COLUMBIA, S.C. — Scalability is a big deal for software users at all kinds of organizations, including in the world of phishing and other online fraud.

A check with a few of the major players in online security for credit unions finds that those who spend their professional lives watching these things are seeing, as one firm puts it, "an explosion in the proliferation of identity theft crimeware worldwide" as the tools get easier to use across broader sets of targets.

"Fraudsters continue to focus on scalability and getting more bang for their buck, whether it be phishing or crimeware," says Jens Henrichsen, product marketing manager for RSA Security, a Massachusetts-based provider of online security solutions and participant in global anti-phishing networks.

Recommended For You

And despite the rapidly increasing threat of crimeware–the "silent killer" that can go undetected for several weeks or months–phishing techniques continue to evolve as well, Henrichsen says.

"Namely, whether it is increased use of phishing-based man-in-the-middle attacks, spear phishing or botnets, these evermore sophisticated tools are enabling fraudsters to launch quicker and easier attacks," the RSA executive says, "and target more institutions."

Credit unions included.

For instance, SecureWorks has seen a sharp increase in cyber-attacks on the more than 500 credit unions whose online presence it monitors. Elizabeth Clarke, the Atlanta company's vice president of corporate communications, says SecureWorks' researchers recorded an average of 2,913 attempts on each of its client credit unions per month from mid-April through the end of September, compared with 1,287 per month the previous six months.

"The number of hackers is definitely increasing as cybercrime becomes more profitable and the ability to get into the business is easier than ever," Clarke says. "To be a successful cyber criminal, one doesn't have to be extremely tech savvy anymore.

"The amount of malware and turnkey attack kits for sale on the Internet is amazing. There are countless underground marketplaces available on the Internet where one can buy plug-and-play malware, making it very easy for one to get into the business and begin attacking attractive targets like credit unions."

Meanwhile, Cyveillance, another major provider of Internet monitoring and threat analysis, says it has seen a leveling in the number of traditional phishing attacks but a sharp rise in attacks that blend malicious software and phishing and use well-known brand names to lure consumers.

In fact, says Todd Bransford, vice president of marketing for Arlington, Va.-based Cyveillance, "the number of malware attacks on the Web now exceeds phishing attacks."

Those attacks include keyloggers, pharming Trojans and screen scrapers that steal credentials for later use. The experts note that most of those are root-based kits, making the infected machines essentially uncleanable without being completely re-imaged. And the fraudsters are quick to come up with new variants each time the anti-virus software catches up with them.

Bransford says credit unions make up 30% of the brands his firm sees come under attack but that size does not necessarily determine who's next.

"It seems that the criminal carrying out these phishing attacks are always testing the waters, so to speak, to find targets that are more susceptible," the Cyveillance marketing chief says. "This has created a cyclical environment where phishers move from one institution to the next and back to previous targets.

"We continue to see phishing attacks plague institutions of all sizes."

So, what's a credit union to do? Well, consider safety in numbers.

Henrichsen at RSA says that credit unions, like any financial institution, need to

be able to identify phishing attacks or crimeware targeting them and their members and have a holistic and tested approach to mitigating such threats in a multi-layered way.

That includes investigating, blocking or taking down fraudulent sites with the help of the major anti-fraud networks, or face unpleasant consequences, he says, adding that consumer education can only go so far.

"We have worked with credit unions that, unfortunately, thought they were prepared for phishing or crimeware attacks and, only through living through it first-hand, came to realize the level of capability and partnerships required to actually mitigate these threats effectively," Henrichsen says.

NOT FOR REPRINT

© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more inforrmation visit Asset & Logo Licensing.