
Phishing Attacks Soar as Scammer Nets Widen

Some of the Web's most prolific organized online criminals are starting to step up the frequency and sophistication of phishing attacks, targeting commercial banks, job hunting sites and data brokers, Security Fix has learned.

Typically, phishing scams involve phony e-mails and counterfeit bank Web sites that try to lure unsuspecting users into disclosing user names and passwords. Lately, however, some of the more technically advanced phishing groups have started shifting their sights to higher-dollar targets.

The source of this latest twist in phishing is known as "Rock Phish." These attacks generally involve techniques to avoid new anti-phishing measures. Both the Firefox and Internet Explorer Web browsers include features that alert users if they try to visit a site that has been flagged by security experts. Rock Phish attacks are designed to thwart this "blacklisting" approach by generating multiple, unique Web addresses for each attack, thus making it easier for them to evade phish filters.

The Rock Phish attackers are thought to have pioneered the use of images to bypass spam filters that flag scam and junk e-mails based mainly upon telltale text. The prevailing theory is that whoever is responsible for these highly efficient phishing attacks is making tens of millions of dollars through their efforts and may not take kindly to someone interfering with that income.

No one really knows who's behind these attacks, but sources who spoke with Security Fix suggested that transnational organized criminal groups are likely involved. That explains why some of my best sources steadfastly refuse to talk about Rock Phish scams on the record out of a stated fear for their physical security.

A screen shot, taken from, which shows the slight variation in Web addresses used with each Rock Phish attack.

Rock Phish attacks are behind the spike in overall phishing attacks recorded by security monitoring firms. The Anti-Phishing Working Group, an industry consortium, said that in April it recorded the highest number of phishing sites ever reported -- 55,000, nearly 20,000 more than the previous record high logged in October 2006. The spike, it said, was due principally to the proliferation of phishing sites erected by Rock Phish attacks., an open source anti-phishing community, recorded its highest ever number of new phishing sites last month as well -- 77,700. According to the Phishtank blog, close to 90 percent of the new reported phishing sites are generated by Rock Phish attacks.
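The two points above (unique Web addresses per attack defeating exact-match blacklists, and site counts inflated by those variants) can be made concrete with a small model of a phish filter. This is an added example, not code from Security Fix or any browser vendor. The URLs are constructed under the reserved `.test` TLD and are not real Rock Phish addresses, and `registrable_domain` uses a deliberately naive "last two labels" rule in place of the Public Suffix List a production filter would consult.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of reported phishing URLs. Each "attack" changes the
# leading hostname labels and sometimes the path, but reuses one registrable
# domain on the hosting provider, which is the trait a defender can key on.
REPORTED = [
    "http://login.examplebank.com.a1b2.cheap-host.test/ebank/signin/",
    "http://login.examplebank.com.c3d4.cheap-host.test/ebank/signin/",
    "http://secure.examplebank.com.e5f6.cheap-host.test/verify/",
    "http://jobs.examplejobs.com.x9y8.other-host.test/resume/upload/",
]

# A fresh variant that has not been reported yet (constructed).
NEW_VARIANT = "http://login.examplebank.com.f7g8.cheap-host.test/ebank/signin/"


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Assumption: this two-label rule is a stand-in for a Public Suffix List
    lookup; it is wrong for suffixes such as co.uk and is kept only to make
    the example self-contained.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_key(url: str) -> str:
    """Collapse a URL to the registrable domain it is served from."""
    return registrable_domain(urlsplit(url).hostname or "")


class PhishFilter:
    """Holds a reported-URL list two ways: exact strings and domain keys."""

    def __init__(self, reported):
        self.exact = set(reported)
        self.domains = {url_key(u) for u in reported}

    def blocked_exact(self, url: str) -> bool:
        # The blacklist model the text describes: only a URL seen before hits.
        return url in self.exact

    def blocked_by_domain(self, url: str) -> bool:
        # Generalised check: any URL on a domain that hosted a reported phish hits.
        return url_key(url) in self.domains

    def check(self, url: str) -> dict:
        return {
            "url": url,
            "exact": self.blocked_exact(url),
            "domain": self.blocked_by_domain(url),
        }


def campaign_counts(urls) -> dict:
    """Group reported URLs by registrable domain.

    The number of distinct URLs is what a "sites reported" figure counts; the
    number of keys here is closer to the number of distinct hosting setups.
    """
    return dict(Counter(url_key(u) for u in urls))


if __name__ == "__main__":
    f = PhishFilter(REPORTED)
    for u in REPORTED + [NEW_VARIANT, "http://www.examplebank.test/"]:
        print(f.check(u))
    print(len(REPORTED), "reported URLs collapse to", campaign_counts(REPORTED))
```

Run as a script it prints a verdict per URL: every reported URL hits both checks, the unseen variant is missed by the exact list but caught by the domain key, and an unrelated legitimate host matches neither. The trade-off a practitioner should weigh is that domain-level blocking on a shared host can also catch innocent sites on that host, which is why real filters combine it with per-URL evidence and takedown rather than relying on either alone.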

So what organizations are being targeted by these attacks? MarkMonitor, an anti-phishing company that specializes in disabling phishing sites before they can do much damage, wouldn't say -- its client list is kept private. But Te Smith, MarkMonitor's vice president of communications, said that over the past two months the company has tracked a 100 percent increase in Rock Phish-style attacks against commercial banks, the kind that cater to comptrollers and accounts that businesses routinely use to transfer large sums of money.

Smith said the new Rock Phish attacks "are trying to intercept credentials of people who have access to online services that provide very detailed credit and consumer data." In addition to targeting data brokers, Smith said, the Rock Phish scams also are going after commercial banks, those that service large and medium-sized businesses, in part because those institutions' thresholds for detecting fraud are higher than with consumer banks.

"These [types of customers] are as a matter of course transferring more money, and red flags don't rise as early when large sums transfer," Smith said.

Working with a couple of the aforementioned reticent sources, Security Fix was able to identify a few Rock Phish targets. Perhaps the most disturbing target was Accurint, a division of consumer data gathering giant LexisNexis that provides highly detailed consumer records to law enforcement agencies. Armed with the credentials for an Accurint account, there is virtually no limit to the amount of information criminals could gather about consumers, including Social Security numbers, former addresses, maiden names, and so on. Prominent on the Accurint home page is an alert warning users never to click or follow links to Accurint from e-mail messages.

A currently live phishing site targeted users.

Another target recently folded into the Rock Phish attack stable is job search giant Job-search sites are attractive because many applicants list all kinds of personal data on their resumes, including Social Security numbers and previous addresses. In fact, the image to the left is a screen shot of a fake site employed in a Rock Phish attack that is live as of press time. spokesperson Jenny Sullivan said the company takes fraud attacks very seriously and that it is working with the FBI and other organizations to track down the authors of the phishing attacks. The company also includes on every job posting tips to help users avoid e-scams or becoming victims of fraud.

By Brian Krebs  |  May 24, 2007; 5:20 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  


Considering most of these attacks are originating from outside of the US I fail to see what the FBI can do about it.

______________________________ - The real security Experts.

Posted by: | May 24, 2007 5:56 PM | Report abuse

Money is the root of all evil! Then again, if that were taken away, these scumbags would find some other means to exploit their fellow man. Humans really are vile, selfish creatures! Pathetic!

Posted by: Misanthrope | May 24, 2007 7:52 PM | Report abuse

This ppt gives nice insights into how sophisticated the phishers' attacks are ;)

Posted by: MitmWatcher | May 25, 2007 12:35 AM | Report abuse

That's why these companies should use Trusted Delivery. Then their customers would know that the email is really from the company, and not from a phisher. Check out

Posted by: Simon | May 25, 2007 2:09 AM | Report abuse

Also see this article:

FIRST is a non-profit Global Forum of IT-Security Professionals and IT Security Response Teams.

At the FIRST 2007 Annual Conference, 17-22 June in Seville, Spain, with 85 international speakers and 6 streams, there is a specific working group committed to tackling the issues around phishing, especially the global co-operation between LEAs and CERTs/CSIRTs.

Anyone with an interest in IT Security can attend this conference. More info on the conference is at:

Posted by: Arjen de Landgraaf | May 25, 2007 2:49 AM | Report abuse

Sometimes I fear that the Internet will implode, that is, be besieged with too many scams and fraudulent uses, and the consumers will stop using the Net. I have heard of some businesses actually opting out and using old-fashioned ways: the telephone (land line), snail mail, and Praise be, face-to-face communication. Shades of 1984, Big Brother is getting mighty powerful. If only governments were more honest (the US included); however, we all have become so dependent, co-dependent, perhaps, on computers. Too bad that such a marvelous invention has become a weapon by terrorists, crooks, and money-grubbers.

Posted by: Susan Dawson | May 25, 2007 11:44 AM | Report abuse

How many of you own a credit-card sized calculator? How many of you were given one as a promotional give-away? These credit-card sized calculators don't really cost that much. And it wouldn't cost that much to outfit a device like that with a short-range wireless link.

At that point, you'd have a small, convenient, portable device capable of secure input and output.

There's no real reason for a customer to enter their password into an insecure web-form. Especially when the web-form might be operated by a phisher.

Instead, both the bank and the customer should authenticate to a secure device in the customer's possession.

And for a payment transaction, the merchant should also authenticate to the device, and display the amount of the transaction on the little LCD display.

Further, with flash memory, the device should also contain a log of the transactions carried out with it. That way, in case of mistake or fraud, the cryptographically-signed transaction record would be available.

Banking with passwords transmitted over a potentially insecure network is just stupid and really unnecessary.

Posted by: nedu | May 25, 2007 2:06 PM | Report abuse
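The design sketched in the comment above (the bank authenticates to a device the customer holds, the device shows the amount before anything is approved, and it keeps a cryptographically signed transaction log) can be modelled in a few dozen lines. This is an added example and not the commenter's code or any vendor's product; it uses HMAC-SHA256 with constructed keys as a stand-in for whatever key material and signature scheme a real device would carry in tamper-resistant storage, and the transaction fields are made up.

```python
import hashlib
import hmac
import json

# Constructed keys. In the real design the bank and the device would each hold
# their half of a provisioned key pair; here both live in one process so the
# model can run offline.
BANK_KEY = b"constructed-bank-to-device-key"
DEVICE_KEY = b"constructed-device-signing-key"
GENESIS = "0" * 64


def _canon(obj) -> bytes:
    """Canonical JSON so both sides MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Bank:
    """The bank proposes a transaction and proves it came from the bank."""

    def propose(self, txid: str, merchant: str, amount_cents: int, currency: str):
        tx = {"txid": txid, "merchant": merchant,
              "amount_cents": amount_cents, "currency": currency}
        return tx, _mac(BANK_KEY, _canon(tx))


class Device:
    """The customer's pocket device: verifies the bank, shows the amount,
    signs what the user approved, and appends it to a hash-chained log."""

    def __init__(self):
        self.log = []
        self.prev_hash = GENESIS

    @staticmethod
    def display(tx: dict) -> str:
        # What the little LCD would show before the user presses OK.
        return f"PAY {tx['amount_cents'] / 100:.2f} {tx['currency']} TO {tx['merchant']}?"

    def approve(self, tx: dict, bank_mac: str, user_confirms):
        # Bank authenticates to the device: a phisher without BANK_KEY cannot
        # get the device to sign anything, whatever web form the user saw.
        if not hmac.compare_digest(bank_mac, _mac(BANK_KEY, _canon(tx))):
            return None
        # The user approves the displayed amount, not a hidden one.
        if not user_confirms(self.display(tx)):
            return None
        entry = {"tx": tx, "prev": self.prev_hash}
        entry["sig"] = _mac(DEVICE_KEY, _canon(entry))
        self.prev_hash = hashlib.sha256(_canon(entry)).hexdigest()
        self.log.append(entry)
        return entry["sig"]


def verify_log(log) -> bool:
    """Check every entry's signature and the chain linking it to the previous
    one, so a later edit to an amount or a deleted entry is detected."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev:
            return False
        body = {"tx": entry["tx"], "prev": entry["prev"]}
        if not hmac.compare_digest(entry["sig"], _mac(DEVICE_KEY, _canon(body))):
            return False
        prev = hashlib.sha256(_canon(entry)).hexdigest()
    return True


def demo():
    """Constructed walk-through: two genuine transactions, one forgery."""
    bank, dev = Bank(), Device()
    tx1, mac1 = bank.propose("t1", "Example Grocer", 4250, "USD")
    tx2, mac2 = bank.propose("t2", "Example Utility", 12000, "USD")
    ok1 = dev.approve(tx1, mac1, lambda prompt: True) is not None
    ok2 = dev.approve(tx2, mac2, lambda prompt: True) is not None
    # A forged proposal with no valid bank MAC is refused before display.
    forged = dev.approve({"txid": "x", "merchant": "Mallory", "amount_cents": 99900,
                          "currency": "USD"}, "00" * 32, lambda prompt: True)
    return {"approved": ok1 and ok2, "forged_rejected": forged is None,
            "log_valid": verify_log(dev.log), "device": dev}


if __name__ == "__main__":
    print(demo())
```

The point the comment makes, that nothing secret is typed into a web form, falls out of the model: the device never sees a password, and a transaction only enters the log when both the bank's MAC and the user's confirmation of the displayed amount are present, so a counterfeit site holding the user's attention has nothing to submit.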


I think you are describing a secure method of "pushing" from an account instead of "pulling" the money using a credit card system. It will never fly now that the banks have bought into the credit card business as a way of generating fees and making high interest loans. Vendors would no longer need massive databases of personal information for crooks to steal. This idea would never be accepted.

Posted by: Bud | May 30, 2007 9:57 PM | Report abuse

Let us not forget that maybe only 4 companies are being sued for putting some digits of your credit card and the expiration date, but there are probably more companies doing it that aren't even being touched. For example, FASTRIP 19, and CONOCO do the same thing and I have my receipts and I am shocked. I think that in this day and age that the less a potential thief of identity has to work with is not a bad thing. Are these companies just too lazy? Big fat cats who only care about making money and screwing their secretaries than ensuring their customers complete protection. Hmmm, I think so!!!! Well, I will never shop at these companies ever again until they fix the problem. I hope many others follow suit. Doesn't anyone remember to dump the tea in the harbor for their rights?

Posted by: tattoofreak_6969 | June 9, 2007 7:53 PM | Report abuse

© 2010 The Washington Post Company