This year's rampage of phishing scams is "just the tip of the iceberg," according to a message security firm's analysis of 2004 and its predictions for 2005, both released Monday.

The boom in phishing attacks -- spam that masquerades as messages from legitimate companies and tries to dupe users into divulging confidential information, such as bank or credit card account numbers -- has been phenomenal. MessageLabs tracked a mere 279 phishing e-mails in September 2003, but in September 2004 it monitored more than two million. During November 2004, MessageLabs tallied a whopping 4.52 million phishing-related messages.

And if you think that's bad, wait until next year, said Natasha Staley, an information security analyst with U.K.-based MessageLabs. "Phishing is really only 12 to 18 months old. It's not even in its prime."

Phishing operations, believed to be run primarily by organized criminal gangs, many of them based in central and eastern Europe, including the republics of the former Soviet Union, are quickly refining their techniques to make their bogus messages more enticing and effective, Staley added.

"In anything with returns like these, it pays to be even more successful," she said. "And that means that phishing will only continue, and grow in sophistication."

Among the evidence that phishers are stepping up their tactics and adopting more effective technology, she said, are 2004 scams that required no user action beyond opening the message. Users who merely opened a malicious e-mail had their systems modified so that the next time they browsed to their bank's online site, the browser was redirected to a fake address, where their login information was captured and silently sent to the attacker. The attacker could then empty the account at will.
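The article does not say how the victims' systems were modified. One mechanism common in this period was rewriting the local hosts file so that the bank's hostname resolved to an attacker-controlled address; the browser then reached the fake site even though the user typed the correct URL. The following is an added example, not code from the article or from MessageLabs, that audits a hosts file for exactly that kind of pinning. The sample hosts content, the `examplebank.com` hostnames and the watchlist are constructed for illustration.

```python
# Added example: audit a hosts file for entries that hijack sensitive hostnames.
# Assumption (not stated in the article): the redirection was done by rewriting
# the local hosts file. The watchlist of hostnames is supplied by the operator.
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample hosts file content, not a real capture. The last two lines
# model a tampered system: the bank's hostnames are pinned to a fixed address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example
203.0.113.45    www.examplebank.com
203.0.113.45    online.examplebank.com    examplebank.com   # added by malware
"""

# Hypothetical watchlist: hostnames that should only ever be resolved via DNS.
WATCHLIST = {"www.examplebank.com", "online.examplebank.com", "examplebank.com"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname token, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is not a usable mapping
        ip, *names = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; nothing will resolve through it
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def find_hijacks(text: str, watchlist: Iterable[str]) -> Dict[str, str]:
    """Map each watchlisted hostname pinned to a non-loopback address to that address.

    A legitimate hosts file has no reason to carry a bank's hostname at all. A
    loopback mapping is tolerated because administrators sometimes sinkhole
    names deliberately; anything else bypasses DNS and is reported.
    """
    watch = {h.lower() for h in watchlist}
    hijacks: Dict[str, str] = {}
    for ip, name in parse_hosts(text):
        if name in watch and not ipaddress.ip_address(ip).is_loopback:
            hijacks[name] = ip
    return hijacks


if __name__ == "__main__":
    for host, ip in sorted(find_hijacks(SAMPLE_HOSTS, WATCHLIST).items()):
        print(f"suspicious: {host} pinned to {ip}")
```

Run against a live system by reading `/etc/hosts` (or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) into `text` instead of `SAMPLE_HOSTS`. The check is deliberately narrow: it answers only whether a name on the watchlist is being forced to a fixed address, which is the observable a user-side redirection of this kind must leave behind; it does not try to judge whether the address itself is malicious.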

According to MessageLabs' statistics, the number of phishing attacks didn't really take off until July 2004, when the number of scam-style messages jumped nearly ten-fold from the previous month.

Next year will also see a leap in the number of scams targeted at specific organizations and companies, Staley said. "Blackmail and extortion will be even more popular next year," she predicted. Already, MessageLabs has seen extortion schemes in which criminals have threatened to send out child pornography under the name of a particular firm, or have promised -- and delivered -- denial-of-service attacks on online gambling sites if the victims don't pay "protection" fees.

MessageLabs sees the changes as evidence of a shift from the shotgun approaches of traditional phishing to customized attacks created to leverage actual or perceived weaknesses of businesses.

"We'll see more of that in 2005," said Staley. "The reason? There's potentially even higher returns if they go after specific companies rather than mail millions of messages to consumers."

Virus-laden messages also increased in 2004, MessageLabs reported, to the point where the year's average was one infected message in every 16, a doubling of 2003's ratio of 1 in 33. In 2002, only 1 in every 212 messages contained malicious code.

Spam, on the other hand, looks like it may have peaked as a percentage of all messages. But not for the right reasons. "Frankly, there's not much farther spam could go," said Staley, who noted that in July, 94.5 percent of all mail that MessageLabs processed was tagged as spam. Spam accounted for "only" 73.8 percent of all mail in November, but that was still higher than the 63 percent of the year's beginning.

"Spam will stay at around 60 to 80 percent of mail in 2005," Staley predicted.

"But while the volume of straight spam will continue to outnumber phishing, it's the latter that has the most potential for racking up losses," said Staley.

"It's the most sinister threat out there."

Original article: http://www.techweb.com/wire/security/54800599