Phishing Attacks Rise, Evolve

Say the word phishing, and there are people who would probably begin to think back to a quiet day on a boat. But the kind of phishing that begins with a “ph” is far from relaxing, and it is on the rise.

According to a new report from Kaspersky Lab entitled ‘The Evolution of Phishing Attacks: 2011-2013’, an estimated 37.3 million Internet users were hit by phishers between 2012 and 2013. That represents an 87 percent increase from between 2011 and 2012, with most of the users being targeted residing in Russia, the U.K., India, Vietnam and the U.S.

The top two ways that phishing attacks are spread are through the Internet (87.91 percent) and email (12.09 percent).

“It’s easiest to encounter a link on a phishing site while using the Internet: banners to legitimate websites, messages on forums and blogs, and private messages on social networks can all turn out to be a ruse,” according to the report. “Although phishing links are encountered much less frequently in email than on the Internet, over the course of one year, phishing schemes in email still rose 1.86 percentage points from 10.23 percent in 2011 – 2012 up to 12.09 percent in 2012 – 2013.”

Phishing attacks were most often launched from the U.S., the U.K., Russia, Germany and India. The top targets of malicious users are Yahoo!, Google, Facebook and Amazon. Other common targets include financial organizations, with more than 20 percent of all attacks targeting banks and other businesses in the industry.

Overall, the research found that more than 50 percent (921) of the 1,739 names of companies and services in the Kaspersky Security Network (KSN) database that have been used by phishers are fake copies of websites of banks and other credit and financial organizations. The number of names increased 250 compared to two years ago.

“The more popular a website is, the more frequently malicious users copy it and, as a result, there is a higher probability that a user will run into a fake version as he surfs the web,” according to the report.

“The number of attacks against one or another online resource may correspond directly to its popularity,” the report states. “For example, the percentage of attacks involving phony Yahoo! sites in the total phishing volumes has fallen alongside the company’s decreased share of the web search market and other online services, while Amazon’s percentage has grown markedly, in line with the company’s success on the e-commerce market and the successful launch of its tablets.”

While phishing attacks on consumers using those types of services online have risen, phishing has also become a popular tactic for attackers launching sophisticated attacks against businesses, noted Dmitry Bestuzhev, head of the global research and analysis team for Kaspersky Lab’s arm in Latin America.

“Nowadays many APTs run on spear-phishing attacks as the first stage of the attack itself,” he said. “Why is this so? The answer is easy: many email addresses are just public, also it’s the shortest way to get to the final victim trespassing many filters which may exist in the company like it would be in case of a USB infection where not all USB devices might be admitted to be used by physical restriction and also control device management on the network level.”

“Another reason why spear-phishing attacks are many times the first step is even very experienced IT sec people may become a victim when the message is very well dressed with fake info close to being real or even using a part of the messages as real information,” he added.

While there has been some debate as to whether or not security training programs are beneficial for employees, the focus should not be solely on education or solely on technology, he said.

“The education of the end-users is a very important task despite being a very hard task and many times almost impossible,” he said. “I say this is important because basically this is the last defensive line a company has. If all IT filters were trespassed it does not mean yet the company got automatically compromised but the last chance goes up to the victim and if the victim is skilled enough, he may break the circle and at least report the suspicious message to IT Sec people.”

“At the same time there is a very big need for inventing new technologies working not with a classic phishing or spam, but spear-phishing attack,” he added. “The approach must be different of course.”

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.