Too Many Phish In The Sea: Report

The Anti-Phishing Working Group (APWG) is reporting a 178 percent jump from March to April in the number of reported phishing scams, with 1,100 unique such campaigns reported for last month, compared to 402 reported for March.

This followed a reported 43 percent jump between February and March, with the phish biting hardest on financial services and retail companies. In April, Citibank was targeted by 475 such campaigns. Online auction kings eBay, who the APWG said were the number-one phish target in March, got nailed in April at 221, with online payment service PayPal hit by 135 such attacks, according to APWG spokesperson Dan Maier, who also serves as Tumbleweed product marketing director.

"Based on what [Tumbleweed] has been hearing in the last three or four weeks from our banking customers, there's an increasing urgency to solve the phishing problem," Maier told IDG News Service. "What's driving it, if you look at the [APWG] statistics for April, is that these companies are getting nailed."

Phishing involves spoofers crafting spam that resembles official company Web pages or e-mails in order to trick unsuspecting recipients into giving up sensitive personal and financial information. And it isn't just isolated spam scammers anymore, Maier said – he thinks the surge in the problem might indicate malicious hacking groups and even organized crime involvement, saying there is growing evidence that phish pages are being swapped the same way spammers sell and trade e-mail lists.

"We've had confirmation from law enforcement in the U.S. that organized crime is behind some of these scams," he told IDG. "We also do work looking at hacker sites, and we can see that hackers and script kiddies are definitely paying attention to this phenomenon and are beginning to work together."

Other popular phish targets this year have included Fleet Bank, Barclays Bank, America Online, Westpac, Visa, Bank One, EarthLink, Microsoft, Yahoo!, and AT&T.

This doesn't mean the phish always get away. A federal judge in Texas slapped a Houston phish, Zachary Hill, with 46 months in the pen May 19, for a scam in which Hill used e-mail resembling materials from America Online and PayPal to trick recipients into turning over 473 credit card numbers, telling them their accounts had lapsed and their numbers were needed to restart them. He used those numbers to run up a tab of about $47,000 in goods and services, authorities said.

"I think phishing is one of the most serious and offensive of the frauds we see out there in the spam world," said Howard Beales, who directs the Bureau of Consumer Protection for the Federal Trade Commission, which worked with the Justice Department to reel in Hill. "This is outright theft. I think this should send a strong message to people who want to steal from consumers that they can do some serious time for it."