Phishers Drop Hooks Into Smaller Streams

By Brian Krebs, Staff Writer
Monday, January 24, 2005; 9:48 AM

As the nation's largest financial institutions deploy increasingly sophisticated measures to prevent Internet scams, online fraudsters are targeting smaller, regional U.S. banks whose customers may be less attuned to the threat.

Experts say the shift is the latest trend in a technological arms race between Internet con artists dubbed "phishers" and the e-commerce and banking companies they target. Phishers use fake Web sites and e-mail messages in an attempt to trick customers into disclosing valuable personal financial information.

"We have found that financial institutions and other targets are starting to purchase and deploy solutions to help battle phishing," said David Jevans, chairman of the Anti-Phishing Working Group (APWG), a coalition of banks and technology companies. "As they do this, phishers are starting to move on to softer targets."

The majority of attacks still involve a handful of global financial institutions with hundreds of billions of dollars in assets. These banks are attractive targets because they often boast large numbers of customers who opt for online banking services.

The new targets, by comparison, often operate in only a handful of U.S. states and serve fewer customers. In October, phishers first targeted customers of Madison, Wisc.-based First Federal Capital Bank, which has 90 branches in three states and about $3.3 billion in assets.

In November, scams struck Wayzata, Minn.-based TCF Bank and Columbus, Ohio-based Huntington Bancshares Inc., each a regional institution covering six states. That same month, attackers hit People's Bank, which has branches only in Connecticut.

The new attacks varied in complexity, but all shared a common technique. Bank customers received an e-mail message urging them to update or verify their account data. A link in the message took them to a genuine-looking bank Web site -- actually a fake created by the attacker -- where any information entered would fall into the hands of the e-mail sender.

The shift toward targeting smaller banks coincides with a surge in the number of phishing attacks recorded in 2004. The Anti-Phishing Working Group found 9,019 new and unique phishing e-mail messages in December, nearly four times the number reported in August. The group tracked 1,707 phishing Web sites in December, a 24 percent increase from November.

Even a scam that nets just one or two active credit card accounts out of a million solicitations can be a profitable haul, said security expert Ken Dunham of Reston, Va.-based Internet security firm iDefense.

"Your average credit card has a limit of about $5,000," Dunham said. "The startup costs for these kinds of attacks is next to nothing, so in many cases the phisher only needs to snag a few accounts before it becomes worth the effort."

In addition, customers of smaller banks may not be as experienced in dealing with such scams, said Rod Rasmussen, director of operations for Tacoma, Wash.-based Internet Identity, which helps banks and other online-fraud targets combat phishing Web sites.

Phishers hope they can "hit the mother lode with a small bank that's communicating with their customers in a way that makes them more susceptible ... than maybe they should be," Rasmussen said.

© 2005 The Washington Post Company