Online security threats reaching more small retailers, expert says

As larger retailers stiffen their defenses against e-mail phishing attacks that spoof brands and steal customer information, more smaller retailers are being targeted, says Dave Jevans, chairman of the Anti-Phishing Working Group. “We’re seeing smaller companies being spoofed,” he tells InternetRetailer.com.

Jevans notes that early results from July show an increase in the number of small retailers that have become caught up in phishing attacks, where criminals use a company’s brand name or IP address in attempts to fool e-mail recipients into revealing personal information like credit card account numbers and passwords. Phishing e-mails contain messages that try to convince consumers to click to a spoofed web site that appears like a legitimate retailer or financial institution; once on the spoofed site, consumers are asked to update their personal information.

Although APWG didn’t have a final number of retailers that have been subjected to such attacks, the growth is part of the overall rise in efforts to attack computers with malicious software designed to steal information, Jevans says.

IRCE 2008 Conference Multi-Media CD-ROM

There were 174 new and unique pieces of malicious software distributed through the Internet in July, up from 154 in June, 79 in May and less than 20 in January, Jevans says. The malicious software, often delivered as spyware with various means of stealing information, is an outgrowth of software viruses designed more simply to disrupt computer operations. “The guys who used to write viruses have realized they can write malicious software code as spyware and get paid for it,” Jevans says.

One common intent of spyware is to turn attacked computers into “botnets” or “zombies,” which can be then be used to send out e-mail spam as phishing attacks, Jevans says. The effect can bring exponential increases in the number of recipients of phishing attacks. Each distributed malicious code could infect thousands of computers, each of which could then begin sending phishing attacks.

There are new tools available to prevent consumers from going to spoofed sites, but even these tools can cause problems for retailers, Jevans says. Consumers are beginning to use web browsers with built-in blacklisting tools for identifying phishing sites. When a consumer enters a web address into the browsers URL window, a pop-up will alert her that that address has been blacklisted as a potential phishing site.

But some legitimate sites hacked by malicious code can be mistakenly identified by these tools as phishing sites, Jevans says. “In the last six weeks, as browser blacklists have been used by more people, we’re starting to see complaints that legitimate sites are being blocked,” Jevans says.