Online crooks target government Web sites for phishy tax refunds

Stealing money through fraudulent tax refunds was the main purpose of phishing activity targeting government Web sites during the month of February.

This was a finding of “The State of Phishing” monthly report compiled by the anti-fraud team at Symantec Security Response.

A computer security research group at Cupertino, Calif.-based Symantec Corp., Symantec Security Response analyzes viruses, blended threats, and other security vulnerabilities.

Most phishing attacks in February – 84 per cent of observed fraud activity – targeted the financial sector (specifically, e-commerce and banking sites), the report said.


The next target was the information services sector at 13 per cent.

However, there was a vital difference in the objective of assaults on each of these sectors.

“Most phishing attacks on the information services sector did not involve stealing user credentials for the purpose of [stealing] money, but probably for carrying out spam activity.”

Around one per cent of the attacks were directed at a bunch of other sectors – such as retail, communications, retail trade, ISP, aviation and entertainment, the Symantec report said.

A piece of good news, though, is the slight drop noted in the number of unique phishing sites – 17,471 such sites were identified, 1.8 per cent lower than the previous month. These sites targeted a total of 227 known brands.

There was a 12.5 per cent month-over-month decrease in the number of phishing URLs generated using toolkits. During the month of February such phishing toolkits generated around 7,847 phishing URLs.

These automated toolkits simplify the creation of phishing Web sites, allowing people without any technical knowledge to launch phishing attacks.

The use of free Web-hosting services to create fraudulent Web sites continues to be a common phishing strategy.

More than 108 Web hosting services were used to host phish pages targeting more than 147 brands in the reporting period.

According to the report, 293 domains – spoofing 51 brands – were used to mount typo-squatting attacks. Typo-squatting refers to the practice of registering domain names that are typo variations of financial institution or other popular Web sites.

Phishers continue to use IP addresses as part of the host name instead of a domain name.

The report said 1,803 attacks used IP addresses instead of domain names in the URL field.

This tactic is used to hide the fake domain name, which would otherwise be easily detected. The fact that many banks use IP addresses in their Web site URLs makes it difficult for customers to distinguish a legitimate IP address from a fake one.

Phishing sites used to launch these attacks were hosted in 62 countries – and among the non-English phishing sites, Italian-language phish sites were most frequently identified, followed by sites in French and German.

Top level domains used with the greatest frequency were .com, .net and .org.

However, among the country code top level domains those with Russian, French and German extensions headed the list.

The number of randomized domain names used in phish sites decreased by 1.8 per cent compared to the previous month.
