Surprising surge of Phishing on nationwide banks

In the last couple of months the RSA Anti Fraud Command Center witnessed a dramatic increase in the number of nationwide US financial brands attacked by Phishing.

Ever since the good old days of the initial Phishing attacks in 2003-2004, the share of national banks – those that span across the entire US – has been declining, as the major banks implemented effective remedies against Phishing and the public became more aware of attacks where the fraudster posed as a major national bank. The heat moved to smaller targets: regional banks and small credit unions.

2010 started with nationwide banks constituting just 25% of US brands attacked by Phishing; most of the attacked brands (61%) were smaller, regional banks.

But things took a surprise turn in March 2010.

According to the RSA online fraud report from May, nationwide banks – the top financial brands in the US – constituted around 60% of the brands attacked by Phishing. In other words, fraudsters moved their sights to bigger targets.

This isn’t a momentary fluctuation. Year on year, the share of nationwide brands doubled in April while the number of phishing attacks increased 68%.

Talking to one of the major US banks, they confirmed they’ve been hit by a surprising surge of attacks that started around March. Other banks fared even worse: talking to folks in the RSA Anti Fraud Command Center, I discovered that one of the top ten US brands which had only a few attacks in February, had hundreds of attacks in April. And in total there were 30 nationwide brands attacked in April compared to just 13 in February.

Let us use the opportunity to have a quick view of what’s new in Phishing. There are new, interesting targets, such as universities and Carbon emission exchange sites. There are also new attack types such as Chat in the Middle and next-generation Typo-Phishing. Bryan Krebs reported on a new theoretical attack using browser tab manipulation to fool the victim.

As for ‘classic’ Phishing on financial services, many of the attacks these days ask for much more than online banking data. Here’s a typical list of items victims are asked to provide to phishing sites nowadays:

·         Online banking data:

o    User name and password

o    Answers to secret questions asked by the bank

·         Card data:

o    Credit card number

o    ATM PIN

·         Email account data:

o    Email address

o    Email password (!)

·         Identity theft data:

o    Date of Birth

o    Phone number

o    Mother’s maiden name

o    Mother’s middle name

o    Father’s maiden name

o    Father’s middle name

o    Driving license number

o    Social Security number

o    US state where account was opened

As you can see, this is quite a comprehensive list. Father’s maiden name and middle name are relatively new elements.

One thing to note is that today, unlike in previous years, many of the regional banks and credit unions are protected by defenses that render direct Phishing attacks almost useless. So if all banks are more-or-less equally protected in their online channel, maybe it’s time for the fraudsters to move elsewhere. They want to collect as much information as possible in Phishing so they can hit other bank channels (such as the phone channel), utilize more data for identity theft, or spread Trojans by taking over email accounts and social network accounts.

So, what drives this renewed interest in major financial brands? I’ll keep a close look on this recent development and update when new information is available.

*** update June 3 ***

The May stats show the trend continues; 65% of financial brands in the US attacked by Phishing are nationwide banks.