Phishers change bait as IM use grows

Scammers are increasingly using IM to launch phishing attacks, according to a report.

Munir Kotadia Special to CNET News

March 31, 2005 6:16 a.m. PT

2 min read

Phishers are ramping up their use of instant-messaging services instead of e-mail to trick people into revealing personal information, according to a new report.

The Anti-Phishing Working Group found that, for the third month in a row, the number of attacks that do not use e-mail has steadily grown. The nonprofit organization, which monitors phishing trends, published the findings for February in its report last week.

"Phishers are using alternative methods to 'phish' for end-user information," the authors wrote. "Previous phishing attacks were based around luring a user to perform an action through social engineering, primarily through spoofed e-mail and Web sites. The use of IM to spoof companies and phish for information is becoming more frequent."

Phishing scams attempt to lure victims into parting with confidential information. Scammers typically send an e-mail, purporting to be from a bank or e-commerce vendor, that links to Web sites that mimic those companies' sites, but are actually hosted by scammers.

Yahoo last week confirmed that users of its Messenger software were being targeted by this type of attack. According to the search giant, attackers are sending members a message containing a link to a fake Web site. The fake site, which looks like an official Yahoo site, asks the user to log in by entering their Yahoo ID and password. The scam was more realistic because the incoming message appeared to originate from someone on the victim's contact list.

In its report, the APWG also highlighted two other techniques that could allow an attacker to steal personal information without requiring the potential victim to respond to a phishing e-mail.

"Phishing without a lure is now becoming more prevalent among attack styles. The most common is malicious code which either modifies your host's file to point commonly accessed sites to the fraudulent site," the report said. "DNS cache poisoning is also an alternative means that can be used to resolve information to non-legitimate Web sites."

Some security companies have dubbed DNS cache poisoning "pharming" and have been warning customers against it.

The rate at which identity theft e-mails hit consumers is beginning to slow, the study also suggests. People reported 13,141 new phishing e-mails to the organization in February, an increase of just 2 percent, compared with January results. The number of phishing Web sites supporting these attacks only rose by 1.8 percent--from 2,578 to 2,625--over the same period, the APWG said.

The report found that the monthly growth rate of phishing attacks since July 2004 is 26 percent. However, since the group's results depend on the number of people that report phishing scams to its Web site, the increase in reported scams could simply be a result of growing awareness of the APWG and its actions. It's not clear why there was such a small rise in reported phishing scams between January and February 2005.

Munir Kotadia of ZDNet Australia reported from Sydney. Dan Ilett of ZDNet UK reported from London.