Phishers are targeting smaller businesses because larger enterprises are becoming increasingly difficult to catch, a Web security firm says.
E-criminals took to attacking ever-smaller targets in the first half of the year, a Web security firm said Wednesday, while simultaneously using more sophisticated tools, such as "screen scrapers" designed to steal passwords entered with the mouse in built-for-security graphical interfaces.
According to San Diego, Calif.-based Websense's semi-annual "Security Trends Report," phishers have turned to small financial organizations, regional banks and credit unions in particular, as opportunities elsewhere have shrunk.
The change came, said Websense, in part because of the defensive countermeasures by large financial institutions, and a higher sense of caution on the part of their customers. With those targets increasingly resistant to attack, some phishers found smaller firms profitable victims. This so-called "puddle phishing" has hit institutions with as few as 11 branch banks or credit unions, said Websense, and has been used against single targets such as Hilton Hotel's premier members club and World of Warcraft online game players.
For the most part, phishers casting into these small ponds used the same techniques -- spammed e-mails and spoofed Web sites -- as those aiming at large banks. In fact, said the Websense report, "the attack style and dynamics are very similar on many of these recent puddle phishing attempts, which may mean that there is some tool sharing or a small number of attackers behind this."
But in phishing worldwide, the trend is showing a substantial growth in attack tools, said Websense, which tracked a doubling in both the number of password-stealing Trojans and the number of malicious sites spreading those Trojans, in just two months. From April to June, the number of password-stealing Web sites jumped 202 percent, for instance.
Those Trojans are also planting more sophisticated password-stealing code, said Websense, including new "screen scrapers" that record mouse movements rather than keystrokes. Some banks and financial institutions have turned to graphical devices, including on-screen numeric keypads that customers use to enter their online banking passwords, in an attempt to stymie keyloggers. The screen scrapers capture mouse movements, including clicks, and then play back the clicks to the hacker so he or she can figure out the PIN or password.
Other security insights in Websense's report, but disclosed earlier this year as they occurred, included cyber-extortion. In May, for example, the company uncovered a scheme where a malicious site infected users' PCs, then encrypted files on the hard drive. For $200 -- the extortion part -- the attacker would provide a tool to decrypt the files.
This tactic, also called "ransomware," has also been used by criminals to shill anti-spyware software that "detects" bogus threats on a user's computer.
As is often the case with such reports -- which, after all, are produced by security companies that have a vested interest in sounding alarms -- Websense's report concluded that the problem will get worse before it gets better.
"We believe that the number and type of attacks will continue to increase and evolve in the second half of 2005, resulting in more monetary gain for the attackers and damage to the victims."