Analysis: Phishing arrests highlight massive problem

Operation Phish Phry is just the tip of the iceberg

Many phishers use what are known as fast-flux networks to make tracking them down even harder, Jevans added. A fast-flux network allows an attacker to move a counterfeit Web site to new servers in rapid succession. The rogue sites themselves are torn down, sometimes in a matter of hours, often before they are even noticed. And more than 70 per cent of the time, the servers hosting a phishing Web site have themselves been compromised and belong to legitimate companies, Jevans said.

The APWG and others are working with organizations such as ICANN to see whether processes can be developed that allow domain registrars to quickly remove rogue domain names from the Internet. But that is an effort that could take years to materialize.

Chet Wisniewski, senior security advisor at security vendor Sophos, said that while there is a heightened awareness about phishing scams, many people continue to fall victim because of the increasingly sophisticated tactics used.

Tools are available that allow attackers to develop remarkably authentic-looking sites that can fool even the most aware users, he said. And many phishing attacks these days don't even use e-mails to trick users into parting with their credentials. Malware programs such as the QHost Trojan horse are capable of stealing account names and passwords directly from an online session, and can even redirect the browser to a fake Web site -- all without the user's knowledge or participation, he said.

Other techniques to get usernames and passwords involve the use of phone mail, instant messaging and even pop-up screens right in the middle of a banking session.

Contributing to the problem is the continuing failure by many U.S. banks to implement two-factor authentication for controlling access to customer accounts, Wisniewski said. Stronger authentication measures, such as requiring users to enter a one-time token generated password, in addition to their usernames and password would make it all but impossible for attackers to break in using just a customer's login credentials, he said.

"It can be done from the convenience of anybody's home, from [an] Internet cafe from abroad and at all hours," Southwell said. "It can be done to maximum effect by taking advantage of technology to send out millions of e-mails and getting just a few to respond."

"...It is easy to do and hard to get caught," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Jaikumar Vijayan

Jaikumar Vijayan

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?