The Anti-Phishing Working Group on Monday said that in November the identities of 178 financial institutions and government agencies, a new record, were co-opted by phishers in an effort to dupe victims into revealing information. This represents a 2.23% increase from the previous high in April and a 48% increase from October.
At the same time, the number of phishing campaigns overall fell for the second consecutive month, dropping to 28,074 in November from 31,650 in October. The APWG attributes this decline in part to "eCrime gangs' increasing focus on targeted phishing attacks against key corporate personnel to secure credentials for theft against corporate assets."
"The attack surface is becoming increasingly fragmented as phishing groups identify and exploit technical and social-engineering opportunities to organize scams against financial institutions," said APWG secretary general Peter Cassidy in a statement.
The APWG is comprised of law enforcement organizations and industry. Many of the companies involved in the group profit from the sale of security products.
Last week, MessageLabs, a messaging security company unaffiliated with the APWG, issued a similar report. Mark Sunner, the company's chief security analyst, said there had been a rapid rise in the number of targeted phishing attacks. Many of these, he said, were being directed at C-level executives.
In 2005, MessageLabs detected two attacks per week involving targeted Trojans out of 1.5 billion messages. In 2006, it found one such attack per day out of 180 million messages. In May 2007, it saw 10 targeted attacks per day out of 250 million messages. In November, it was seeing 924 targeted attacks every five hours.
Laura Mather, senior scientist at MarkMonitor and managing director of operational policy for APWG, said in a statement that executives at companies are receiving specially targeted e-mail messages that attempt to install malware in order to gain access to corporate systems and bank accounts.
Also in November, China overtook the United States as the top phishing site host. The APWG said that 24.21% of phishing sites detected were hosted in China, compared to 23.85% in the United States.
This trend may further fuel worries about Chinese espionage, which the U.S.-China Economic and Security Review Commission called "the single greatest risk to the security of American technologies" in its November report to Congress. It's worth noting, however, that those behind phishing attacks are not necessarily located in the countries where their phishing servers can be found.