Phishing is one of the most lucrative computer crimes, and it continues to grow rapidly. In April 2006, the number of unique new phishing sites spiked to a record of 11,121, almost four times the 2,584 sites found a year before, according to the most recent report from the Anti-Phishing Working Group.
You might expect phishers’ fake sites to be easy to recognize by their amateurish spelling mistakes or broken Web graphics. But these days few phishers try to re-create entire bank-site pages by hand. Instead, modern scammers operate sophisticated server-side software that pulls all the text, graphics, and links directly from the target bank’s live site. All of the queries you input go to the real site, except your log-in data. That choice information goes straight to the bad guys.
Some phishing sites have become so smooth that they can even trap cautious and experienced Web surfers. In the “Why Phishing Works” study, experts at UC Berkeley and Harvard presented test subjects with Web sites and had them look for the fakes. As it turned out, even in the best-case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate Web site from a spoofed Web site. In the study, the best phishing site was able to fool more than 90% of participants.
The key for the phisher is to inveigle you into visiting the bogus site. You may be well conditioned not to trust an e-mail missive purporting to be from your bank and asking you to click a link to check your account details. But phishers today are adopting more forceful means to push your browser to their sites.
A malware-enabled technique called smart redirection secretly sends your browser to the scammer’s Web site even if you manually type your bank’s correct Web address into the browser. Malware on your machine monitors the availability of dozens or hundreds of duplicate fake bank sites, hosted on computers around the world, and redirects your browser to an available fake site whenever you attempt to reach your bank. And if authorities subsequently close down one site, the smart redirection software on an infected system simply sends the victim to a destination site that has eluded shutdown.
As long as there’s money to be made, criminals will continue to hone their phishing skills and to develop new techniques.