Phishing Gets Smaller, Smarter

It’s intriguing how phishers are targeting smaller and smaller groups. Not only does it indicate that the bigger banks and institutions are becoming more secure (or their customers smarter) but it indicates that the phishers must be employing increasingly sophisticated methods of harvesting email addresses. Or is there something else afoot?

The Bakersfield Californian yesterday reported an attack on the Kern Schools Federal Credit Union, which has, according to its website, 140,000 members and 10 branch offices. That’s actually not a lot of people to target, in spamming terms. Still, up to 25 members got the email and reported it to the union. One must assume many more received it and didn’t report it. The Bakersfield paper went on to say:

As large financial organizations become better at fighting off such phishing attacks, scammers seem to be targeting smaller regional banks and credit unions. Smart phishers are finding sources of e-mail addresses and using them to get in touch with bank customers. “They’re figuring out how to beat the probabilities of targeting people,” said Peter Cassidy, secretary general of The Anti-Phishing Working Group. “I guess this is the same discipline that marketers use.”

In many cases, that’s meant targeting people whose e-mail address is public. “In the past, phishers used to go after mainstream consumer Web sites with millions of users, but now the targets are becoming much smaller and more localized,” Dan Hubbard, senior director of security and technology research at online security firm Websense Inc., said in a statement.

This is an interesting feature of this chapter in the phishing saga. My guess is that these attacks are from quite different gangs than the original East European/ex-Soviet groups that started all this. But I could be wrong. Here’s a thought: could the customer data have been gathered from a data security breach? Clearly these breaches are a growing worry for financial institutions of any size, as high-profile cases have illustrated. Indeed, last December Kern hired a company called Ingrian to secure its members’ data:

“As we looked at the NCUA legislation and the ongoing incidence of security breaches taking place, we decided that it made sense to augment our existing security capabilities by implementing encryption inside our enterprise,” explained David DuBose, vice president, information technology, Kern Schools Federal Credit Union. “After evaluating the alternatives available, we became convinced that Ingrian’s approach—providing a centralized appliance that intelligently manages encryption, keys, and policies—gave us the most secure and most cost-effective way to protect sensitive data.”

I think perhaps it’s time for banks to look proactively at how many of their customers are getting targeted and see whether there is a correlation with missing data (the Privacy Rights Clearing House counts nearly 10 million people — Americans, I assume — whose data has been stolen or otherwise compromised this year). If there is any correlation between phishing attacks and stolen data, then perhaps banks and other institutions need to be more proactive in warning customers, rather than just posting tardy warnings or warning ‘brochures’ that are in a format (PDF) many customers won’t know how to open and way too big (3+MB) for anyone not on broadband to download.

12. June 2005 by jeremy
Categories: Phishing, Security | 1 comment

One Comment

  1. PDF is a relatively standard format; most modern computers come with the free Adobe Acrobat Reader pre-installed. Also, the same “Consumer Alert” page (http://www.ksfcu.org/default.asp?fileID=185) that links to the phishing PDF has a link to the FDIC at the top of the page (http://www.fdic.gov/news/news/SpecialAlert/2005/sa1105.html), which provides its information in HTML.

    Considering that the majority of the phishing emails I receive are for small banks which I have never heard of, I do not think most phishers are currently attempting to use such strict targeting methods. I would not be surprised, however, if such an occurrence became more commonplace in the future.