
Phishing Attacks on the Wane

Phishing attacks have fallen out of favor among cyber crooks who make a living stealing personal and financial information, according to a report released this week by IBM. Instead, attackers increasingly are using malicious Web links and password-stealing Trojan horse programs to filch information from victims, the company found.

The analysis from X-Force, IBM's security research and development division, notes that Trojan horse programs are taking the place of phishing attacks aimed at financial targets. The company found that throughout 2008, phishing volume was, on average, 0.5 percent of overall spam volume. In the first half of 2009, however, phishing attacks fell to an average of 0.1 percent of spam volume. The targets of phishing attacks also changed, IBM says: In the first half of 2009, 66 percent of phishing schemes targeted the financial industry, down from 90 percent in 2008.

I looked at the number of phishing sites tagged over the past few years by Phishtank, which tries to crowdsource the identification of phishing sites. The decline in phishing became particularly noticeable in 2009. In August 2008, Phishtank members had identified more than 11,616 distinct phishing Web sites. By comparison, the community has turned up fewer than 3,330 of them this August (click the image below for a larger version of my no-frills graphic, based on Phishtank's monthly data).


IBM says the number of new malicious Web links is up 508 percent in the first half of 2009. Many of these links appear on trusted sites, such as search engines, bulletin boards, personal Web sites, online magazines and news sites, the report says.

"There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware," writes X-Force Director Kris Lamb. "We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk."

These legitimate sites typically are mass-hacked through common Web site vulnerabilities or misconfigurations, such as those that allow so-called SQL injection attacks, in which criminals inject malicious code into Web sites with the goal of infecting visitors. IBM found SQL attacks rose 50 percent from the last quarter of 2008 to the first quarter of 2009, and then nearly doubled in the second quarter of this year.

Web vulnerability scanning firm ScanSafe recently blogged about some 55,000 Web sites being mass-compromised with malicious links via SQL vulnerabilities. Several other major mass-compromises resulting from SQL weaknesses were discovered earlier this year.

If you operate a Web site, there are some decent, free tools available to help protect your site from SQL attacks. I wrote a column about them last year, and some of our loyal readers suggested their own favorite tools in the comments section.

The malicious links most often left behind on hacked sites are known as "IFRAMES", or lines of scripting code that invisibly redirect the user's browser to a site that tries to install a Trojan horse program. The NoScript and RequestPolicy add-ons for Firefox can help users load only the scripts they want for any Web page, and are among the best lines of defense against malicious scripts.

A copy of the IBM report is available here (PDF).

By Brian Krebs | August 27, 2009; 12:39 PM ET
Categories: Fraud, Latest Warnings, Safety Tips | Tags: ibm, phishing, sql injection


Why I just love phishing and other fraud e-mails.

So far this year alone, I have SUPPOSEDLY won more money in lotteries [American Tobacco seems popular just now, even though e-mails appear to originate from Chinese sites.]

They ALL get forwarded to -----------

If they come back bounced, it means that site is temporarily overloaded; your forward was not rejected. You can usually resend immediately.


Posted by: | August 28, 2009 12:36 AM | Report abuse


If there are also private research sites that might want copies, please list them.



Posted by: | August 28, 2009 12:39 AM | Report abuse

I've followed your advice and am a Limited User now. Does that mean that these scripting attacks will not affect me?

Posted by: elibake | August 28, 2009 11:41 AM | Report abuse

The link you posted to this
55,000 Web sites mass being compromised

leads to an article about wi-fi WPA weakness
not the intended article

Posted by: amthmi | August 28, 2009 2:26 PM | Report abuse

@amthmi -- thx for the note. I've fixed that link.

Posted by: BTKrebs | August 28, 2009 4:37 PM | Report abuse

With the number of mass compromises through retailers, like the following: , I am not too surprised that the number of phish sites has decreased. If you consider the effort it takes to make a phish site, the reward seems little if there are wholesalers selling "bulk" at a discount.

At the same time, Banker Trojans are spread through various means - like this baby E-card malware here continues to give phishers information without getting their phish sites constantly shut down.

Phishers are still very much active out there even in the midst of a decrease of bank phish sites.

Savio Lau, SophosLabs Canada

Posted by: saviolau | August 28, 2009 8:35 PM | Report abuse

This sort of confirms the view that phishers just aren't making much money:,1000000189,39589445,00.htm

You've got more and more phishers chasing fewer and fewer people who haven't heard of it. Nothing lasts forever.

Posted by: bobl4 | September 1, 2009 12:15 PM | Report abuse

Phishing attacks may be on the wane, but if I'm doing my math right, there's still 100 million phishing emails getting sent each day.

Posted by: pmoriarty | September 1, 2009 12:20 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company