Email Phishing Attacks Still on the Rise

A report released by Gartner this week found that in spite of industry efforts to combat phishing, the problem grew worse than ever this year.

Analysts surveyed more than 4,000 online adults to draw their conclusions, finding that the number of those who received phishing attack e-mails rose 118 percent in the last three years. The average consumer in this population reported receiving about 80 phishing e-mails in the 12 months ending in August 2007, Gartner said.

In addition, the financial losses incurred by these attacks are also growing. The percentage of those who received phishing e-mails and lost money as a result rose by a percentage point, from 2.3 percent in 2006 to 3.3 percent in 2007.

Gartner’s findings are corroborated by a report also released this week from the Anti-Phishing Working Group (APWG), a non-profit organization that tracks phishing activity on the Internet. APWG reported that its latest figures show the monthly number of phishing e-mails reported to it spiked by 73 percent year over year in 2007. In September 2006 the group received 22,136 reports of phishing e-mails. That number bumped up to 38,514 unique attack e-mails in September 2007.

“The problem is getting worse because the criminals are getting away with it, because the technology (to combat it) is not widely deployed,” said the Gartner report’s author, Avivah Litan. “The report is on the problems; we already have a lot of research on the solutions. But everyone is lax. Security is a cost center, it is not a revenue-generating activity and it is something people would rather put off.”

Though it wasn’t within the scope of the paper’s research, Litan reports that the number of targeted spear-phishing attacks against the enterprise also appears to have increased over the last year.

“I’ve heard from several of our corporate clients now that somehow the thieves get into e-mail lists or they concoct them from reading public information,” Litan said. “They’ll send an e-mail looking like they’re from another employee to a group of other employees referring to specific projects they’re working on, like ‘Hi john, regarding this project, go here to get the latest document.'”

When employees click the link in one of these seemingly trustworthy e-mails, they are unknowingly following a malicious link that downloads malware onto their machine.

A spate of such attacks has made the news recently. Two weeks ago eWEEK reported that Oak Ridge National Laboratory was hit by just such an attack. Oak Ridge employees were showered with 1,100 spear-phishing messages that came in seven different flavors, including fake notices for a scientific conference and a bogus notification of a complaint on behalf of the Federal Trade Commission. Approximately 11 staffers fell for the attack, which delivered a payload of keyloggers and other malware designed to gain access to U.S. Department of Energy systems.

Similarly, Salesforce.com customers have been the victims of these very targeted attacks after a Salesforce.com employee fell for a phishing attempt and gave hackers enough access to acquire a customer list.

America Online also suffered from a well-publicized spear-phishing attack this year. In April a New York teenager was charged with spear phishing 60 AOL employee and subcontractor accounts in retaliation for action taken by AOL in an unrelated matter to suspend his account.

Litan says that there are even more cases of spear-phishing that go unreported.

“Corporations don’t talk about it, but it is really happening,” Litan said. “I just talked to a client yesterday that this happened to and the malware in this case created this backdoor into their server after the user logged on and it was just dumping out intellectual property and taking files.”

Litan believes that enterprises need to improve security on three fronts to protect their employees against spear-phishing attacks and their customers from general phishing attacks.

“What I advise them to use is a three-pronged approach,” she said. “One is they really have to upgrade to stronger authentication. Passwords aren’t good enough. The second layer is fraud detection technologies. And the third leg is transaction verification, preferably out-of-band.”
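The third prong, out-of-band transaction verification, is the one that most directly blunts a phished password: even with valid credentials, an attacker cannot complete a transaction without a code that is delivered over a second channel and bound to the transaction's details. The following simulation is an added example written for this page, not code from Gartner, Litan or the article; the server key, the transaction fields, the second-channel delivery callback and the user names are all constructed assumptions. The code is an HMAC over the submitted details plus a per-transaction nonce, so a transaction altered on the web channel after the code was issued, a replayed code, or repeated guessing all fail.

```python
"""Simulated out-of-band transaction verification (constructed example)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the numeric code the user types from the phone
CODE_TTL_SECONDS = 120   # codes are short-lived
MAX_ATTEMPTS = 3         # lock the transaction after this many wrong codes


def _canonical(txn: dict) -> bytes:
    # Fixed field order so the same transaction always hashes identically.
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn)).encode()


class OutOfBandVerifier:
    """Issues a code bound to the transaction details and delivers it over a
    second channel (a callback standing in for SMS or a phone app, assumed).
    Confirmation must present the same details plus that code."""

    def __init__(self, server_key: bytes, deliver, now=time.time):
        self._key = server_key
        self._deliver = deliver   # second-channel delivery function (assumed)
        self._now = now
        self._pending = {}        # txn_id -> (user, txn, nonce, issued_at, attempts)

    def _code_for(self, user: str, txn: dict, nonce: bytes) -> str:
        mac = hmac.new(self._key, nonce + user.encode() + b"|" + _canonical(txn),
                       hashlib.sha256).digest()
        # Truncate the MAC to a numeric code a person can read off a phone.
        return str(int.from_bytes(mac[:4], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)

    def start(self, user: str, txn: dict) -> str:
        """Registers a pending transaction and sends its code out of band."""
        txn_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._pending[txn_id] = (user, dict(txn), nonce, self._now(), 0)
        # The message repeats the details, so a user whose web session was
        # tampered with sees what they are really being asked to approve.
        self._deliver(user, f"Confirm {txn['amount']} to {txn['payee']}: code "
                            f"{self._code_for(user, txn, nonce)}")
        return txn_id

    def confirm(self, txn_id: str, user: str, txn: dict, code: str) -> bool:
        """Returns True only for the original user, the original details and
        the delivered code; each code is single use and expires."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                      # unknown, already used, or locked
        p_user, p_txn, nonce, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[txn_id]
            return False                      # expired
        # Recompute from the *submitted* details: altered amount or payee
        # yields a different code, so the stored code cannot be reused for it.
        expected = self._code_for(user, txn, nonce)
        ok = hmac.compare_digest(expected, code)
        attempts += 1
        if ok or attempts >= MAX_ATTEMPTS:
            del self._pending[txn_id]         # single use; lock out after guesses
        else:
            self._pending[txn_id] = (p_user, p_txn, nonce, issued_at, attempts)
        return ok


def demo() -> dict:
    """Runs a tampered attempt, the legitimate flow and a replay; returns outcomes."""
    phone_inbox = []                          # constructed stand-in for the phone
    v = OutOfBandVerifier(b"constructed-server-key",
                          lambda user, msg: phone_inbox.append(msg))
    txn = {"amount": "250.00", "payee": "ACME Utilities"}
    txn_id = v.start("alice", txn)
    code = phone_inbox[-1].rsplit(" ", 1)[1]  # user reads the code off the phone
    tampered = dict(txn, payee="attacker account")  # details altered on the web channel
    return {
        "tampered": v.confirm(txn_id, "alice", tampered, code),
        "legit": v.confirm(txn_id, "alice", txn, code),
        "replay": v.confirm(txn_id, "alice", txn, code),
    }


if __name__ == "__main__":
    print(demo())  # {'tampered': False, 'legit': True, 'replay': False}
```

The design point is that the second channel carries the transaction details as well as the code, so the user can spot a substituted payee, and the code itself is cryptographically tied to those details rather than being a generic one-time password that a phishing page could simply relay.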