BEDFORD, Mass. -- Credit unions again took the dubious honor of being the favorite target of phishers and pharmers attempting to gain access to member accounts through e-mails and Web sites.
That's according to RSA Security, which said that credit unions accounted for 45% of the American financial institutions the company's Anti-Fraud Command Center said were attacked by fraudsters in December.
Nationwide banks, meanwhile, fell to 26% of the targeted attacks by brand in December, down from 44% the month before. Regional banks accounted for 29% of the attacks, up from 22% in November, RSA Security said.
Overall, the company said in its monthly report, "the number of attacked brands increased dramatically during December (from 159 to 186.) However, the figure is still much lower than that seen in December 2006. In December 2007, the RSA Anti-Fraud Command Center did detect attacks against 20 financial institutions it had not seen attacked before."
The AFCC detects, monitors, tracks and shuts down phishing, pharming and Trojan attacks for more than 250 organizations worldwide, and has recorded more than 60,000 site takedowns, the company said. It also participates in global anti-cyberfraud networks.
RSA Security, whose client base includes financial institutions and other e-commerce entities serving millions of end users, attributes the sharp rise in December phishing attacks to the Rock Phish group, which has been active for months and by some accounts is responsible for half the phishing attacks worldwide. The report also notes the emergence of other groups using similar methods.
"These attacks show some similarities to Rock Phish attacks but are hosted on completely different networks and do not demonstrate any known Rock signatures," RSA Security said in the report.
"Their magnitude and impact are far lower than Rock's, but they do exemplify some advanced phishing techniques and show that other groups are starting to adopt some of the Rock Phish methodologies," the company said.
Proxy servers that deliver the phishing content without direct communication between the victims and the actual phishing site are one similarity, RSA Security said.
The company said it has been successful in tracing at least one of the "mother ship" servers used by the new phishing groups to receive stolen personal data from the proxy servers.
"Phishing content against several institutions was hosted on this server and was delivered to the victims via the proxy servers," RSA Security said. "Information regarding this server was shared with law enforcement."
The proxy attacks are harder to shut down at the Internet server provider level, because the IP addresses change and the host server cannot be determined.
The RSA Security command center instead takes down those domains at the registrar level.
"De-listing the domains ensures that the attacks are taken down regardless of the servers on which they are physically hosted," the company said.