Yesterday should have been a day for headlines about progress in the battle against phishing scams. Instead, the news was dominated by a new threat that drove home the need for vigilance on the anti-phishing frontier.
Seeking swifter action against fast-moving phishing scams, some of the Internet's best-known service providers announced plans to share phishing attack data with one another and law enforcement agencies through Digital Phishnet. But even as this anti-phishing dream team was being unveiled, security researchers revealed a security hole that makes it easier for phishing operations to inject content into legitimate web sites.
Secunia documented a cross-browser security flaw that is likely to be rapidly adopted by phishing operations. The technique uses a specially-crafted link to a legitimate website, which then enables the scammer to place content into pop-up windows opened during the session - including data collection forms that spoof the design of the legitimate site.
Since working code was visible in the HTML source of Secunia's demonstration, it won't be long before phishing operations test the attack. Phishing scams have shown the ability to adopt new exploits within days of their publication, and have recently begun using templates, toolkits and automation to expand their repertoire of attacks and servers.
Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. The ability to work quickly is central to the success of phishing enterprises, which make their money in a short window of time that begins when their emails arrive in inboxes and ends when their server or domain name is shut down by providers.
Digital Phishnet is designed to accelerate the industry response to phishing, with founding members including Microsoft, America Online, Earthlink, VeriSign, Network Solutions, Lycos and Digital River, who will join forces with the FBI, Secret Service, Postal Inspection Service and Federal Trade Commission. The aim is to create "a single, unified line of communication between industry and law enforcement, so critical data to fight phishing can be compiled and provided to law enforcement in real time," according to a press release announcing the effort.
"The key to stopping phishers and bringing them to justice is to identify and target them quickly," said Dan Larkin, unit chief at the FBI's Internet Crime Complaint Center (IC3). "Phishers create and dismantle these phony sites very, very fast, stockpiling credit card numbers, passcodes and other personal financial information over the course of just a couple of days, in order to avoid detection."
Phishing has surged in recent weeks, according to the Anti-Phishing Working Group (APWG), which documented 6,597 new, unique phishing email messages in October, more than three times the 2,158 seen in August. The scams have become more sophisticated as well, including a cross-site scripting attack in which scammers manipulated a bank's own web page to try and collect sensitive customer data.
"The type of sophistication we've seen in recent phishing scams requires an equally strong and sophisticated response," said Dave Alampi, vice president of marketing for Digital River, a major provider of e-commerce services. "By collaborating with other industry leaders, particularly in the technology world, and incorporating a substantial law enforcement component, we believe we can more effectively raise awareness and reduce this threat for Internet users."
"Hackers who launch phishing attacks are formidable opponents and therefore demand a serious and concerted response from the industry," said Judy Lin, executive vice president for VeriSign. Nancy Anderson, vice president and deputy general counsel for Microsoft, called the new effort "an aggressive and offensive attack against these cybercriminals and one that will make their lives much more difficult."