Phishing Attacks Continue to Grow in Sophistication

The Year in PhishingPhishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2006:

  • Plug and Play Phishing Networks: The number of phishing sites and attacks rose dramatically in the second half of 2006 as phishers perfected techniques to rapidly deploy entire networks of phishing sites on cracked web servers. These packages, known as Rockphish and R11, featured dozens of sites spoofing major banks, which could be unzipped in a subdirectory of a hacked site to create an instant phishing network. By using a common directory structure and subdomains, phishers created URLs that included the name of the target institution.

  • Phlashing (Flash-based phishing sites): Attackers have begun using Flash animation to create spoof sites as a strategy to defeat automated anti-phishing services, which scan the text of a page in search of suspect phrases (brands of financial institutions, for example) that may identify it as a phishing scam. Phishers previously shifted from HTML to Javascript to make it harder to analyze a page's source code, and the use of Flash represents the next step in this evolution. Flash attacks were first seen in June, and were becoming more common by the close of 2006.
  • Two-factor Authentication: A July attack on Citibank demonstrated a technique that was able to defeat two-factor authentication tactics using a man-in-the-middle attack. Two-factor authentication, which uses physical security devices to generate a single-use password, is being touted by banks and financial regulators as a way to reduce fraud losses from phishing. The second authentication factor used by Citibank is provided by a security token - a physical item possessed by an account holder - which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they stop working shortly after the victim has used them. However, by tricking a victim into entering their login details, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly, allowing the attacker to successfully log in. Continue reading
  • Phishing By The Numbers: 609,000 Blocked Sites in 2006

    The Year in Phishing The Netcraft Toolbar blocked more than 609,000 confirmed phishing URLs in 2006, an enormous jump from just 41,000 in 2005. The volume of attacks grew gradually until the final quarter of the year, when the number of blocked sites soared as attackers perfected techniques to automate and propagate networks of spoof pages. These networks were replicated across botnets, creating a huge jump in submissions and confirmed phishing sites. Blocked URLs ranged between 1,000 and 20,000 per month before ramping up to 45,000 in October, 135,000 in November and more than 277,000 in December.

    phishingnumbers2007.png

    The dramatic surge in attacks was fueled by new tools to rapidly deploy entire networks of phishing sites on cracked web servers. These packages, known broadly as Rockphish or R11, each included dozens of sites spoofing major banks, and could be unzipped in a subdirectory of a hacked site to create an instant phishing network. By using a common directory structure and sophisticated DNS management, phishers created dozens of spoof sites with subdomains including the name of the target institution. These networks were installed on large numbers of compromised machines in botnets, organized with management tools that allowed attackers to rapidly add and redirect sites within their networks.

    Continue reading

    January 2007 Web Server Survey

    In the January 2007 survey we received responses from 106,875,138 sites, an increase of 1.63 million from last month's survey. Leading the growth is Microsoft, which adds more than 650K hostnames on its Windows Live Spaces blog service, while Go Daddy (+165K) and Google (+105K) also had growth of more than 100,000 sites this month.

    Windows improve its share of the market for web server software, gaining 0.1 percent while Apache slips by 0.5 percent this month. Windows added 620K hostnames, while Apache had growth of 492K sites. Microsoft's gains were more pronounced in active sites (hostnames that contain content and likely to represent developed web sites), where its share is 0.88 percent higher and now approaching 35 percent, compared to 59 percent for Apache.

    Total Sites Across All Domains August 1995 - January 2007

    Total Sites Across All Domains, August 1995 - January 2007

    Graph of market share for top servers across all domains, August 1995 - January 2007

    Top Developers
    DeveloperDecember 2006PercentJanuary 2007PercentChange
    Apache6381960760.646431208360.17-0.47
    Microsoft3227797630.673289842130.780.11
    Sun17638471.6817490261.64-0.04
    Zeus6356730.605517670.52-0.08

    Continue reading