Like computer viruses, phishing scams were originally launched by malicious hackers eager for bragging rights in the underground. The earliest scammers don’t appear to have done much damage. Things quickly got worse, though, to the extent that organized crime is now involved, according to the FBI’s Internet Crime Complaint Center (IC3).
According to Australian media reports, four high school students were recently charged with helping the mob drain millions of dollars from online bank accounts spanning from Australia to Eastern Europe. The criminals used bogus ads and spam to install Trojans that captured passwords and other bank details. The Australian teenagers were allegedly recruited to help transfer stolen funds into Eastern European-based bank accounts.
“Consumers have grown more educated about common phishing and identity theft,” says Sophos’ Mastoras. “Unfortunately, organized criminals are responding with more sophisticated techniques.”
These days, criminals aren’t just intent on clearing out entire accounts; they’re also out to drain data stores of log-in IDs, passwords, and other sensitive data to use for their next crime. Phishers want real payback and are going to great lengths to get it. Poorly conceived phishing scams, those with misspellings and peculiar English — when was the last time your bank called you “darling”? — are being replaced by technological tricks that often don’t even require the user to click on a URL.
“[Phishers] will … begin to target the customers of any business that has an online component,” says Natasha Staley, an information security analyst at MessageLabs, a provider of managed enterprise e-mail security solutions.
Phishing can also affect network security. For example, if users are allowed to choose their own log-in names and passwords, it’s likely they use the same ones on many networks. When phishers know John Smith logs in as Jsmith13 and uses the password “superman” at eBay, they’ll scour online postings and databases for more information about Smith. If they discover he works at your company, they can try to access your network by signing in as JSmith, superman.
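One mitigation a network owner controls directly is refusing corporate passwords that are already exposed elsewhere or are trivially tied to the login name. The following is an added illustration, not code from the article or from any vendor quoted in it: it checks a proposed password against a constructed set of breached-password SHA-1 hashes using the same 5-character hash-prefix (k-anonymity) lookup style that public “pwned password” services use, and rejects passwords containing the account name. The breached set, the `JSmith`/`superman` values and the 12-character minimum are assumptions for the example.

```python
import hashlib

# Constructed sample of passwords assumed to have appeared in a breach.
# Stored as upper-case SHA-1 hex digests so the policy store never keeps
# plaintext; these are illustrative values, not real breach data.
BREACHED_PASSWORD_HASHES = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("superman", "password", "letmein", "qwerty123")
}


def sha1_prefix_matches(password, breached_hashes, prefix_len=5):
    """Return True if the password's SHA-1 digest is in `breached_hashes`.

    Mirrors the k-anonymity range query used by public breached-password
    services: only the first `prefix_len` hex characters select a bucket,
    and the remaining suffix is compared locally (assumed 5-char prefix).
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    # In a real deployment this bucket would come back from the remote
    # service; here it is filtered from the local constructed set.
    bucket = {h[prefix_len:] for h in breached_hashes if h.startswith(prefix)}
    return suffix in bucket


def evaluate_password(username, password, breached_hashes=BREACHED_PASSWORD_HASHES):
    """Return (accepted, reason) for a proposed corporate password.

    Checks, in order: known-breached reuse, login name embedded in the
    password, and a minimum length (12 is an assumed policy value).
    """
    lowered = password.lower()
    # Strip trailing digits so "Jsmith13" still flags "jsmith" in the password.
    name_stem = username.lower().rstrip("0123456789")

    if sha1_prefix_matches(password, breached_hashes):
        return False, "appears in known breached credential set"
    if name_stem and name_stem in lowered:
        return False, "contains the login name"
    if len(password) < 12:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    # The scenario from the text: a reused eBay password tried on the corporate network.
    for user, pw in [("JSmith", "superman"),
                     ("Jsmith13", "JsmithWorksHere2024!"),
                     ("JSmith", "Tr0ub4dor"),
                     ("JSmith", "correct-horse-battery")]:
        print(user, evaluate_password(user, pw))
```

Rejecting a password because it is known to be breached does not tell the user where it leaked, which keeps the check from confirming any particular third-party account; logging the rejection reason is still useful for spotting a population of users who all reuse the same exposed password.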