
Phishing and Spam in 2007: ISTR XII

Updated: 29 Jun 2009
Ron Bowes

Volume XII of Symantec's Internet Security Threat Report looks at a variety of trends that were seen in phishing and spam. Although spammers' and phishers' techniques and targets constantly vary, one thing remains the same: they're trying to make money – and they're getting better at it.

Financial services remained a more popular target for phishing attacks than any other sector, making up 79 percent of unique brands phished and 72 percent of all phishing Web sites. The reason for this is obvious: phishers want money, and stealing bank account or credit card information is one of the quickest ways to make it. And with credit cards commonly selling for less than ten dollars on the black market, and bulk rates offered on credit card sales, the phishers need a lot of them to turn a profit.

In an attempt to get more bang for their buck, phishers have started developing other techniques. One such technique is the use of automated phishing toolkits. These toolkits facilitate the creation of phishing Web sites. The three main phishing toolkits that were detected accounted for 42 percent of phishing sites detected during the period, which is a significant proportion. Additionally, some even send the phishing emails. So rather than spending that extra time fine-tuning a bunch of HTML code, the phishers can focus on how to make their scams even more effective. This type of commercialization has been increasingly apparent among malicious code developers, with products for sale like MPack, phishing toolkits, and other canned hacks.

Spam, likewise, has remained focused on profitable schemes. The most common type of spam message blocked was spam for commercial goods, such as the sale of watches, sunglasses, and other brand-name products, which comprised 22 percent of spam messages. Although many potential customers may not realize it, these products are often counterfeit; but, in the hopes of getting a deal too good to be true, people may be fooled into buying them anyway, directly giving money to the spammers. Spam that advertised financial services was a close second, making up 21 percent of spam detected. Much of this consists of spam touting stocks, commonly referred to as "pump-and-dump" scams. Users are encouraged to buy cheap stocks, driving the stock price up, then the spammer sells his shares and runs with the money. Yet again, the attackers are looking for a direct revenue stream.

Image-based spam made up, on average, 27 percent of spam messages blocked during the first six months of 2007. Starting at over 50 percent in January, the proportion of image spam fell steadily until the end of the period, reaching about 15 percent. Image spam is much more difficult to use than traditional spam, taking a great deal more programming experience and computing power to pull off. However, as long as it was more profitable than traditional spam, it was being used. As new methods of detection have been developed, and image-based spam has become easier to block, attackers are likely seeking new and improved methods to send spam.

Phishing and spam have both evolved and developed over the years, but one thing has remained constant: they are trying to make money. And they don't care whose money they take. For more information on this and other topics, please see Volume XII of Symantec's Internet Security Threat Report.