Tech News
Phishing attacks grow more insidious
By Sebastian Knoppik Oct 17, 2010, 4:06 GMT
Frankfurt - A phishing attack used to consist of a somewhat unprofessional looking email that criminals hoped unsuspecting persons would open, clearing the way for access to private data. But those days are long gone. Now criminals have gone wholesale online.
That means the attacks have also become more insidious, and they rarely arrive by email. But a combination of technical security and sound skepticism should be able to protect anyone from these sneaky attacks and prevent criminals from casting an eye over your bank accounts.
In Germany, for example, things took a slight turn for the better in 2008, as the sum of money lost to phishing scams fell from 17.4 million to 7 million euros (24.2 million to 9.7 million dollars).
Christian Spahr, a spokesman for the German technology industry association BITKOM, said the change was probably because of greater use of iTANs, a system whereby bank users are asked to input a number randomly chosen from a list supplied to them before they can complete an online banking transaction.
'But, of course, the criminals have geared up and reacted to this additional security measure,' he said.
The good times definitely did not last long. Losses due to phishing rose by 64 per cent to 12 million euros in 2009. About 2,900 phishing cases are believed to have been reported in Germany that year, according to the German Federal Crime Office (BKA).
This year BITKOM and the BKA expect about 5,000 registered phishing cases, with damages running to about 17 million euros.
And the attacks are growing sleeker. Just a few years ago, scams would often show up in a very clumsy email. Now the attempts are smoother. Often, email account information from a particular person is copied so that recipients think they are receiving a note from a known party.
'If I get an email from the boss, then I react completely differently,' says Norbert Pohlmann, head of the Institute for Internet Security at Germany's Gelsenkirchen Technical College.
But Pohlmann advises some healthy scepticism: 'I can't rely upon the email address.' Special software can help in these cases.
'There are anti-malware programmes that warn about the likelihood that an email is suspicious.' In an emergency, people can simply call up the sender if an email looks suspicious.
But since the word in cyberspace is that one shouldn't just open every email one receives, the email as a method of attack has fallen out of favour with criminals.
'Phishing is no longer focused on emails. It can happen anywhere where the internet is available,' says Pohlmann.
Indeed, most current attacks occur with the help of a so-called Trojan Horse, says Frank W Felzmann, an expert with Germany's Federal Office for Information Security.
'This way, malware is carried over to the user's computer. The programme then turns itself on when the user enters data during online banking. The data is then captured and the cash is instead transferred to the account of the swindler,' he says.
There are a variety of ways to get stuck with these kinds of dangerous programmes. It can be as simple as trying to open an email attachment.
However, even if one ignores all incoming spam mail, the danger is not over. Drive-by downloads can force themselves onto someone's computer while the victim is innocently surfing in an unsecured area.
'Users should be careful about which sites they're hanging out on online,' advises Felzmann. Other important steps include purchasing anti-virus software and routinely updating computer systems.
The safety of online banking also depends upon the degree of security. 'More secure methods than iTAN have appeared in recent years, but they're not offered by every bank,' says Spahr.
Felzmann says the safest way looks to be the Mobile TAN or mTAN.
'With that system, the user gets a text via mobile with a TAN that is only useable for the financial exchange in question, which can only proceed once the TAN is confirmed.' Of course, this only works if people aren't using smartphones, which hackers can access via the internet.
Other ideas for more safety in online banking include a TAN generator. Banks give their customers the gadget, which only gives out a TAN that can be used for a short time. Numbers are only provided if people also have their bank card handy.
Anyone who is the victim of a phishing attack should immediately block bank accounts and change their password, says Felzmann. 'The banks will then try to get back the money, if the attack is only a few days or hours old.'
