Although they continue to attack financial institutions, phishers have broadened their targets to include universities and social media sites, whose users are inclined to share personal information, according to a new report by cyber intelligence security provider Cyveillance.
Phishers are attracted to universities for credentials such as names and password information, according to the "1H 2010 Cyber Intelligence Report." Phishers then use this data to create botnets used to facilitate malicious activity such as spamming or denial of service (DoS) attacks. Social media is used to distribute malware for financial gain. Although used differently, both target large groups of individuals who typically are willing to share personal information and trust online links, Cyveillance said.
"In an age where people are encouraged to share everything from what they had for lunch on Twitter to photos of their weekend on Facebook, cyber criminals are taking advantage of the abundance of information at their fingertips in order to create targeted attacks," said Panos Anastassiadis, chief operating officer of Cyveillance. "It is important for employees and organizations to be prepared beyond just implementing traditional security measures; they need to continuously educate individuals in cyber safety best practices in order to proactively protect their companies against attacks."
In the first half of the year, Cyveillance detected 126,644 phishing attacks, for an average of over 21,000 unique attacks per month, with the volume remaining relatively steady throughout the first two quarters, the company said.
Phishing is a social engineering scam that relies on both technology and human interaction to conduct online fraud and identity theft, according to Cyveillance. Although schemes vary, phishing typically involves spam that mimics an email from a legitimate source and is designed to steal personal information, which is then used for online fraud, identity theft, or unauthorized network access, the company said.
Malware, on the other hand, is a file or application downloaded from a website or server that has properties that are both involuntary and malicious in nature. There are many types of malware programs, such as bots that launch spam and DoS attacks, as well as keyloggers and backdoor Trojan viruses designed to steal sensitive data.
Overall phishing attacks dropped in the second quarter of 2010 year-over-year, according to an August study by Internet Identity. But phishing attacks on social networking sites, e-commerce, gaming, and web services significantly increased, the security technology and services provider said.
"Phishing attacks by Avalanche, one of the most prolific cyber criminal gangs (responsible for two-thirds of the world's phishing attacks in the second half of 2009), have essentially disappeared. However, it has turned to distributing Zeus malware which is capable of hijacking computers, then stealing banking, social networking, and email account logins, and making that information available as part of a criminal network," Internet Identity's study said.