The Anti-Phishing Working Group (APWG) published its Phishing Activity Trends Report for December 2005. According to data gathered by the group, over 7,197 new phishing sites were created in December 2005 and the group recorded 15,244 unique phishing attacks.
The number of new sites in December is a significant increase considering that in November 2005 the group tracked 4,630 new phishing sites. Interesting enough, while the number of new sites created in November was dramatically lower than in December, the number of phishing attacks in December soared to 16,822. By way of comparison, November saw 1,578 fewer attacks.
Was the huge increase of new phishing sites due to the holiday season? Possibly, however the largest target of phishing attacks is still the financial services sector, accounting for 89.3% of the recorded attacks, and the attacks becoming more sophisticated.
Earlier this month The Washington Post reported what the writer called "one of the best phishing attacks I've ever seen." The attack was originally brought to light by the folks at SANS Internet Storm Center. The report describes how the attackers targeted customers of Utah-based Mountain America credit union by touting the "Verified by Visa" program as part of the bait while presenting the reader with the first five digits of legitimate credit cards issued by that financial institution.
But, taking things a huge step further, the phishing Web site also had a SSL certificate issue by Equifax. Somehow the automated system used by Equifax to issue such certificates was flawed and that flaw was exploited by the attackers to obtain a certificate that appeared to belong to Mountain America. With a seemingly legitimate SSL certificate in place Mountain America customers would of course be more easily fooled by the scam.
Other more common types of phishing scams are still underway. A spokesperson for APWG said that they discovered "numerous Web sites" that exploited the recent Windows Metafile (WMF) vulnerabilities. Some phishing Web sites installed malware onto unsuspecting people's computers and then showed a dialog that claimed the computer was infected. The dialog requested that a person enter credit card information in order to pay for removal of the alleged spyware.
Other WMF exploits installed Trojan horses, "bot" software, keystroke loggers, and traffic redirectors that change the system's HOSTS file or modify its DNS settings to use fraudulent DNS servers.
MarkMonitor, PandaLabs, and Websense Security Labs contributed to the APWG's December 2005 report data. The full report is available in PDF format at the APWG Web site.