More brands targeted as phishing attacks soar

Big commercial names are used in phishing e-mails designed to trick recipients into giving up account information.

Tom Espiner Special to CNET News
2 min read
Phishing attacks reached a new high at the end of 2005 after growing steadily all year, according to a study published Wednesday.

The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report, published by the Anti-Phishing Working Group, an industry consortium that provides information on phishing trends.

Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites, and are used by criminals to try and trick Web users into revealing personal information and account details.

The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 percent to 93 percent in November.

Despite these statistics, businesses should not worry about the effect on general consumer confidence, according to Internet security company Websense.

"One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down," said Mark Murtagh, Websense technical director for Europe, the Middle East and Africa. "Although phishing is increasingly in the news, online banking is increasing in popularity."

Top brands continue to be hijacked, with phishers using established names to try to lure people to their sites, Websense said. Most phishing sites spoof global e-commerce and banking institutions.

"eBay is often spoofed, for obvious reasons," Murtagh said. "Google is increasingly being targeted because of its expansion into different business application models. The big banking names are used too--HSBC, Citigroup, Lloyds--all the major brands".

Phishers' use of global brands is understandable, said Murtagh. "There's no point in using local names if the attack is global."

Attacks are becoming increasingly sophisticated, with a quarter of all phishing Web sites hosting keylogging malicious software. Users can become infected just by visiting the sites, Murtagh warned.

"Before, people had to click on a site to download malicious code. If they went to a Web site and thought it looked 'phishy,' they could leave and probably not be harmed. Now with most phishing sites they just have to visit one to become infected.

"Twenty-five percent of those sites now host keylogging code, and if you visit one you will probably open yourself to identity theft or fraud."

Tom Espiner of ZDNet UK reported from London.