Phishing at record levels in March
27 Apr 2006


The monthly report for March by the Anti-Phishing Working Group shows that phishing activity remains at very high levels. The number of attacks has for the first time in history passed the 18,000 mark and reached an all-time high of 18,480 registered unique phishing reports.
Overall the number of attacks so far this year has not gone below 17,000, which in itself is higher than the number of attacks in any given month in 2005.

The number of unique phishing websites found by APWG has also risen to 9,666, but did not reach the record level of 9,715 phishing clone sites set in January. An interesting fact here is that the number of unique phishing sites has grown nearly two-fold from an average of 4,000 in 2005, while the number of attacks has not risen as dramatically, going to about 17,000 from 14,000. This might indicate that phishing sites are being closed down faster and phishers do not get the opportunity to use their clone sites for long, so they need more and more sites to keep the number of attacks at the same level.

Another interesting aspect of the March report is that the number of brands used by phishers as their cover has decreased significantly, going from 105 in February to just 70. The financial sector remains by far the most targeted industry group, with 90% of the share. The USA also remains the largest single host of phishing sites, with 35% of sites based there. China consolidates its second spot ahead of South Korea, but its share drops significantly from 18% in February to "just" 12%, while France drops out of the top 10 altogether.

Phishers also readily pounced on the browser vulnerabilities that were reported in March. They exploited the widely publicised "zero-day" vulnerability in Microsoft Internet Explorer by luring users to infected sites that contained all sorts of malware ready for surreptitious downloading. One of the more creative attacks involved sending victims a link to a BBC look-alike page that contained an exploit for the then-unpatched createTextRange vulnerability in Internet Explorer.

Another new type of phishing attack was recently reported by security firm Cloudmark, which claims that VoIP technology is now used by phishers. In this new type of attack, scammers send an email that contains a telephone number accessible via a VoIP service. The victim is then connected to a line that sounds like their telephone banking service and is prompted to verify personal details. So far Cloudmark has discovered two attacks that use this scheme.