Phishers hit large Internet firms more than banks, among study findings

Stealthier malware, more phishing, and large numbers of U.S.-based malicious IP addresses are among the findings in Webroot’s recently released annual briefing.


Google, Apple and Facebook were targeted by twice as many phishing sites as financial institutions such as banks and PayPal in 2015, Webroot says in its latest annual briefing, published in February.

The reason for the dot-com focus is that hackers can accumulate larger numbers of user IDs and passwords, because many people on those sites reuse the same credentials across the Internet, Webroot explains. Attacking Facebook and its peers garners “multiple compromised accounts with each phishing victim,” the security outfit says.

And indeed, more Webroot users are coming across zero-day phishing sites. Half of Webroot users had “a first contact” with one in 2015, compared with about a third (30%) in 2014. Zero-day phishing attacks can steal personally identifiable information (PII).

U.S. credit card numbers with date of birth run $15 on the black market, I discovered last year.

Zero-day phishing often involves what’s called “spear phishing,” where malware is deployed onto computers through links in e-mails that send users to malware-loaded web servers.

The term “zero-day” refers to vulnerabilities in hardware or software of which there is no prior knowledge, and therefore “no vendor fix or software patch available for it,” Webroot competitor FireEye explains on its website. One zero-day exploit used in 2015, for example, involved Adobe Flash Player, FireEye recounts on its site. The threat in that case consisted of e-mails embedded with links to web servers hosting a malicious Adobe Flash Player file.

Webroot says its data shows “zero-day phishing attacks are becoming the hacker’s choice for stealing identities.” Phishing is hard for users to spot. A study I wrote about last year found that users don’t spend enough time looking for the scam.

Malware is also morphing more to evade detection, Webroot says in the briefing (PDF).

Although the malware is based on common code, its writers are aggressively altering parts of it to make the harmful applications harder to spot with signature-based detection methods, it says.

By changing binaries in certain ways, executables can be made to appear unique, and thus not show up in detection. This hiding, called polymorphism, is “overwhelmingly” how the iffy files are getting delivered; traditional anti-virus software can’t spot them, Webroot says.
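To show why signature matching misses such variants, here is an added Python example (not from Webroot or the briefing) comparing a constructed sample with a constructed “polymorphic” variant of it: an exact-hash blocklist and a fixed byte-pattern signature both miss the variant, while a simple byte n-gram similarity, a toy stand-in for the richer threat data Webroot describes, still flags it. The payload bytes and the URL are constructed placeholders.

```python
import hashlib

# Constructed stand-in for a malicious executable (illustrative bytes, not real malware).
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 12                 # fake header
    + b"\xe8\x00\x00\x00\x00\x5b\x81\xeb"          # call/pop stub (illustrative opcodes)
    + b"http://evil.example/payload.bin\x00"       # constructed placeholder URL
    + b"\x31\xc0\x50\x68\x63\x61\x6c\x63"          # xor eax,eax; push; push 'calc'
)

# Constructed "polymorphic" variant: same logic, but junk bytes inserted and one
# character of the URL changed, so every byte offset after the header shifts.
VARIANT = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\x90\x90"                                  # inserted NOPs
    + b"\xe8\x00\x00\x00\x00\x5b\x81\xeb"
    + b"http://evil.example/p4yload.bin\x00"       # 'a' changed to '4'
    + b"\x90"                                      # another inserted NOP
    + b"\x31\xc0\x50\x68\x63\x61\x6c\x63"
)

KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}   # hash blocklist built from ORIGINAL
KNOWN_PATTERN = b"http://evil.example/payload.bin"       # fixed byte-string signature


def hash_signature_hits(sample: bytes) -> bool:
    """Exact-match detection: any single changed byte defeats it."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


def byte_pattern_hits(sample: bytes) -> bool:
    """Substring signature: defeated once the matched bytes are mutated."""
    return KNOWN_PATTERN in sample


def ngram_set(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams: tolerant of insertions and small edits."""
    sa, sb = ngram_set(a, n), ngram_set(b, n)
    return len(sa & sb) / len(sa | sb)


def similarity_hits(sample: bytes, reference: bytes = ORIGINAL, threshold: float = 0.5) -> bool:
    return similarity(sample, reference) >= threshold


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, hash_signature_hits(sample), byte_pattern_hits(sample),
              round(similarity(sample, ORIGINAL), 2), similarity_hits(sample))
```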

Webroot is keen to explain that its own anti-malware solution doesn’t rely on signature detection, and instead uses Internet scanning to gather data on threats, among other things. It says its solution is better than traditional methods.

Another finding in the briefing is that huge numbers of malicious IP addresses are being created daily: a hundred thousand dodgy IP addresses per day in 2015, by Webroot’s count, up from about 85,000 a day in 2014. The security company says that means cyber crooks aren’t relying on previously used addresses; the new ones help concealment.

And interestingly, it’s the U.S. that hosts almost half (40%) of malign IP addresses, the security vendor says. That’s despite the general sense we have that most things cybercrime-oriented originate overseas. Malicious URLs are also “largely hosted” in the U.S., with 30% of them U.S.-based, Webroot says.

“More malware, malicious IPs, websites, and mobile apps were discovered in 2015 than in any previous year,” says Hal Lonas, chief technology officer at Webroot, in the report.
