
Consumer Affairs

Puddle Phishing: Online Fraud Goes Local


June 14, 2005
Phishing scams are going local, as online scam artists direct their efforts towards more targeted groups, including local banks and credit unions. Websense Security Labs, which reported the trend, calls it "puddle phishing."

Websense said it has seen a growing number of small credit unions targeted by puddle phishing scams -- more than 30 since the beginning of the year. One of the community banks recently targeted operates with as few as 11 branches.

A puddle phishing attack targeting a credit union that serves employees and staff of the White House was also reported by the Labs.

"In the past, phishers focused on mainstream consumer websites with millions of users, but now the targets are becoming much smaller and more localized," said Dan Hubbard, senior director of security and technology research at Websense.

"By targeting a bank with just a few branches, the number of potential phishing prey is reduced to a much smaller number, sometimes to just a few thousand people. Nonetheless, the fact that we are seeing more and more of the smaller financial outlets being targeted by phishing attacks may indicate that this is a highly profitable scam."

Although targeting financial institutions of this size is a new phenomenon, the phishing method used by the attackers has not changed. The typical phishing email is still delivered as if it were from a legitimate financial institution and contains a message threatening that users' accounts will be deactivated, blocked, or restricted in some way if they do not update their personal account information.

End users are instructed to visit a website where they are prompted to enter confidential information such as ATM PINs, credit card numbers, Social Security numbers, and email addresses.

"The attack style and dynamics are very similar on many of these recent puddle phishing attempts, which may mean that there is some tool sharing or a small amount of attackers behind this recent wave," Hubbard said.

According to the Anti-Phishing Working Group's (APWG) Phishing Activity Trends Report for April 2005, the most targeted industry sector for phishing attacks continues to be financial services, from the perspective of total number of unique phishing sites as well as number of companies targeted.

The financial services sector accounted for 84% of all hijacked brands in April. This category includes phishing attacks against community banks and credit unions in addition to well-known institutions with global brands.

Websense recently reported in its 2005 Web@Work "Phishing Trends Survey" that 45% of IT decision-makers surveyed stated that employees within their organization have clicked through URLs embedded within phishing emails. Half (50%) of the IT decision-makers surveyed do not believe that employees can accurately identify phishing sites, and 32% of IT decision-makers polled report that phishing attacks have caused security problems for their organizations in the past year.


