Story on APWG report from Mary Ellen Zurko on 2006-09-13 (public-usable-authentication@w3.org from September 2006)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Wed, 13 Sep 2006 08:44:33 -0400
To: public-usable-authentication@w3.org
Message-ID: <OF3270EFDF.C030A5D5-ON852571E8.0045DA00-852571E8.0045FF8D@notesdev.ibm.com>

I'm afraid I chuckled about the line on SMTP, since it seem not core to 
the story or problem. But otherwise, very interesting piece to me, and I 
imagine the report itself is even more interesting. 


Phishing reaches record numbers
Published: 2006-09-11

The Anti-Phishing Working Group (APWG) is reporting a record number of
legitimate "brands" were hijacked in July 2006.

The group is reporting 154 banks, financial companies, electronic
retailers, or other organizations had their brands hijacked through
phishing in July 2006 - a new record. They also report to have found
23,670 total phishing websites used to commit identity theft, fraud and
other malicious activity in July 2006. This number is second only to the
record 28,571 phishing sites found in June 2006, and is nearly double
the 14,135 phishing sites found in July 2005. Of these sites, 14,191 are
considered "new" phishing sites, compared to just 4,564 new sites found
one year prior, in July 2005.

The report (PDF) was released on September 11, and also includes
statistics on the average time online for a phishing site (4.8 days),
the number of phishing sites referenced only by IP address instead of a
domain name (42%), and the country with the largest number of malicious
phishing sites (the United States, with approximately 30% of all
phishing sites).

The report analyzes the rapidly growing trend of phishing as a common
way to steal banking and financial information from uninformed victims.
Most phishing messages are sent by e-mail, a transport protocol known as
SMTP that has changed little since 1982. The phishing e-mails are sent
using spam distribution methods and employ social engineering to
convince a user to visit a fake website and divulge private information.
A number of phishing websites are in fact legitimate servers that were
compromised through software vulnerabilities, exploited by hackers and
covertly turned into illegal phishing sites - making the hackers more
difficult to track.

The Anti-Phishing Working Group focuses on eliminating fraud and
indentity theft associated with e-mail based phishing scams. Its
membership includes over 1,500 organizations, eight of the top ten U.S.
banks, and four of the top five U.S. ISPs.

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Received on Wednesday, 13 September 2006 12:44:49 UTC