Phishers Take Cues From HackersPhishers Take Cues From Hackers

Phishing scams again surged last month, an industry organization said Wednesday, as tech-savvy crooks increasingly took up the tools of the hacker trade to steal consumers' personal and financial identities.

According to the monthly report from the Anti-Phishing Working Group (AWPG), a consortium of more than 1,000 firms, including a majority of the top U.S. banks and ISPs, November saw yet another increase in the number of phishing Web sites spotted.

During November, the group detected 1,518 scam sites, a 29 percent increase over October, and another record for the year.

Worse news than the boost in scamming sites -- which are often "hit-and-run" Web sites that stay up only an average of 6 days -- is the AWPG's analysis of an increase in the use of malicious code by phishers to steal credit card and bank account access and information from users worldwide.

While most phishers still rely on the traditional social engineering tricks to deceive users into divulging information -- sending massive numbers of messages claiming that accounts at banks, credit card companies, e-tailers, and electronic payment providers must be updated -- more are turning to other, scarier, means, said Dan Hubbard, senior director of security at Websense, who analyzed the phishing data.

"They're definitely starting to cross the boundaries of spyware, phishing, and general virus writing," he said. "Some phishers are using portable executable files that actually run on the user's machine rather than just put a link in an e-mail. They're using viruses on your machine, which get there a number of different ways, that are fairly sophisticated. They don't do anything until you go to a known banking or credit card or retailing site that's listed in the virus, and then they either replace the site with their own [fake] version or capture keystrokes and transmit them to the criminals."

Keyloggers are often in place on PCs that have been compromised earlier by malicious computer worms and viruses. In some cases, the phishers are only using what's already available.

This trend, said Hubbard, builds on the one outlined last month by the AWPG, which then noted that many of the most virulent phishing attacks seemed to be coming from "bot networks," collections of previously-infected computers.

"We've already seen indications that phishers are commanding automated distribution systems, apparently leveraging bot nets, known as zombies," said David Jevans, the chairman of the AWPG, in a statement accompanying the November report. "Those resources, combined with conventional keylogging and other innovative malicious code, is a threat scenario that could deliver more sophisticated attacks," Jevans added.

Another trend in phishing that portends black skies ahead, said Hubbard, is an expansion of the number of targeted brands, and the proliferation of phishing attacks directed at customers of ever-smaller institutions and retailers.

During November, 51 different brands fell victim to phishing scams, an increase of 7 from October and like the number of phishing sites, another record for 2004. In the last year, a total of 122 different brands have been hijacked by phishers.

"We used to see only about 20 brands over and over again," said Hubbard. "But now we're not just seeing the large, large banks or e-commerce sites [as targets], but small regional banks in the Midwest, little gift card e-shops, and the like.

"This is evolving like nothing else that we've seen in the security business," said Hubbard. "It's grown so quickly, gotten so much more sophisticated so quickly that it quantifies that people are making money on this."