By Tom Espiner
Thursday, November 30 2006 11:25 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,61970992,00.htm
Phishing attacks are increasing in frequency and sophistication while
shifting from larger to smaller financial institutions, according to security
vendor RSA.
The vendor has tracked shifts in phishing demographics, and claims they are
being driven by a renewed focus on smaller financial institutions. U.S. banks have
been building stronger anti-phishing protection, forcing fraudsters to target banks in other countries, according to RSA.
"We're seeing an interesting shift in the global phishing landscape, partly
fuelled by guidelines instructing U.S. banking institutions to implement stronger
forms of authentication," said Andrew Moloney, head of international marketing
for RSA consumer solutions business. "There's been a shift in the global black
market to the less protected banks. In the U.K., online banking is not
particularly well protected," Moloney claimed.
Bank e-fraud teams are increasingly using behavioural monitoring of both
physical and digital systems to judge whether a fraud is being attempted, said
Moloney.
More sophisticated attacks result from more sophisticated defences--but, as
in the legitimate economy, phishers vary the sophistication of their attacks
according to the expected return on investment. Man-in-the-middle attacks, which
give a hacker the authentication needed to conduct a transaction at the same
time as a user is conducting legitimate banking business, are becoming more
common, but are still relatively rare because other forms of attack are less
technically demanding and potentially more lucrative.
"Real-time man-in-the-middle attacks are not an easy phish--they have
to be very well targeted to a specific institution, and bypass regular
two-factor authentication. Phishers will move to a different bank if it is less well protected," Moloney added.
RSA also believes that future cyberattacks will combine more attack vectors,
and exploit new technology. Vishing attacks, which use automated voice
recordings to lure users to fake telephone banking numbers, will become more
common, it predicted.
So-called 'cross-channel phishing' will also become more prevalent, RSA said.
As telephone banking channels normally operate separately from online banking
departments, once hackers have certain details, it is possible to phone the bank,
change the PAYE code or home address, then use that information to perpetrate online banking fraud, RSA claimed.
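The behavioural monitoring that bank e-fraud teams are described as using, and the cross-channel pattern just outlined (a detail changed by phone shortly before an unusual online transfer), can be illustrated with a small risk-scoring routine. The following is an added example written for this article, not code from RSA or any bank; the event fields, weights, 48-hour window, alert threshold and sample events are all constructed assumptions.

```python
# Added illustration: behavioural risk scoring for online banking events.
# Field names, weights, windows, thresholds and sample events are constructed
# assumptions for this example, not RSA's or any bank's actual logic.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: datetime
    account: str
    channel: str                   # hypothetical channel names: "web" or "phone"
    kind: str                      # "login", "transfer", "change_address", "change_pin"
    device: Optional[str] = None
    country: Optional[str] = None
    amount: float = 0.0
    payee: Optional[str] = None


@dataclass
class Profile:
    """What the bank has previously seen for one account."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    payees: Set[str] = field(default_factory=set)
    last_phone_change: Optional[datetime] = None   # last sensitive change made by phone
    recent_transfers: List[datetime] = field(default_factory=list)


# Hypothetical weights; a real system would tune these against fraud outcomes.
ALERT_THRESHOLD = 5
PHONE_CHANGE_WINDOW = timedelta(hours=48)
VELOCITY_WINDOW = timedelta(hours=1)


def score_event(ev: Event, p: Profile) -> Tuple[int, List[str]]:
    """Score one event against the account's history; the history is not updated here."""
    score, reasons = 0, []
    if ev.kind == "login":
        # Only flag deviations once the account has some history (cold-start handling).
        if p.devices and ev.device not in p.devices:
            score += 2
            reasons.append("new device")
        if p.countries and ev.country not in p.countries:
            score += 3
            reasons.append("new country")
    elif ev.kind == "transfer":
        if ev.payee not in p.payees:
            score += 2
            reasons.append("new payee")
        if ev.amount >= 1000:
            score += 2
            reasons.append("large amount")
        if sum(1 for t in p.recent_transfers if ev.ts - t <= VELOCITY_WINDOW) >= 3:
            score += 3
            reasons.append("transfer velocity")
        # Cross-channel signal: details changed by phone shortly before an online transfer.
        if p.last_phone_change and ev.ts - p.last_phone_change <= PHONE_CHANGE_WINDOW:
            score += 4
            reasons.append("online transfer shortly after phone-channel detail change")
    elif ev.kind in ("change_address", "change_pin") and ev.channel == "phone":
        score += 1
        reasons.append("sensitive detail changed via phone channel")
    return score, reasons


def update_profile(ev: Event, p: Profile) -> None:
    """Fold the event into the account's history after it has been scored."""
    if ev.kind == "login":
        if ev.device:
            p.devices.add(ev.device)
        if ev.country:
            p.countries.add(ev.country)
    elif ev.kind == "transfer":
        if ev.payee:
            p.payees.add(ev.payee)
        p.recent_transfers.append(ev.ts)
    elif ev.kind in ("change_address", "change_pin") and ev.channel == "phone":
        p.last_phone_change = ev.ts


def run(events: List[Event]) -> List[dict]:
    """Process events in time order and return those that cross the alert threshold."""
    profiles: Dict[str, Profile] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        p = profiles.setdefault(ev.account, Profile())
        score, reasons = score_event(ev, p)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev.ts, "account": ev.account, "kind": ev.kind,
                           "score": score, "reasons": reasons})
        update_profile(ev, p)
    return alerts


# Constructed sample events for one account (not real data).
SAMPLE_EVENTS = [
    Event(datetime(2006, 11, 20, 9, 0), "acct-1", "web", "login", device="laptop-A", country="GB"),
    Event(datetime(2006, 11, 21, 18, 5), "acct-1", "web", "transfer", payee="utility-co", amount=120.0),
    Event(datetime(2006, 11, 28, 10, 0), "acct-1", "phone", "change_address"),
    Event(datetime(2006, 11, 28, 11, 30), "acct-1", "web", "login", device="pc-B", country="RO"),
    Event(datetime(2006, 11, 28, 11, 35), "acct-1", "web", "transfer", payee="new-payee-x", amount=2500.0),
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["ts"], a["account"], a["kind"], a["score"], ", ".join(a["reasons"]))
```

On the sample data the first login and the routine bill payment score below the threshold, the phone-channel address change alone scores only 1, the login from an unseen device and country scores 5, and the large transfer to a new payee made within 48 hours of that phone change scores 8. The point of the cross-channel rule is that neither channel's team would see anything decisive on its own; the signal only appears when the phone and online event streams are scored against a shared account profile.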
RSA also expects to see an increase in identity theft and the use of fake
identities to funnel money from real accounts to fake accounts, and a growth of
fraud targeting European banks as inter-bank money transfers become faster and
more prevalent.
E-mail security vendor MessageLabs has also seen an increase in phishing
attacks over the year, and estimates that spam levels will go up because of new
spamming techniques. Phishing e-mail messages are often spammed out using botnets--networks of compromised PCs.
Whereas botnets are traditionally controlled from a few compromised machines,
new techniques can distribute command-and-control functions across an entire
botnet. Each individual compromised machine can also be made to distribute more
spam if hackers use a piece of malware such as the SpamThru Trojan. SpamThru
downloads a template spam e-mail and a list of hundreds of genuine e-mail messages, along
with random phrases to help disguise the junk mail.
This effectively turns the host PC into a spam engine.
"The underlying mechanisms are very sophisticated," said Mark Sunner, chief
technical officer of MessageLabs. "The volume of spam that can be sent out
increases considerably."
At the moment MessageLabs is only aware of one Russian gang using these
techniques, but warned that the volume of spam could surge if the practice
becomes more common.
"This is hardly the dominant approach, but if all botnets start to operate in
this way [current amounts of spam are] the thin end of the wedge," Sunner told ZDNet UK.