, general manager of safety services at Microsoft. "There's really an ebb and flow," to the attacks, he said.
Though the move toward malware has made phishing more complicated for some, there are plenty of newcomers too, according to Don Jackson, director of threat intelligence with SecureWorks. "There's no shortage of education, support, and helping each other in terms of setting up the scams."
Take Mr. Brain. Believed to be a Moroccan hacker, he develops free phishing kits for newbies so they can quickly get into the business. By all accounts, he does a great job, building slick phishing kits for banks that haven't yet been attacked. "He's the premier provider of these free phishing kits," Jackson said. "They're free and they're actually fairly accessible."
While his phishing kits are free, unbeknownst to the amateur criminals who download them, they come with a catch. All of the phishing data logged by these fake Web sites is automatically sent to Mr. Brain too. So the greenhorn phishers end up getting phished themselves.
But that doesn't stop them. The profits are too good, and because phishers can hit victims in faraway countries, many of them operate as if they are outside of the law. And with phishing toolkits and buyers for the stolen credentials easy to find, phishing continues to draw a new generation of criminals.
For them, phishing is easier than ever before, said Sean Brady, senior manager with RSA Security. "If I could call it anything, I'd call it a commodity crime."
Other stories by Robert McMillan
phishing
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Log Management in a Cyber World
- Implementing Best Practices for Web 2.0 Security
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
