There are some who think that phishing has gone out of fashion. But according to reports by the Anti-Phishing Working Group (APWG), the number of attacks of this kind rose again in 2014 to reach the highest ever levels (a new case every two minutes; almost 250,000 a year in total). In the same year, the number of web domains set up for identity theft also increased by 7%, whilst the total number of domains in the world grew at a slower rate of 3%. Phishing attacks on social networks are still growing at 125% a year.
The real danger for society is that phishing has led to spearphishing, that is, attacks aimed at a person or group within an organization. These attacks increase at a rate of 8% a year and cause average losses of €75,000. They consist of very specific messages, apparently from people we know or colleagues, with topics and contents copied from our normal emails.
The last report published by APWG on phishing trends and activities, and on cybercrime in general, indicates that during the last quarter of 2014:
– A total of 549 corporations were attacked by phishing, which is up almost 4% from the previous quarter.
– Every three months around 100,000 individual phishing attacks are recorded. There is a certain degree of seasonal variation, as at the start of the year (the post-Christmas crunch, Chinese New Year) there are fewer attacks, and at the end of the year (Christmas campaigns, Black Friday, etc.) more are recorded. This number is still rising, after a drop in 2009. For example, PayPal receives almost 100 attacks a day, and Apple registered the most, with an average of over 120 attacks a day.
– Over 70% of all attacks are on activities related to financial transactions: e-commerce is the main target (32.4%), followed by banks (25.7%) and correspondent banks (12.8%).
– Only 1.7% of the domain names used to steal information have a name similar to that of a well-known commercial brand. So if we look at the URLs that we are going to visit, we could avoid over 98% of attacks.
– Every day, almost 230,000 new forms or varieties of malware are registered on average.
Other sources indicate that just in the USA in 2014, a total of 621 major incidents of this kind occurred, leading to the theft of 77,890,487 user records. The credit and banking sectors reported 24 major incidents in the same year, which compromised 1,172,320 client records.
In Europe, personal data theft is increasing at a rate of 25% a year, according to the ENISA report (ENISA Threat Landscape 2014), and tends to be focused on data that have a financial impact on the victims.
A total of 80% of cyberattacks are made possible by weak passwords.
A total of 29% of security incidents have been related in some way to social networks, with average losses of €20,000 to 80,000 per attack. Scams based on identity theft or theft of contact data or friends from social networks lead to losses of over 10 billion euros, which are also the estimated losses due to what are known as 419 scams.
Cybercrime continues to increase and we continue to fight against it. Coming up is the I Symposium on Electronic Crime Research (eCrime 2015) in Barcelona, organized by the APWG, an organization in which I am chair of the Organizing Committee. At this conference, we will look at how we can face the new challenges of cybercrime at a global level, and we will study how the latest research responds to the latest cybercrime techniques.
In the same field, but in the area of dissemination, the book Cibercrimen will be presented in Barcelona today at the Librería HispanoAmericana (Gran Vía 594). In a way that is simple for any internet user, we will learn how to move through cyberspace without exposing ourselves to cybercrime, through useful self-protection techniques.
We look forward to seeing you there!
PhD. Manuel Medina
Professor at the Universidad Politècnica de Catalunya (UPC), Scientific Coordinator of the European division of APWG (APWG.EU), a member of the advisory council of ISMS Forum Spain (2013), and the founder and director of esCERT-UPC (which is part of inLab FIB UPC).