“Crimeware” on the Rise

According to the Anti-Phishing Working Group, a consorita of security firms, banks and law enforcment agencies, conventional phishing attacks have decreased slightly but marked an increase in crimeware: malicious software designed to steal identity information for financial crime.

In July, APWG researchers also found that phishers are designing systems specifically to neutralize counter-phishing technologies that are being deployed by financial institutions and e-commerce sites.

“The technological contest between phisher and counter-phisher is well and truly underway,” said APWG Chairman David Jevans in a statement. “It is a contest of escalation.”

APWG researchers reported a marked increase in screenscraper technology by phishers, used to counter the graphical keyboard systems that some financial services firms are using to avoid the hazards of keylogging Trojans. When the user mouseclicks a character on the graphical keyboard, the screenscraper takes a snapshot of the screen and sends it to the phishers’ server for inspection. This happened in at least one example intercepted by researchers.

“Crimeware continues to evolve as we have seen the deployment of advanced techniques to steal information,” said Dan Hubbard, senior director of security for Websense, and APWG analyst, in a statement. “These Trojan horses are moving beyond keylogging to now capture screenshots to obtain end-user credentials.”

The APWG reported some 14,135 unique phishing reports in July, down from 15,050 in June. In July 2005, 71 brands were reported as being phished, down from a high of 107 different brands being phished in May 2005.

However, phishers are spreading their nets, and are moving away from some traditional marquee name financial institutions that are perennial targets, and hitting a wider base of smaller financial institutions and ISPS. Financial institutions made up 86% of all phishing targets, down slightly from a recent high of 91%.

The APWG reported that in July, there have been increased numbers of variants and new banking keyloggers. There were some 174 phishing-based Trojans detected in July, up from 154 in June.

The numbers of websites which were hosting these keyloggers rose even more dramatically (almost a 100% increase). The United States and Brazil compromise almost 70% of all the sites that were hosting Trojan keyloggers and used personal hosting websites that are mostly used for online journals, blogs, and personal storage.