October 2007   
 
 

TECHNICAL INSIGHTS: PHISHING KITS


Phishing Kits: Cyber Criminals Cast a Wider Net With New Tools

By Francois Paget,
Threat Researcher at McAfee Avert® Labs

In the thick of National Cyber Security Awareness Month (See our Business Insight for a complete rundown), it seems fitting to raise awareness about the evolution of phishing attacks. Just about everyone who uses the Internet—from home users to global enterprises—is familiar with phishing and could be a potential victim, now more than ever. If you haven’t been terribly concerned about it, you will be once you’ve learned about the latest trends in this insidious technique aimed at obtaining confidential information from users by posing as a trusted authority.

Based on statistics from the Anti-Phishing Working Group (APWG), the number of reported phishing cases set a new record in April 2007. The number of unique phishing websites detected by the APWG was 55,643 in April 2007 [Source: APWG Phishing Trends Activity Report for June 2007, http://www.antiphishing.org]. It rose 166 percent from the previous month and 48 percent from the previous high for phishing URLs in October 2006.

And it doesn’t appear that there will be a slowdown.

According to researchers at McAfee Avert® Labs, it’s likely that we’ll continue to see strong activity for the next six to 18 months. The implications for businesses and consumers are sure to make anyone sit up and take notice. According to Gartner, phishing cost U.S. businesses approximately $2.8 billion last year. The average hit per victim—the consumer—was $1,244 per person. (Source: www.pcworld.com) And to make it worse, it’s less and less likely that you’ll have a complete financial recovery from a phishing exploit. From 2005 to 2006, the recovery rate had gone from 80 percent of the loss to just 64 percent. In 2006, after recovered funds were factored in, victims were out an average of $572. (Source: www.informationweek.com)

Why the resurgence? Cyber criminals view phishing as a highly profitable pursuit, so they’re continually seeking out ways to optimize their attacks to yield better returns. Like other developers, they’re always looking for shortcuts, and a phishing kit is just that—a collection of tools that simplify the process of launching exploits. For just a few hundred dollars, a fraudster can set up shop. Typically, phishing kits include website-development software, graphics, code, and content used to create sites that look like the real thing. Some kits also include lists of email addresses and spamming software to automate mass mailing. All a cyber criminal needs these days is a single computer and a phishing kit to quickly develop and deploy numerous malicious sites.

The Universal Man-in-the-Middle Phishing Kit, sold on hacker forums, is one example. With the help of this kit, crooks can easily create a fraudulent URL that communicates with the legitimate website of the targeted organization. Virtually any organization that does real-time business transactions with its customers is a likely target—ecommerce companies, banks, and other financial institutions. At the top of the list of most spoofed brands, according to a recent report [Source: http://www.phishtank.com/images/PhishTank_Annual_Report_10-9-07.pdf], are such notable institutions as PayPal, eBay, Barclays Bank, Bank of America, Wells Fargo, and JPMorgan Chase and Co. Victims receive a typical phishing email, which may ask them to click on a link to update their personal profiles with social security numbers, credit card numbers, and other confidential information. If they click on the link, they’re directed to the fraudulent URL, which imports content from a genuine site. To victims, the website looks exactly like their friendly bank or favorite online shoe store, so they’re lured into filling out forms or making purchases. Meanwhile, the con artist behind the scenes invisibly captures victims’ personal information.

Phishing kits facilitate the development of multiple counterfeit sites using a single domain. In one week (June 11-18, 2007), various research teams, including PhishTank (www.phishtank.com), claimed to have identified more than 110,000 phishing sites, and 99.8 percent of them had apparently been created with deployment kits. The 110,000 phishing sites used just 111 web domains, which translates to an average of 1,000 sites hosted per malicious web domain. Nearly a third of these domains are apparently located in Hong Kong (.hk). Other countries identified include Taiwan (.tw), China (.cn), British Indian Ocean Territory (.io), and France (voila.fr).

The Rock Phish toolkit takes it a step further. Many researchers believe it is responsible for half of the phishing exploits on any given day. With the aid of Rock Phish, cyber criminals can create a unique URL for a specific phishing campaign and then quickly take the URL down when the campaign is over. This technique allows fraudsters to go about their business unimpeded, circumventing the blacklist-based anti-phishing modules integrated within browsers such as Internet Explorer 7.0 and Firefox 2. It also makes it incredibly challenging for researchers to identify, track, and report phishing sites because they drop off the radar so quickly.
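The two paragraphs above describe many kit-generated sites sitting under a handful of domains, and short-lived unique URLs that outrun URL blacklists. The Python below is an added example, not part of the original article: it groups reported URLs by registered domain so that a new, never-reported URL under a heavily reported domain is still caught. The sample URLs, the threshold, and the small suffix set are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; use the real list in production.
MULTI_LABEL_SUFFIXES = {"com.hk", "com.tw", "com.cn", "co.uk"}

def registered_domain(url):
    """Return the registrable domain of a URL (public suffix plus one label)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():   # bare name or IPv4 literal
        return host
    width = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-width:])

def sites_per_domain(urls):
    """Count distinct reported URLs under each registered domain."""
    return Counter(registered_domain(u) for u in set(urls))

def build_blocklists(urls, min_sites=3):
    """Return (url_list, domain_list); a domain is listed once it hosts min_sites reports."""
    counts = sites_per_domain(urls)
    return set(urls), {d for d, n in counts.items() if n >= min_sites}

def is_blocked(url, url_list, domain_list):
    """Exact URL match first, then fall back to the registered domain."""
    return url in url_list or registered_domain(url) in domain_list

# Constructed sample reports, using the reserved .example TLD.
REPORTS = [
    "http://bank-login.a1.kit-host.example/verify",
    "http://shop-update.b2.kit-host.example/verify",
    "http://pay-secure.c3.kit-host.example/verify",
    "http://one-off.example/login.php",
]

if __name__ == "__main__":
    url_list, domain_list = build_blocklists(REPORTS)
    fresh = "http://new-campaign.z9.kit-host.example/verify"  # never reported
    print("per-domain counts:", dict(sites_per_domain(REPORTS)))
    print("URL list alone catches it:", fresh in url_list)
    print("with domain list:", is_blocked(fresh, url_list, domain_list))
```

Domain-level blocking overblocks when the registered domain is a shared hosting provider, so the threshold and any allowlist need review before such a list is enforced.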

Statistics show a surge in new phishing sites in April of 2007.

In the face of these new developments, what’s the best defense? If you’re a consumer, remember that banks and other reputable institutions never, ever ask for personal information via email. So, think twice before you click on that seemingly innocuous link. If you’re a business that processes online transactions, implement proper protections to keep your customers’ data safe and do regular audits to make sure you’re in compliance with regulatory policies. And no matter who you are, stay abreast of new trends: read the McAfee Avert Labs blog, report phishing incidents you might run across to organizations like APWG, and make sure you have proper email and web filters installed on desktops and at the network level.

Cyber criminals seem to have an enormous capacity for technological innovation and clever strategies. It behooves us all to stay alert and question everything. When it comes to phishing, suspicion may be your best ally.

 


 
