Internet Security Systems - AlertCon(TM)

Phishing Tsunami Passes

Posted by Gunter Ollmann on October 01, 2007 at 6:46 PM EDT.

A couple of weeks ago you may remember that I commented upon the massive increase in phishing attacks that appeared to have been generated by a new generation of phishing-kit, and said that X-Force were going to monitor the situation.

Well, they have been, and I was silently pleased that the phishing statistics for last week finally showed an end(?) to the onslaught against Citizens Bank.

For the week ending 17th September, the Kassel-based X-Force team had identified 450,000 plus phishing hosts. Then, in the following week, they identified an additional 490,000 plus new phishing hosts – all using now-standard phishing-kit deployment and hosting strategies. As of this morning's statistics, last week we were down to a mere 21,000 brand new phishing hosts – a figure that has pretty much become a weekly base-line number for most of the year.

The Phishers are still predominantly targeting Citizens Bank customers – making up around 80 percent of last week's new attacks – but obviously down from the 95-98 percent mark of the previous couple of weeks. This dominance may just be an artifact of the weekly sampling size – meaning that perhaps Citizens Bank customers were targeted 98 percent of the time for the first day of last week, and everything has been near silent since then. I could probably find out, but I don’t think it really matters at this point.

I’m hoping that things are “back to normal” in the phishing-kit world and another major attack isn’t in the works, but I doubt that very much.  I think we’ve just been given a taste of this new generation of phishing-kit and the Phishers are right this very minute refining their engines.

The alternatives are that the inventors of this particular phishing-kit were just presenting their new improved engine to future customers for their phishing-kit – i.e. showing how much better it is against those “old” phishing-kits – or perhaps they were so successful during those two weeks that they now need to take the time to process all those identities they managed to phish?

Personally, I think the former is more likely than the latter, but you never know…
