Phishing: You Ain't Seen Nothing Yet - InformationWeek



This year's rampage of phishing scams is "just the tip of the iceberg," according to a message security firm's analysis of 2004 and its predictions for 2005, both released Monday.

The boom in phishing attacks -- spam that masquerades as messages from legitimate companies and tries to dupe users into divulging confidential information, such as bank or credit card account numbers -- has been phenomenal. MessageLabs tracked a mere 279 phishing e-mails in September 2003, but a year later, monitored over two million in the same month. During November 2004, MessageLabs tallied a whopping 4.52 million phishing-related messages.

And if you think that's bad, wait until next year, said Natasha Staley, an information security analyst with U.K.-based MessageLabs. "Phishing is really only 12 to 18 months old. It's not even in its prime."

Phishers, who are believed to be primarily organized criminal gangs, many of them based in central and eastern Europe, including the republics of the former Soviet Union, are quickly refining their techniques to make their bogus messages even more enticing or effective, Staley added.

"In anything with returns like these, it pays to be even more successful," she said. "And that means that phishing will only continue, and grow in sophistication."

Among the evidence that phishers are stepping up their tactics and applying even more effective technologies, she said, are 2004 scams that didn't require user intervention. Users who only opened a malicious e-mail had their systems modified so that the next time they surfed to their bank's online site, the browser was redirected to a fake address where their login information was captured and invisibly sent to the attacker. The hacker could then empty the account at will.

According to MessageLabs' statistics, the number of phishing attacks really didn't take off until July 2004, when the number of scam-style messages jumped nearly ten-fold from the previous month.

Next year will also see a leap in the number of scams targeted at specific organizations and companies, Staley said. "Blackmail and extortion will be even more popular next year," she predicted. Already, MessageLabs has proof of blackmail-like schemes where criminals have threatened to send out child pornography under the name of a particular firm, or have promised -- and delivered -- denial-of-service attacks on online gambling sites if victims don't pay "protection" fees.

MessageLabs sees the changes as evidence of a shift from the shotgun approaches of traditional phishing to customized attacks created to leverage actual or perceived weaknesses of businesses.

"We'll see more of that in 2005," said Staley. "The reason? There's potentially even higher returns if they go after specific companies rather than mail millions of messages to consumers."

Virus-laden messages also increased in 2004, MessageLabs reported, to the point where the year's average was one infected message in every 16, a doubling of 2003's ratio of 1 in 33. In 2002, only 1 in every 212 messages contained malicious code.

Spam, on the other hand, looks like it may have peaked as a percentage of all messages. But not for the right reasons. "Frankly, there's not much farther spam could go," said Staley, who noted that in July, 94.5 percent of all mail that MessageLabs processed was tagged as spam. Spam accounted for "only" 73.8 percent of all mail in November, but that was still higher than the 63 percent at the year's beginning.

"Spam will stay at around 60 to 80 percent of mail in 2005," Staley predicted.

"But while the volume of straight spam will continue to outnumber phishing, it's the latter that has the most potential for racking up losses," said Staley.

"It's the most sinister threat out there."
