Online phishers these days are casting a much wider net and have become infinitely more much skilled at reeling in access credentials to high-value targets, such as corporate banking systems and VPN networks, according to the latest phishing activity report (PDF format) from the Anti-Phishing Working Group (APWG).
While popular online sites and brands, such as Amazon (NASDAQ: AMZN), eBay (NASDAQ: EBAY) and Facebook are still phishers' playgrounds, tinier prey -- like small credit unions in the Upper Peninsula of Michigan and mom-and-pop bridal boutiques in Louisiana -- are being targeted with surprising alacrity by organized phishing syndicates.
"These small brands are getting hit with the same sophisticated schemes as the big guys," APWG Secretary General Peter Cassidy told InternetNews.com. "[Phishers] are using e-mail and cell phones together to hit targets they've been stalking for months."
The report found that the number of hijacked brands soared to an all-time high of 356 in October, up from the previous record of 341 in August, according to the Cambridge, Mass.-based industry association created to fight identity theft and fraud.
More disturbing to consumers and e-commerce companies, however, is the uptick in phishing attacks focused on high-value targets, such as high-ranking employees in personnel and treasury departments or C-level executives like those targeted in a recent high-profile cyber attack at three of the world's largest oil production and processing companies.
"'Spear-phishing' and 'whale-phishing,' where targeted individuals inside of corporations or of high net worth, appear to be increasing," APWG chairman Dave Jevans said in the report. "These attacks do not contribute significantly to the overall number of unique phishing e-mails that are sent, as they are not using broad-based spam."
Jevans said the trend these days is for phishing syndicates, which APWG and law enforcement agencies estimate at around three dozen worldwide, are customizing their e-mails and text messages to target individual users.
The scam artists are using information found on corporate Web sites, social networking sites, hacked e-mail servers and from other compromised data networks to create dossiers on their targets complete with names of co-workers, friends and projects to construct an e-mail that appears as benign as possible.
"Any person or object seen as having any value is open to attack," Cassidy said.
For every high-profile bust, such as the landmark Operation Phish Phry sting that brought down 100 suspected phishers based in the U.S. and Egypt, security experts estimate that dozens of others go unnoticed or unprosecuted largely due to the complexity of the operations.
"The problem is there's almost no deterrent," Cassidy said. "It takes a long time to go after these guys and it requires a lot of [technical] expertise."
On the bright side, the number of unique phishing reports submitted to the APWG in the fourth quarter fell 29 percent from the all-time high of 40,621 in August to 28,897 reports in December.
However, the number of phony phishing URLs set up by criminals rose from 130.68 per targeted brand in October to 185.50 in December, illustrating how phishers are not only reaching higher up the corporate food chain, but also deeper into the bowels of its online organization.