As criminals operating online have begun to realise the potential commercial value of Internet-related crimes, so they have started to investigate other ways of using malware to line their pockets.
In the not-too-distant past, few people would have known what a phishing scam was. Yet the practice of targeting an online organisation and its customers in the hope of collecting account details that can then be abused has become familiar to many.
In September 2003, only 279 of the tens of millions of emails scanned by MessageLabs every day were phishing-related. By September 2004 this number had risen to over two million, and during the whole of 2004 over 18 million emails were intercepted. There is a simple explanation for the rise in phishing – it works.
During the short time phishing has been on the scene the perpetrators have developed and honed their techniques effectively. Recent phishing emails have reduced the need for human error by capturing online details automatically, for example. There is also evidence that phishers have tried to dupe unsuspecting users into becoming middlemen for money laundering operations.
What makes phishing different to many virus and spam operations is that it is in some way customised to the victim. Typically, there is no specific target for a virus outbreak or spam run – those behind it simply want to reach as many people and their machines as possible. Phishing emails may be spammed out to many random recipients, but the target is usually one company and its customers. The email will probably have been designed to look as though it could have come from that organisation, and the company will probably have been selected on account of its brand, and the fact that it has a high number of consumer customers, amongst other factors.
This move to a more tailored approach, signalled by the advent of phishing, is beginning to show itself in other online scams and operations. Last year, in the run-up to major sporting events such as the Cheltenham Gold Cup and the European Championships, online betting sites were threatened with denial of service attacks if they didn’t pay the blackmailers. These gaming companies were selected because of their reliance on ecommerce, and the threats were timed to coincide with periods of peak business. Obviously, in these instances, the primary threat is to revenue and profits, although other impacts include possible damage to the brand and the consumption of internal technical resources.