Tuesday, November 3, 2009
Posted by: Nadine Evans, AITP Southern District Director
I was reading an article recently, written by A. Martinez-Cabrera of the San Francisco Chronicle, which spoke to the news that emails had been compromised with various web mail providers. Various theories abound on how this happened, but Google and Microsoft think the passwords were obtained through phishing schemes. Phishing has become so sophisticated that even FBI Director Mueller admitted he almost fell for an Internet banking scam.
A recent report from the Anti-Phishing Working Group indicated that it had detected more than 49,000 phishing Web sites in June, the most since 2007, and that phishing reports recorded in May were 7 percent higher than last year's worst month.
Experts say social media and Web 2.0 tools are partly behind the recent increase in phishing. It would seem criminals are attacking social-networking sites, banking on the trust users place in their contacts.
In August, Twitter began using a Google application that inspects links embedded in tweets and cross-references them with Google's list of malicious sites. While it has been an important step in increasing Twitter's security, it still has risks. The security firm Sophos says it has detected tweets with links to safe sites that redirect users to malicious ones.
For those doing the scamming, the potential rewards are high. By gaining access to a single account, criminals can find a user's financial records and friends' contact information.
The chief technology officer of the security firm Websense stated that if a criminal obtains the password for someone's Facebook account, there is a good chance the same information can be used to log into an online bank account.
Improved online toolkits have made it even easier for swindlers lacking tech savvy to get into the phishing game, according to the Symantec Security Response Team.
Some researchers think the biggest threat will be malicious software that piggybacks onto files, like MS Office docs, Adobe PDFs, QuickTime videos or screen savers, which may exploit vulnerabilities in programs not regularly updated.
It would seem another growing area of concern is spearphishing, in which criminals profile specific users and design customized emails to steal corporate or government secrets.