Phishing fight may be paying off

Though the number of phishing sites has hit a new high, swift action is making it tougher to launch attacks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
The number of phishing sites on the Web hit a record high in August, but coordinators in the fight against the prevalent Web scams say they have made some progress.

A total of 5,259 phishing sites were spotted in August, up substantially from 4,564 in July, according to the Anti-Phishing Working Group. At the same time, the number of spam e-mail campaigns to lure people to phishing sites decreased for the second month in a row, from 14,135 to 13,776, the APWG said.

The data indicates success in the fight against phishing, according to the APWG. Criminals have to set up more phishing servers for a smaller number of actual phishing campaigns, Peter Cassidy, secretary general of the group, said Friday. "It now takes more resources to mount an attack and to keep the attack under way," he said.

The attacks typically use spam e-mail messages that lure victims to malicious Web sites, where they are duped into disclosing log-ins and usernames for Web sites and other sensitive information such as Social Security numbers. The messages are typically spoofed to look like they come from a bank or other trusted company.

Phishing opponents have increasingly been able to take down such sites more quickly. The average time a phishing site stays online dropped to 5.5 days, down from 5.9 days in July, the APWG said. The swifter action is thanks to experience, Cassidy said. "It is much less of a fire drill and more of a routine," he said.

But criminals are not giving up the fight. Phishing scams are becoming more sophisticated. Sites are now being hosted on multiple servers, and redirect schemes let the scammers change sites at will, Cassidy said.

"It will be a back-and-forth of techniques," he said. "Over time, once conventional phishing has been brought under control, they will be pressed into using more sophisticated and automated attack techniques. It is sort of a matter of be careful what you wish for."

One example of a more advanced attack is the use of malicious software that is installed surreptitiously on computers. This software captures keystrokes or screenshots and sends them to the attacker. In August, 958 phishing Web sites were hosting malicious code, up from 948 in July and 526 in June, according to the APWG.

The United States still leads the world as the host to more phishing sites than any other country, according to the APWG. Financial services companies are the most common phishing target, with 84.5 percent of the scams targeting banks, credit unions or companies in that same industry.