washingtonpost.com  > Technology > Tech Policy > Security

Quick Quotes

Phishers Drop Hooks Into Smaller Streams

Online Scam Artists Now Targeting Regional-Bank Customers

By Brian Krebs
washingtonpost.com Staff Writer
Monday, January 24, 2005; 9:48 AM

As the nation's largest financial institutions deploy increasingly sophisticated measures to prevent Internet scams, online fraudsters are targeting smaller, regional U.S. banks whose customers may be less attuned to the threat.

Experts say the shift is the latest trend in a technological arms race between Internet con artists dubbed "phishers" and the e-commerce and banking companies they target. Phishers use fake Web sites and e-mail messages in an attempt to trick customers into disclosing valuable personal financial information.

_____Recent Phishing Articles_____
Technology Fueling Wave of Phishing Scams (washingtonpost.com, Jan 18, 2005)
It's Been a Day-to-Day Battle With Intruders (The Washington Post, Dec 26, 2004)
Companies Forced to Fight Phishing (washingtonpost.com, Nov 19, 2004)
How to Fend off Phishing (washingtonpost.com, Nov 18, 2004)
Phishing Feeds Internet Black Markets (washingtonpost.com, Nov 18, 2004)
_____Cyber-Security_____
George Mason Officials Investigate Hacking Incident (The Washington Post, Jan 13, 2005)
Microsoft Releases 3 New Windows Security Patches (The Washington Post, Jan 12, 2005)
Another Computer Security Official Quits (The Washington Post, Jan 12, 2005)
More Security News

"We have found that financial institutions and other targets are starting to purchase and deploy solutions to help battle phishing," said David Jevans, chairman of the Anti-Phishing Working Group (APWG), a coalition of banks and technology companies. "As they do this, phishers are starting to move on to softer targets."

The majority of attacks still involve a handful of global financial institutions with hundreds of billions of dollars in assets. These banks are attractive targets because they often boast large numbers of customers who opt for online banking services.

The new targets, by comparison, often operate in only a handful of U.S. states and serve fewer customers. In October, phishers first targeted customers of Madison, Wisc.-based First Federal Capital Bank, which has 90 branches in three states and about $3.3 billion in assets.

In November, scams struck Wayzata, Minn.-based TCF Bank and Columbus, Ohio-based Huntington Bancshares Inc., each a regional institution covering six states. That same month, attackers hit People's Bank, which has branches only in Connecticut.

The new attacks varied in complexity, but all shared a common technique. Bank customers received an e-mail message urging them to update or verify their account data. A link in the message took them to a genuine-looking bank Web site -- actually a fake created by the attacker -- where any information entered would fall into the hands of the e-mail sender.

The shift toward targeting smaller banks coincides with a surge in the number of phishing attacks recorded in 2004. The Anti-Phishing Working Group found 9,019 new and unique phishing e-mail messages in December, nearly four times the number reported in August. The group tracked 1,707 phishing Web sites in December, a 24 percent increase from November.

Even a scam that nets just one or two active credit card accounts out of a million solicitations can be a profitable haul, said security expert Ken Dunham of Reston, Va.-based Internet security firm iDefense.

"Your average credit card has a limit of about $5,000," Dunham said. "The startup costs for these kinds of attacks is next to nothing, so in many cases the phisher only needs to snag a few accounts before it becomes worth the effort."


CONTINUED    1 2 3    Next >

© 2005 TechNews.com