Posted by Virus Bulletin on Apr 16, 2008
As UK banking body reports major increase in phishes, PayPal unveils blocking strategy.
A report from the UK payments industry association APACS has shown a dramatic increase in phishing incidents, with the number of reports for Q1 of 2008 up 200% on the same period last year. Meanwhile major phishing target PayPal, the online payment system owned by eBay, has issued a detailed report on its efforts to minimize the dangers of phishing to its business and its users.
The APACS report carries figures from phishing reports made to BankSafeOnline, a cross-industry project supported by banks aimed at educating online banking users of the risks of scams, phishing and spyware and how to mitigate them. The statistics show over 10,000 incidents were reported to the organisations' hotlines in the first three months of the year, compared to just under 3,400 in the first quarter of 2007. the number of reports increased steadily throughout 2007, and the trend looks set to continue. Actual losses have gone down by around 30% in the same period, and both trends possibly reflect greater user awareness of the dangers of phishing and improved ability to spot suspect messages.
Over at PayPal, the online money-transfer system's security team have put together a detailed white paper discussing their current and future tactics for reduce financial losses and damage to their customers' user experience caused by phishing. One significant strategy is a movement towards implementation of email authentication standards, encouraging ISPs to drop spoofed mails rather than delivering mails with fraudulent content to their users. While the plan involves considerable cooperation from a wide range of infrastructure and software providers, a long-term trial of DomainKeys and SPF techniques has been running in conjunction with Yahoo!'s email system since October 2007, and has shown considerable benefits for Yahoo! users. As this strategy is being promoted, a stop-gap measure of certifying mails has also been trialled.
Beyond the email level, PayPal has also been active in gathering data on phishing scams and taking down spoofed websites, cooperating with blacklisting systems and providing user education through a number of initiatives. At the desktop level, the company is developing new systems to encourage, and eventually force, users to run more secure systems, alerting visitors arriving at their sites using out-of-date browsers and possibly in future denying access to those who are running older, insecure software. More advanced user authentication techniques, including personal security keys, are also in use in some areas and should expand to further territories in the near future.
As a result of these initiatives, PayPal has found levels of phishing targeting its services have dropped considerably in the past two years. The report can be found (in PDF format) here, with a blog entry on the findings from PayPal Chief Information Security Officer Michael Barratt here.
Full details of the APACS report are in a release here. Some details of the latest subtle phishing tactics, targeting credit card companies' online verification systems, are on the SophosLabs blog here and here.
Posted on 16 April 2008 by Virus Bulletin
