Thursday, May 28, 2009

80% of Phishing Attacks Use Hijacked Websites

I've blogged about this subject plenty of times over the last year, and my concern is specifically targeted towards the inherent weaknesses in the username/password systems used with online banking. If a consumer is tricked/phished into providing their username/password, then the phisher is successful.

The average phishing attack results in a loss of $350 to a bank.

According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers) "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner. (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)

Guess what? The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but it would also eliminate the threat of "cloned cards" and "cloned bank sites," AND provide "True 2FA" for online banking customers.

HomeATM provides a very simple cure to this maliciousness. Use a PCI 2.0 certified SwipePIN device and require online banking users to swipe their bank-issued card and enter their bank-issued PIN. The data is encrypted and is NEVER in the clear. So, in the event a consumer is tricked into swiping and entering their PIN, as opposed to typing in their log-in credentials, the phisher has nothing.

And nothing is something banks should want phishers to have.

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites - DarkReading

New research from the Anti-Phishing Working Group shows how phishers are better covering their tracks -- and what to do when phishers compromise your Website

May 27, 2009 | 04:23 PM
By Kelly Jackson Higgins
DarkReading

It used to be that researchers could sometimes track a phishing exploit by the notorious cybercrime ring behind it, like the Rock Phish gang, but no more: New research from the Anti-Phishing Working Group (APWG) has found that most phishers are setting up shop on legitimate Websites to be inconspicuous when they steal valuable information from victims.

In the second half of 2008, roughly 57,000 phishing attacks worldwide targeted a specific brand or organization, up from around 47,300 in the first half of 2008, according to a newly released report (PDF) from the APWG. The attacks were waged on 30,454 different domain names, only 5,591 of which were domains the phishers set up themselves. The rest were from legitimate Websites they had hijacked to carry out their exploits.

The average amount of time a phishing site was up: 52 hours, according to the report.
