The number of phishing sites heads south

But online payment services are second only to banks as the most frequent targets of phishing attacks.

Paul Demery

The number of phishing sites that attempt to steal consumers’ payment account data declined steadily for six months last year, according to the latest report from the Anti-Phishing Working Group, a not-for-profit organization that provides information on Internet fraud. The number of e-mail phishing attacks also declined, and security experts suggest some criminals may have moved on to other forms of committing online fraud.

Phishing attacks are efforts by criminals to make an e-mail or web site look like that of a legitimate brand, typically to convince unwitting consumers to click through to a phishing site and update their payment account information. Criminals then usually either sell that information to other criminals or use it to conduct fraudulent purchases. The APWG monitors worldwide web site activity to track phishing attacks.

In the APWG’s most recent report, which is for the third quarter of 2012, it notes that the worldwide number of phishing sites declined 25.8% from 63,253 in April 2012 to 46,895 in September. The number of phishing attacks (or phishing e-mail campaigns) reported to the APWG rose from 25,850 in April to 33,464 in May, then declined to a six-month low of 21,684 in September. The all-time high in the number of reported attacks was 40,621 in August 2009.

While the number of phishing sites and attacks is down, the number of attacked brands continues to fluctuate, the APWG says. Although the number of attacked brands across all industries declined from 426 in July 2012 to 395 in September 2012, the September figure was still higher than the 329 brands targeted in the same month in 2011.

The APWG also reports that, as in past years, banks continue to be targeted the most in phishing attacks, accounting for 34.4% of attacks in the third quarter. Coming in second in that period were online payment services, at 32.1% of attacks, followed by retailers, at 7.8%.

Among countries that host the most phishing sites, the top three as of September 2012 were the United States (73.04%), the United Kingdom (3.69%) and Kazakhstan (2.09%), the APWG says.

The low cost of running phishing attacks makes it unlikely they will ever disappear, says Ihab Shraim, chief information security officer and vice president of anti-fraud engineering and operations at MarkMonitor, an APWG member firm that provides technology and services to protect the online reputations of brands and deter attacks.

Moreover, declines in phishing activity don’t necessarily mean an overall drop in attempts to steal consumer data, the APWG says.

"Some professional phishers have moved from perpetrating mass phishing campaigns to exploit-style malware attacks," says Rod Rasmussen, president and chief technology officer of Internet Identity, a provider of web security technology and services and a member firm of APWG. Such malware attacks may lure consumers through e-mail or other means to click on an attached file or link to a web site that automatically downloads malicious software, or malware, to their computers to steal information, such as their payment card account information.

As of September 2012, about 30% of the world’s personal computers were infected with some type of malware, the APWG says. The countries with the highest infection rates were China (53.1%), South Korea (52.7%) and Turkey (42.51%). By comparison, Ireland had the lowest rate noted by the APWG, at 18.40%. The report didn’t note a rate for the United States, and an APWG spokesman didn’t immediately return a request for more information.
