Report: Phish Jump

As if you didn't already know that phishing is growing, the Anti-Phishing Working Group's latest numbers hammer it home even harder, showing a 50 percent increase in phishing sites from September to October.

The APWG's latest report shows 37,444 unique phishing sites were detected in October, versus 24,565 in September. The APWG attributed much of this jump to phishing campaigns using URLs with multiple subdomains in an attempt to evade spam filters and antiphishing filters in browsers, which use blacklists of known phishing sites.

"A lot of this is due to the tactics they are using to thwart some of the toolbars out there," says Dan Hubbard, research fellow with the APWG and vice president of security research for Websense, who adds that the majority of phishing attacks are originating from one large group, known as the Rockphish Group. "They come out with unique URLs -- a URL for every single person who clicks on, and that makes the numbers fairly large."

Hubbard says phishers are getting more sophisticated and organized, sharing data on where to host, and where to register their sites.

The jump in the number of phishing sites shocked some researchers. "Either the APWG has gotten phenomenally better at detecting phishing sites before they're taken down, or the phishing groups have gotten much more efficient at compromising Websites," says Tod Beardsley, lead counter-fraud engineer at TippingPoint.

PhishTank recently released its November phishing numbers with some 18,130 suspected phishing scams. And a new McAfee European cybercrime trends report says 17,000 incidents of phishing are reported each month, and 90 percent of people don't know a well-formed phish when they see one.

Another significant increase cited in the APWG report was in the number of brands attacked -- October saw 176 attacks, up 14 percent from the previous high of 154 in July. "This steady growth has been going on for awhile," says Hubbard. "Some of the techniques have gotten better, so it's easier to do this and go after massive amounts of brands," he says. "They often use the same servers to host multiple banks' [phishing sites]."

Hubbard says phishers are using automated processes to infect Web servers, some of which are infected multiple times, he says. "They find vulnerabilities in commonly known hosting facilities like blogs and personal pages, and write automated scripts to create accounts and to upload their malcode."

TippingPoint's Beardsley says the jump in phishing sites shows how blacklisting alone just doesn't cut it anymore. "Anti-phishing blacklists, which now ship by default with Internet Explorer 7 and Firefox 2.0, simply don't update fast enough to catch 'known' phishing sites in time to stem the victim stream," he says. "So while the browser folks should absolutely keep up on their blacklists, I don't think it's realistic for anyone to rely on them entirely as a protection mechanism, and these numbers prove that out."

Beardsley says users should always be on guard and aware of the potential for fake email, and Website operators should do a better job at locking down their Web apps so they don't become "hosting platforms for phishing groups."

— Kelly Jackson Higgins, Senior Editor, Dark Reading