Sophos: Phishers increase the size of their nets in an attempt to hook wider variety of targets
October 2007 by Sophos
IT security and control firm Sophos has announced that there has been a dramatic reduction in the proportion of phishing emails targeted at the customers of PayPal and its parent company eBay. SophosLabs research shows that in September 2007 only 21 percent of phishing emails purported to come from the two well-known companies. A year ago, 85 percent of these bogus messages claimed to be from eBay or PayPal.
A graphic showing the drop in PayPal phishing can be found at:
"In September 2006, almost nine out of ten phishing emails were trying to steal information from unwary eBay/PayPal customers, now it’s more like one in five. That’s an impressive turnaround by anyone’s standards," said Graham Cluley, senior technology consultant at Sophos. "PayPal and eBay users are much less likely to be targeted by virtual muggers, in part due to the efforts the firms have made in educating their customers about what to look out for, and how to protect themselves. The phishers are not turning away from their life of crime, however. They are now turning to a bigger pool of potential victims."
According to Sophos, phishing emails typically point recipients to a bogus website that looks like the real one but is really designed to steal login information such as usernames and passwords. Hackers use the pilfered login details to commit crimes such as identity fraud.
Alongside the reduction in the percentage of phishing emails directed at eBay and PayPal, Sophos experts note that cybercriminals are targeting the users of a wider range of online companies than ever before in their attempt to steal information and finances. Such businesses include smaller credit card unions, online retailers and firms based in other geographic regions.
Earlier this year, PayPal introduced an authentication keyfob which created a dynamic password for customers who wanted to reduce their chances of being phished. Additionally, eBay and PayPal have sections on their websites devoted to raising security awareness, and advising customers on how to protect themselves from fraudulent emails. These pages include expert security advice on what a spoof email is, how to recognise one, questions they would never ask of their customers via email, as well as ways that consumers can help fight the overall problem of phishing.
"PayPal and eBay are two big fish on the internet - but hackers are finding it harder than before to steal from their millions of users because of heightened user awareness, and technology that the firms introduced to help verify if an email communication is legitimate or not," continued Cluley. "This is great news, but internet users should not relax and think the fight is over. Phishers continue to target a wide variety of organisations in their pursuit of easy money."
PayPal and eBay, like Sophos, are members of the Anti-Phishing Working Group (APWG), an organisation dedicated to wiping out internet scams and fraud. The companies have published several tutorials on how to spot phishing emails:
eBay tutorial on spoof emails:
PayPal advice on how to protect yourself from fraudulent emails:
Sophos recommends companies protect themselves with a consolidated solution which can control network access and defend against the threats of spam, hackers, spyware and viruses.