Netcraft, the British Internet security consultancy, highlights a new Honeynet Report on Traffic to Phishing Sites, showing that despite months of intensive anti-fraud education efforts by the banking industry, a lot of people still click through to fraudulent phishing sites:
The study of phishing scams hosted on cracked web servers from The Honeynet Project documented two recent attacks that attracted hundreds of click-throughs from unknowing users. A UK site mimicking a major US bank received 256 visits in 4 days, while a compromised German server redirected 721 users in just 36 hours to a PayPal phishing site hosted in China.
The data from The Honeynet Project, which monitors activity on hacked computers, suggests that bank customers may exercise somewhat greater caution than PayPal users when presented with fraudulent electronic mails. Phishers’ behavior reinforces this assumption, as eBay and its PayPal subsidiary are far and away the most frequent targets in those attacks reported by the Netcraft Toolbar community. But the steady traffic to scam sites demonstrates that a significant number of bank customers are still being tricked by bogus e-mails.
Perhaps the most worrying part of all this, apart from people’s continued gullibility, is that phishing operations are becoming even more nimble in deploying scam infrastructure across networks of compromised servers, using automated attack tools and prepackaged spoof sites to speed their work. These include pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice … (and) propagated very quickly through established networks of port redirectors or botnets according to the report. The report also suggests that organised groups are behind the setting up of bogus sites and the distribution of phishing email.
As Netcraft concludes: The banking industry and online retailers have emphasized customer education in their response to phishing. But the persistent traffic to scam sites underscores the importance of additional proactive defensive measures to protect customers from their own bad habits and the technical innovations of phishing scams. I would agree: I don’t claim to know much of what banks are doing in this area, but I have a strong suspicion it’s not enough. It’s certainly not enough to assume that educating the user is going to stop the problem, or even a bit of it. Banks have got to invest big time in tracking these scams, stopping them before they start (if the Honeynet Project can do it, why can’t the banks?).