
An article relating to this blog post on Finextra:

Phishing attacks surge in 2008

The volume of phishing attacks detected by RSA during 2008 grew by 66% over those observed throughout 2007, with UK and US financial institutions bearing the brunt of the assaults.


Phishing Attacks Rise Dramatically in 2008

Robert Siciliano

Stupid people get hooked by phishers. You have to be a complete idiot to get sucked into a scam email riddled with typos, making requests that are geared toward naïve, simple-minded, pea-brained fools. Right? Yes? No?

So why have phishing attacks risen dramatically in 2008? That’s 66% higher than in 2007.

Have we gotten dumber or are the attackers getting smarter?

RSA concluded that phishing attacks rose to an unprecedented 15,002 in April of 2008. Millions of people, mainly in English-speaking nations, received ruse after ruse. 68% of US bank brands were attacked. Fewer than 7% of UK brands experienced attacks.

However, the UK takes the title for the most exploits as the most phished country in the world, accounting for 40% of the 135,426 cases detected by RSA.

This seems to be due to the UK's system allowing fraudulent transfers fast enough, in “real time”, to avoid detection. Criminals like real-time fast cash.

Much of the success of phishers is that they are in fact getting smarter, using “fast flux” attacks. “Fast flux is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.” (Thank you, Wikipedia.)
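The defining symptom of fast flux described above, many short-lived A records rotating across unrelated networks, is something a defender can score from repeated DNS lookups. The following is an added illustration, not code from the post or from RSA; the DNS snapshots are constructed, and the thresholds are assumptions for demonstration.

```python
import ipaddress

# Constructed lookup snapshots for a hostname: (TTL seconds, A records returned).
# A fluxing host answers with a short TTL and a fresh set of proxy IPs each time.
FLUX_HOST = [
    (120, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    (120, ["198.51.100.9", "192.0.2.81", "203.0.113.200"]),
    (120, ["192.0.2.5", "203.0.113.77", "198.51.100.120"]),
    (120, ["198.51.100.33", "192.0.2.150", "203.0.113.5"]),
]
# A conventionally hosted site keeps the same couple of addresses with a long TTL.
STABLE_HOST = [
    (3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, ["192.0.2.11", "192.0.2.10"]),
]


def flux_features(snapshots):
    """Summarise how much a host's A records change across successive lookups."""
    seen_ips, seen_prefixes = set(), set()
    new_records, prev = 0, None
    for _ttl, records in snapshots:
        current = set(records)
        seen_ips |= current
        # Collapse each address to its /24 so we count distinct networks, not hosts.
        seen_prefixes |= {
            str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in current
        }
        if prev is not None:
            new_records += len(current - prev)  # addresses not in the previous answer
        prev = current
    lookups = max(len(snapshots) - 1, 1)
    return {
        "min_ttl": min(ttl for ttl, _ in snapshots),
        "unique_ips": len(seen_ips),
        "unique_prefixes": len(seen_prefixes),
        "new_per_lookup": new_records / lookups,
    }


def is_fast_flux(snapshots, ttl_limit=300, min_ips=6, min_prefixes=3):
    """Heuristic: short TTL plus many addresses spread over several networks."""
    f = flux_features(snapshots)
    return (
        f["min_ttl"] <= ttl_limit
        and f["unique_ips"] >= min_ips
        and f["unique_prefixes"] >= min_prefixes
    )
```

Legitimate CDNs also rotate addresses, so in practice the churn score is one input to a blocklist decision alongside domain age and registrar data, not a verdict on its own.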

Tonight I spent 2 hours on the phone in a webinar with a startup reviewing a fully functional toolbar that makes 54 checks to determine the validity of a website, checking for phishing, pharming, etc. All any bank needs to do is adopt the technology and require their clients to adopt it in the sign-in process. In most cases, problem solved.

And do you know what we labored over in this call? How to get all the bank's clients to install a simple toolbar that would protect them and the bank.

Why is this so difficult?

Security professionals are fighting a long brutal battle. The public should chime in.

In the States, law enforcement's motto is to "Serve and Protect". They do serve, and they do, in fact, protect. And we say "where's a cop when you need one" because we don't take immediate responsibility for our plight. But in reality they/we can't be everywhere.

Scambaiters in video Here




Comments: (8)

Stephen Wilson - Lockstep Group - Sydney, 21 February, 2009, 04:00

You ask, why is it so difficult to get customers to install a toolbar?

Robert, if your starting premise is that they are "complete idiots", then you have, in one fell swoop, answered your own question, pissed off a whole lot of your targets, and exacerbated the problem.

Yes, those who fall for phishing are not highly computer literate, but why should we expect them to be?  We don't expect all drivers to be automotive engineers, or Niki Lauda.  Any purported solution to phishing that requires average Internet users to install special toolbars is likely to be beyond the capacity of the very people who are falling prey.


Stephen Wilson, Lockstep.


Robert Siciliano - Boston, 21 February, 2009, 04:25

The point is made the phishers "are in fact getting smarter"


As a rowdy teen, the only thing that smartened me up was a back hand. A little tough love never hurt anyone.  Exacerbating the problem is failing to inform, remind, and if necessary reprimand the users of their responsibilities to protect themselves. Personal responsibility. It's been 10 years of phishing. It's getting worse. The public needs a backhand.

And you shouldn’t necessarily know how to engineer a car, but you better know how to drive it safely. ya know?

Stephen Wilson - Lockstep Group - Sydney, 21 February, 2009, 05:36


I do not believe it's reasonable to put the onus on users to this extent to protect themselves online.  This is not supposed to be the Wild West anymore; we're talking about making people safe as they go about their business in the digital economy.

The traditional preoccupation with education and training does not serve ordinary people well.  The best advice from governments and banks -- such as and -- runs to a dozen pages or more.  It's simply overwhelming.  And technicians know it's already out of date: keeping an eye out for the SSL padlock for example is not enough anymore given Man-in-the-Middle attacks on the certificate chain. The theft of credit card details en masse from back-end databases means that even when a user diligently follows all the cyber safety advice, they can still have their IDs stolen and replayed in CNP fraud.

As for the idea of 'safe driving' online, well when the equipment is inadequate, relying on education alone, with a dose of tough love, can border on reckless.  As Ralph Nader said, some cars are "unsafe at any speed". 

I don't want to turn people off, nor do I expect people to be protected from stupidity.  My point is that we need more balance in the cyber safety debate, and a greater emphasis on proper security infrastructure is urgently needed, as a matter of public policy.  In particular, it is high time that governments and banking regulators took a greater interest in digital identity technologies, and stopped letting market forces alone cater for consumer protection online.  We don't let the public connect any old bit of kit onto the telephone network, so regulators should be prepared to take a more active role in digital economy infrastructure. 



Robert Siciliano - Boston, 21 February, 2009, 18:30

NZ Banks

Robert Siciliano - Boston, 21 February, 2009, 20:39

Let me be clear. Law enforcement and security professionals are providing tremendous value. They can only do so much. Even when more security is introduced there will still be another path to exploit.

I speak to law officers who break their humps to protect us, and the public expects more than they or us can provide. Security is a process that requires a coordinated effort among the protectors and the protected. Maybe shaking up the status quo will seed a little inspiration to be security minded.

David Divitt - VocaLink - London, 23 February, 2009, 10:16

Don't forget, an "attack" is just a criminal setting up a phish site/email and attempting to sucker the public... doesn't mean they are successful!  In my experience phishing success, or at least the average loss per successful attack, is falling.

Robert Siciliano - Boston, 23 February, 2009, 12:15

There is a tremendous burden on government and industry to protect. And that burden is just. There still needs to be a degree of citizen accountability. 

If consumers are to enjoy the conveniences of technology, they should have a sense on how to use it securely.

I'm not the only loon on the planet holding the public's feet to the fire. In the NZ Banks link above, see:

"Banks in New Zealand are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection.

Under the terms of the banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date.

The code, issued by the Bankers' Association now has a new section dealing with Internet banking.

Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have "used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up-to-date."

I'm moving to NZ... if they'll have me.

A Finextra member, 27 February, 2009, 17:40

There are some e-banking anti-fraud systems already available. They build up a customer profile (what OS, browser do you use, what is your network segment, how do you use e-banking, when do you make transaction, what are the transaction amounts, etc), and if you make a new transaction then it is compared to your profile.

So let's say I use my e-banking from Budapest, from the office, daytime, Windows Vista, Firefox 3.0...

If someone wants to make a transfer from China, from a Linux PC, using Chrome during the night, then the anti-fraud system will alert that it is a very suspicious transaction, blocking it or asking for a secondary authentication over the phone.

I think it is a good tool to increase security and can filter 80% of the attacks.
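The profile-comparison approach the commenter describes can be sketched as a weighted deviation score that decides between allowing, stepping up to a second factor, or blocking. This is an added example, not the commenter's or any vendor's system; the profile, weights and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    countries: set      # countries the customer has transacted from
    networks: set       # /24 prefixes (a stand-in for "network segment") seen before
    os_names: set
    browsers: set
    active_hours: set   # hours of day at which the customer normally transacts
    amounts: list       # past transaction amounts


@dataclass
class Transaction:
    country: str
    network: str
    os_name: str
    browser: str
    hour: int
    amount: float


# Constructed profile modelled on the comment: Budapest, office, daytime, Vista, Firefox.
PROFILE = Profile({"HU"}, {"10.1.2"}, {"Windows Vista"}, {"Firefox 3.0"},
                  set(range(8, 18)), [120.0, 80.0, 150.0, 95.0, 110.0])

# Assumed weights: geography dominates, device and time-of-day add to it.
WEIGHTS = {"country": 40, "network": 15, "os": 10, "browser": 10, "hour": 15, "amount": 30}


def risk_score(p: Profile, t: Transaction) -> int:
    """Sum the weight of every attribute that departs from the customer's profile."""
    score = 0
    score += WEIGHTS["country"] if t.country not in p.countries else 0
    score += WEIGHTS["network"] if t.network not in p.networks else 0
    score += WEIGHTS["os"] if t.os_name not in p.os_names else 0
    score += WEIGHTS["browser"] if t.browser not in p.browsers else 0
    score += WEIGHTS["hour"] if t.hour not in p.active_hours else 0
    # Amount is compared statistically: an outlier beyond 3 standard deviations scores.
    if len(p.amounts) >= 2 and pstdev(p.amounts) > 0:
        z = abs(t.amount - mean(p.amounts)) / pstdev(p.amounts)
        score += WEIGHTS["amount"] if z > 3 else 0
    return score


def decide(score: int) -> str:
    """Map a score to the three outcomes the comment describes."""
    return "block" if score >= 60 else "step_up" if score >= 30 else "allow"


def assess(p: Profile, t: Transaction):
    score = risk_score(p, t)
    return score, decide(score)
```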
