The Phishing Epidemic
By N. Raghavan
Bangalore, Oct 22, 2007
You can afford to dismiss Internet spam as a nuisance. But phishing and identity theft are, obviously, something else. Simply put, phishing is an ingenious method to gain access to your private - and valuable - personal information. Without your knowledge and permission, of course.
Phishing uses email and web site formats that look similar to those of legitimate businesses. The idea is to lure people to these seemingly genuine sites and persuade them to part with personal information such as credit card numbers. Typically, these web sites use fake sign-in pages for popular online services, particularly online auction sites, online payment processors, or online banking. According to McAfee Avert Labs, the number of phishing web sites has been increasing exponentially, and there's no slowdown in sight.
Almost 70% of spam and nearly all phishing scams are delivered through bots or botnets. Bots are computer programs. Once installed (without the knowledge of the user) they give cybercrooks total control over PCs. A network of compromised computers represents processing power and bandwidth that can be exploited by scammers to send emails in large volumes. Millions of computers on the Internet are part of bot networks, and the largest bot networks are believed to have over 1.5 million machines.
Recently, a more targeted form of phishing - spear phishing - has emerged. Unlike conventional phishing, spear phishers target just one organization at a time. A new tribe of phishers, called Vishers, has also arrived on the scene. Vishers use VoIP technology to target Internet users by hijacking identities and stealing money.
Phishing apart, keyloggers and social engineering are the other methods commonly employed by cyber criminals to great effect. Keyloggers are software or hardware tools used to capture the user's keystrokes from the keyboard. Compared with software keyloggers, hardware keyloggers are more difficult to detect, as they don't install any code onto the machine and can't be detected by traditional anti-virus or anti-spyware tools.
Ironically, keyloggers are easily available in the market, as they have some genuine applications as well. But that also means fraudsters have no trouble accessing and using them to spy - and steal. In 2006, keylogging was reportedly the fastest-growing type of malware, and the trend is expected to carry on through 2007.
While keyloggers are mainly used to steal user account information from online gamers, they're finding a new application - industrial and political espionage. What's more, there's a geographical angle, so to speak, to malware. According to researchers at Sophos, 30% of all malware spotted in 2006 originated in China. In fact, China ranks next only to the U.S. when it comes to hosting malware on the web.
Enterprises in India aren't immune from phishing attacks. In recent times, a major bank and a leading private sector airline have been targeted, among others. Not surprisingly, CIOs are concerned. According to a recent survey by security firm Websense, 65% of Indian CIOs are very concerned about security threats emanating from the web. Of these, the most concerned about 'web security' (79%) were CIOs of large enterprises. The CIOs from Mumbai (72%) and Bangalore (71%) seemed more concerned about web threats as compared to IT decision makers from Chennai (51%) and Hyderabad (45%). The survey also revealed that 57% of the Indian enterprises have received phishing lures during the past year and over a third of Indian companies (38%) were attacked by spyware.
In sum, despite efforts at control, phishing is getting more sophisticated - and the phishing phenomenon has accelerated and widened its net. Things have come to such a pass that you can even find phishing and hacking kits being marketed in underground Internet forums!