Identity theft, phishing and Trojan attacks are on the rise, and virtual worlds are being targeted by fraudsters, said a global online security firm.

UK is a popular target because it was the pioneer for fast online payments, and consumers are used to easy and instant payment transfers, said Uriel Maimon, senior research scientist, RSA consumer solutions.

Financial firms continue to face new and emerging threats, and are challenges to increase confidence in the online medium, mitigate against risk and keep fraud loss low.

New scams are also emerging in virtual worlds, such as Second Life, according to Maimon. He said there are two common ways that attackers are targeting virtual worlds. Firstly, end users tend to use the same password for their virtual world as they do for their online bank account, so attackers try to uncover this through phishing attacks.

Secondly, they can try to transfer virtual money into real money. One elaborate method of doing this involves establishing an online power game against themselves, playing until they've 'lost' all the virtual money, then cashing this out in real money.

Online crime has become a mass market, and phishing attacks are increasing because it is a "statistics game". Each attack is cheap to execute, sometimes as low as $1 or $2, and each attack can live for around 100 hours.

"It's a funnel effect. In a phishing attack you can send out more than 500,000 emails. Of those, maybe only 300,000 are real email addresses, and then another 100,000 get past the anti-spam software, and maybe about 1,000 users click through the link, and perhaps the attack leads to only 50 compromised identities trickling through, garnering about £500 on average per identity," he said. As the attack is so cheap to execute, these types of attacks will still occur.

The second most common type of attack is the malicious Trojan through a compromised website. Maimon said this attack is growing in both popularity and sophistication, as the end user is usually unaware their computer is being infected.

Although Trojans have been around for more than 20 years, this type of attack has mushroomed in popularity over the last three years as it no longer requires a user to open an attachment, and it can reap more rewards for the cyber criminals.

Instead, a user's PC can be compromised if they visit a site that has been hacked, even if the site owner and the user are unaware.

Maimon cited the example of the Russian Trojan called Gozi, considered the biggest ever online heist, which impacted banks around the world.

"The desktop is a lost cause," said Maimon. While people can counter phishing attacks through anti-spam software and educating users, malware has grown so sophisticated that the desktop is too difficult to protect.
Maimon said Trojan attacks are far more scalable, and are often run by criminal gangs and the mafia, as it requires high amounts of infrastructure, broadband and hosting.

In the UK, one of the most prevalent scam is the "wire scam". An example would be someone offers to give a victim an advance on a lottery prize sweepstakes they have won, but the victim needs to wire money to a foreign bank account.

These victims, dubbed "mules" by online crime watchers, are unaware they are committing a crime, said Maimon. He added the irony of this scam is that, under UK law, the "mule" could face a harsher penalty than the fraudster, because the person wiring money is committing money laundering.

Maimon said that there is still a suspension of disbelief when consumers go online. "When you are travelling in the real world, you know to avoid certain neighbourhoods, or that if you travel to a red light district, there is more of a chance that you could get mugged or robbed. People don't apply this common sense and healthy scepticism in the online world."

"If it sounds too good to be true, it probably is," he said.

RSA, the security division of EMC, has been working with law enforcement agencies and financial institutions around the world to identify and help mitigate security threats.

In its May online fraud report, the security firm said online fraud is evolving and fraudsters have new tools at their disposal.

The RSA's Anti-Fraud Command Center (AFCC), which detects, tracks and shuts down phishing and Trojan attacks against close to 200 institutions worldwide, is a key source for emerging online scam trends. The US financial brands make up 71 percent of all entities being phished, and UK institutions remain in the number two spot, with 9 percent of the phished entities.