Phishers are targeting smaller businesses because larger enterprises are becoming increasingly difficult to catch, a Web security firm says.
E-criminals took to attacking ever-smaller targets in the first half of the year, a Web security firm said Wednesday, as they simultaneously used more sophisticated tools, such as "screen scrapers" designed to steal passwords entered with the mouse in build-for-security graphical interfaces.
By San Diego, Calif.-based Websense's take in its semi-annual "Security Trends Report," phishers have turned to small financial organizations, regional banks and credit unions in particular, as opportunities elsewhere have shrunk.
The change came, said Websense, in part because of the defensive countermeasures by large financial institutions, and a higher sense of caution on the part of their customers. With those targets increasingly resistant to attack, some phishers found smaller firms profitable victims. This so-called "puddle phishing" has hit institutions with as few as 11 branch banks or credit unions, said Websense, and has been used against single targets such as Hilton Hotel's premier members club and World of Warcraft online game players.
For the most part, phishers casting into these small ponds used the same techniques -- spammed e-mails and spoofed Web sites -- as those aiming at large banks. In fact, said the Websense report "the attack style and dynamics are very similar on many of these recent puddle phishing attempts, which may mean that there is some tool sharing or a small number of attackers behind this."
But in phishing worldwide, the trend is showing a substantial growth in attack tools, said Websense, which tracked a doubling in both the number of password-stealing Trojans and the number of malicious sites spreading those Trojans, in just two months. From April to June, the number of password-stealing Web sites jumped 202 percent, for instance.
Those Trojans are also planting more sophisticated password-stealing code, said Websense, including new "screen scrapers" that record mouse movements rather than keystrokes. Some banks and financial institutions have turned to graphical devices, including on-screen numeric keypads that customers use to enter their online banking passwords, in an attempt to stymie keyloggers. The screen scrapers capture mouse movements, including clicks, and then play back the clicks to the hacker so he or she can figure out the PIN or password.
Other security insights in Websense's report, but disclosed earlier this year as they occurred, included cyber-extortion. In May, for example, the company uncovered a scheme where a malicious site infected users' PCs, then encrypted files on the hard drive. For $200 -- the extortion part -- the attacker would provide a tool to decrypt the files.
This tactic, also called "ransom-ware" has also been used by criminals to shill anti-spyware software that "detect" bogus threats on a user's computer.
As is often the case with such reports -- which, after all, are produced by security companies that have a vested interest in sounding alarms -- Websense's report concluded that the problem will get worse before it gets better.
"We believe that that number and type of attacks will continue to increase and evolve in the second half of 2005, resulting in more monetary gain for the attackers and damage to the victims."
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.