Online identity theft threats tripled in the first two months of 2007 as attackers shifted to simpler, more effective tactics, according to Cyveillance.
The risk monitoring company compiled data from its internet sweeps to report that the average daily count of URLs hosting malicious downloads climbed to 60,000 in February, 200 percent over the December 2006 figure. A single-day spike mid-month came close to 140,000 such sites.
"The traditional phishing technique is being replaced by putting a URL in the email," said Manoj Srivastava, Cyveillance's CTO. "The trend now is to use the browser as the attack vector."
Phishing attacks have shifted from the usual emails that try to con users into visiting reproductions of legitimate pages, then duping them into entering their personal information. Instead, thieves simply stick a link in an email message and count on users' gullibility.
"It works," Todd Bransford, vice president of marketing for Cyveillance, said when asked what might be behind the rise. "It's proved to be a highly effective way of taking control of someone's PC."
Malicious sites typically exploit browser vulnerabilities to conduct "drive-by" downloads, installing bot Trojans that let a hacker control the machine or password-stealing keyloggers on compromised systems.
Srivastava speculated that another reason for the rapid rise in malicious sites is, ironically, the effectiveness of anti-phishing software. "The phishing detection business has gotten good - ours included - and [so] it's far easier to detect conventional phishing techniques" than to gauge the potential for harm from a web site.
The quick climb might also be a result of the increasing ease with which identity thefts are crafted. "[Phishing] kits have become common. It's so simple to launch attacks now that there's something of a geometric progression going on with the numbers," said Srivastava. "The economics and risks involved being what they are, more people are learning about identity theft and how to make money from it. This looks like an inflection point."
Cyveillance also uncovered hundreds of thousands of credit and debit card account numbers in its sweeps of IRC channels and server logs of botnet operators. In the first two months of the year, the company's monitors found more than 320,000 credit and debit card numbers, more than 1.4 million potential Social Security numbers and approximately 1.3 million account log-on credentials.
"We're pretty solid on those numbers," said Srivastava. Although the Social Security numbers were not actually verified, he said, they match the nine-digit criteria and the algorithm used to construct the numerical strings.