Script kiddies and phishing. Those are terms from way back in the day, when the Internet was new and hackers were hobbyists. It’s not and they’re not, and now Apple is the new favorite target of those who would social engineer their way to ill-gotten gains.
The Anti-Phishing Working Group — an international consortium of private and public organizations whose security specialists keep track of these things — says in a report it released last week that efforts to obtain credentials by deception are continuing an upward trend that has lasted years.
The APWG says there were 756 targets recorded from January through June this year, compared with 681 in the last half of last year and 487 back in the second half of 2011.
And for the first time, Apple was the world’s leading phishing target, with 21,951 attacks (17.7% of the global total.) Perennial targets PayPal (17,811 attacks, or 14.4%) and Alibaba’s Taobao.com (16,418 attacks, or 13.2%) were second and third.
Joe Stewart, director of malware research at Atlanta-based Dell SecureWorks, says of the APWG findings, “We are not surprised to see Apple as being the leading phishing target. A lot of young hackers — also called script kiddies — are behind a substantial portion of the phishing traffic as they try to harvest credentials for victims’ iTunes accounts and other Apple products.”
The twice-yearly APWG report says attacks by industry in the first six months show e-commerce as the target 32.4% of the time, followed by banks at 25.7%, social networking and email at 23.1% and money transfer operations at 12.8%. (Apple, of course, is stepping in front of that fraudster firing line, too, with the launch of Apple Pay.)
Social Engineering Still Convincing
There were 756 targets recorded from January through June this year, the APWG says, compared with 681 in the last half of last year and 487 back in the second half of 2011.
Here are some bigger numbers: There were 87,901 phishing domain names, continuing that general upward trend that had seen that at 50,298 in the second half of 2011. Attacks totaled 123,741 in the first half of this year, up from 72,758 in first half of last year and 83,083 in that aforementioned first six months three years ago.
“Yes, unfortunately phishing is still one of the top infection vectors, if not the top infection vector, whereby organizations and consumers are getting infected with malicious software,” says Stewart, whose company provides Internet security services to hundreds of credit unions.
Stewart says hackers trying to steal financial credentials are typically using more convincing email topics such as package delivery notifications, tax payment receipts, IRS notices, financial institution credential verifications and current news topics.
“Phishing continues to be a top threat because it involves the human element and the hackers are getting better and better at social engineering their victims,” he says.
Advice to credit unions include the venerable reminder to members to never click on a link or an attachment within an email. Even if they know the sender, they should check first with that sender to see if it’s legitimate.
“The most effective security awareness programs,” Stewart adds, “continually test employees and provide them with learning reinforcement exercises so as to reduce the risk of employees being socially engineered by cyber criminals.”
The whole APWG report is available here.