
'Phishing' dries up - are scammers changing their game?

All times are UTC - 5 hours [ DST ]

 [ 5 posts ] 
Posted: Thu Aug 27, 2009 1:14 pm
Spam Observer

Joined: Thu Aug 14, 2008 3:48 pm
Posts: 79

Internet criminals might be rethinking a favourite scam for stealing people's personal information.

A report due from IBM shows a big drop in the volume of "phishing" emails, in which fraud artists send what looks like a legitimate message from a bank or some other company.

If the recipients click on a link in a phishing email, they land on a rogue website that captures their passwords, account numbers or any other information they might enter.

IBM's midyear security report found that phishing accounted for just 0.1 per cent of all spam in the first six months of this year. In the same period in 2008, phishing made up 0.2 per cent to 0.8 per cent of all spam.

It's not clear what, if anything, the decline means. (It also doesn't appear to be a statistical illusion caused by an increase in other kinds of spam. IBM said overall spam volume hasn't expanded, like it did in years past.)

"That is a huge, precipitous decline in the amount of phishing," said Kris Lamb, director of the X-Force research team in IBM's Internet Security Systems division, which did the report. But "I wouldn't tell anybody that phishing has died as a threat."

Lamb believes phishing might have fallen off because computer users are getting smarter about identifying phony websites. Security software is also getting better at filtering out phishing sites before Web surfers ever see them.

It could also be that criminals are moving on from phishing to another kind of attack, involving malicious software. IBM said it is seeing more instances of "Trojan horse" programs, which are used to spy on victims.

Dean Turner, director of Symantec's global intelligence network, who was not involved in IBM's research, said Symantec has also noticed less phishing, but warned that it could increase again later in the year.

Phishing scams spike around the holidays, he said.

IBM found that criminals are changing the types of businesses they attack with phishing. Sixty-six per cent of phishing targets were banks, down from 90 per cent last year. Meanwhile, companies that handle online payments, like PayPal, are being mimicked in phishing messages more frequently.

To protect yourself against phishing, access sensitive sites on your own, rather than by following links in emails, which might lead to phishing sites.

Then there's this comment on the Full Disclosure mailing list:

Greets from the deep dark recesses of the internet. Now, back to
this incredibly difficult and intractable problem of phishing.

X-Force have apparently put out some kind of press release announcing
a large drop in phishing volumes.

If I may just repeat what I said a year ago...

> In reality, RED will terminate the game voluntarily when phish revenue per
> hour falls below revenues per hour available from other sources.

Of course, I can't claim that wide-scale filtering, which is what I
was advocating last year, did the trick, as there was none. Instead,
I'll claim that RED discovered for themselves that Average Revenue
Per Mail was too low to be attractive, relative to other sources.

Continuing in this line of reasoning, what will happen next, is that
RED will concentrate resources on more profitable revenue streams,
and consequently, de-skill and de-tool on the less profitable streams
such as phishing. Later, if they try to go back to phishing, they
will find they need new techniques and also, a new version of their
generator software, neither of which will be easy to come by.

So I'm going to call it and say this ship is leaving, and it's not
comin' back. There was only ever going to be a small window of
opportunity for RED to attack, before BLUE and GREEN wised up, and it
seems that window is now closing.

I would add that the Browser detection + better bank indicators + some banks FINALLY getting EV certifications has helped. But I think phishing will always stick around in some form - it's too successful and the login information is too valuable to stop pursuing it.

Posted: Thu Aug 27, 2009 2:02 pm
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
This is a good find, moike. Seeing the trends cybercriminals use over a long period of time is interesting.

Posted: Thu Aug 27, 2009 4:38 pm
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
I'm still seeing plenty of phishing emails, though maybe not so much of the fast flux rockphish stuff. Two thoughts:
-- A large percentage of what I do get lists the phish domain way down in the email body. The spam gets truncated by Mailwasher before it is sent to Spamcop if I don't manually download the rest of the email. Other phish spams repeat the URL of the real company so many times in the email that Spamcop stops parsing because of "too many URLs." That may be affecting other types of monitoring systems as well, causing an undercount of phish.
-- Phishers could be blocking certain IP addresses, including law enforcement, computer security companies, and even known Tor exit nodes the way pharma spammers do. You would think the smart people at IBM would be able to tell the difference between their IP being blocked and a site being shut down. You'd think they even would have the ability to visit sites using proxies. But I would have thought that about a lot of registrars, ISPs and friggin' university computer science departments, too. I've often found out otherwise when I've called places up to tell them their servers are hijacked.
-- There could be better detection of spamtraps going on. It's often impossible to view an actual phishing website without a long code number in the URL that surely identifies the email address the spam was sent to. If someone sees people visiting his phishing site without entering information, especially if they have javascripts turned off, even a spammer could conclude there's a good likelihood that visitor is going to cause him trouble. I'm sure some enterprising spammer has collected a list of spamtrap and spam reporter email addresses he sells to other spammers who want to keep their domains alive longer.
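
The undercount described in the post above (a parser that truncates the body or gives up after "too many URLs" never reaches the one odd link near the bottom), shown as an added example that is not part of the original thread. The function names, the cap of 5 links and the sample message are assumptions made for illustration, not SpamCop's or Mailwasher's actual limits; the hostnames are constructed on reserved test domains.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None

def capped_hosts(body, max_urls=5, max_chars=None):
    """Model of a monitor that truncates the body and stops after max_urls links."""
    text = body if max_chars is None else body[:max_chars]
    urls = URL_RE.findall(text)[:max_urls]
    return {h for h in map(host_of, urls) if h}

def host_counts(body):
    """Scan the whole body and count links per host (first-seen order kept)."""
    counts = Counter()
    for url in URL_RE.findall(body):
        host = host_of(url)
        if host:
            counts[host] += 1
    return counts

def minority_hosts(body):
    """Hosts linked less often than the most-repeated one: the ones worth reporting."""
    counts = host_counts(body)
    if not counts:
        return []
    top = max(counts.values())
    return [h for h, n in counts.items() if n < top]

# Constructed sample: the real company's URL repeated, one different host at the bottom.
SAMPLE = (
    "Dear customer,\n"
    + "Visit https://www.bank.example/help for details.\n" * 8
    + "Confirm your account: http://bank.example.login.invalid/verify\n"
)

if __name__ == "__main__":
    print("capped parser sees:", capped_hosts(SAMPLE))
    print("full scan counts:  ", dict(host_counts(SAMPLE)))
    print("report candidates: ", minority_hosts(SAMPLE))
```

Counting per host over the full body, instead of capping the raw link list, keeps the repeated legitimate URL from crowding out the single host that matters.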

Posted: Mon Aug 31, 2009 9:02 am
Spam Observer

Joined: Tue Oct 14, 2008 8:20 pm
Posts: 72
I see the opposite - getting an increasing number of phishing spam, mostly banks, Ally Bank, Bank of America, KeyBank and yesterday a PayPal, that appeared to also contain virus HTML.Phishing.Auction-71.
The url is
I cannot save a copy of this mail, as KIS sends it to quarantine immediately.

Posted: Mon Aug 31, 2009 11:43 am
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Interesting you all mention this.

I still see plenty of bank spoofs, along with the usual PayPal and eBay. I get lots of rockphish-like spam, too:

Bank of America
Ally Bank (former GMAC Bank)

For Social Networking Sites, I see Facebook and Habbo spoofs sometimes.
