Phishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2006:
- Two-factor Authentication: A July attack on Citibank demonstrated a technique that was able to defeat two-factor authentication tactics using a man-in-the-middle attack. Two-factor authentication, which uses physical security devices to generate a single-use password, is being touted by banks and financial regulators as a way to reduce fraud losses from phishing. The second authentication factor used by Citibank is provided by a security token - a physical item possessed by an account holder - which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they stop working shortly after the victim has used them. However, by tricking a victim into entering their login details, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly, allowing the attacker to successfully log in.
- Plug and Play Phishing Networks: The number of phishing sites and attacks rose dramatically in the second half of 2006 as phishers perfected techniques to rapidly deploy entire networks of phishing sites on cracked web servers. These packages, known as Rockphish and R11, featured dozens of sites spoofing major banks, which could be unzipped in a subdirectory of a hacked site to create an instant phishing network. By using a common directory structure and subdomains, phishers created URLs that included the name of the target institution.
The Netcraft Toolbar blocked more than 609,000 confirmed phishing URLs in 2006, an enormous jump from just 41,000 in 2005. The volume of attacks grew gradually until the final quarter of the year, when the number of blocked sites soared as attackers perfected techniques to automate and propagate networks of spoof pages. These networks were replicated across botnets, creating a huge jump in submissions and confirmed phishing sites. Blocked URLs ranged between 1,000 and 20,000 per month before ramping up to 45,000 in October, 135,000 in November and more than 277,000 in December.
The dramatic surge in attacks was fueled by new tools to rapidly deploy entire networks of phishing sites on cracked web servers. These packages, known broadly as Rockphish or R11, each included dozens of sites spoofing major banks, and could be unzipped in a subdirectory of a hacked site to create an instant phishing network. By using a common directory structure and sophisticated DNS management, phishers created dozens of spoof sites with subdomains including the name of the target institution. These networks were installed on large numbers of compromised machines in botnets, organized with management tools that allowed attackers to rapidly add and redirect sites within their networks.
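The brand-in-subdomain pattern described above is something a defender can screen for. The following is an added example, not Netcraft's or the toolbar's code: a heuristic that flags URLs where a bank's brand keyword appears in the hostname or path of a site whose registered domain is not the bank's own. The brand list, legitimate-domain mapping and sample URLs are constructed for illustration.

```python
# Added example (not from the original article): heuristic flagging of
# Rockphish-style URLs that carry a bank's name in the subdomain or path of
# an unrelated (typically compromised) domain.
from urllib.parse import urlparse

# Assumed mapping of brand keyword -> registered domains the brand really uses.
# Constructed for this example; a real deployment would keep a vetted list.
LEGIT_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
    "examplebank": {"examplebank.com"},
}

def registered_domain(host: str) -> str:
    """Crude registered-domain extraction: the last two labels.
    Production code should consult the Public Suffix List (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url: str):
    """Return (brand, reason) if the URL looks like a brand spoof, else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reg = registered_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            continue  # the bank's own domain is not a spoof under this rule
        if brand in host:
            return brand, "brand in hostname of unrelated domain " + reg
        if brand in path:
            return brand, "brand in path on unrelated domain " + reg
    return None

def scan(urls):
    """Map each URL to its verdict so a batch of submissions can be triaged."""
    return {u: classify_url(u) for u in urls}

SAMPLE_URLS = [  # constructed examples, including an IP-literal host
    "http://www.citibank.com/us/",
    "http://citibank.secure-login.example.net/r1/citibank/",
    "http://198.51.100.23/examplebank/login.php",
    "http://news.example.org/story/2006/phishing",
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print("FLAG" if verdict else "ok  ", url, verdict or "")
```

A hit from this rule is a triage signal, not a confirmation; the toolbar's blocklist in the article relied on confirmed reports, and a brand name in a path can also appear on legitimate news or forum pages.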
In the January 2007 survey we received responses from 106,875,138 sites, an increase of 1.63 million from last month's survey. Leading the growth is Microsoft, which added more than 650K hostnames on its Windows Live Spaces blog service, while Go Daddy (+165K) and Google (+105K) also grew by more than 100,000 sites this month.
Windows improves its share of the market for web server software, gaining 0.1 percent while Apache slips by 0.5 percent this month. Windows added 620K hostnames, while Apache grew by 492K sites. Microsoft's gains were more pronounced in active sites (hostnames that contain content and are likely to represent developed web sites), where its share is 0.88 percent higher and is now approaching 35 percent, compared to 59 percent for Apache.
Chart: Total Sites Across All Domains, August 1995 - January 2007

| Developer | December 2006 | Percent | January 2007 | Percent | Change |
|---|---|---|---|---|---|