Industry struggles to tackle phishing

Phishing websites detected in January soared to nearly 9,000

The number of phishing websites detected in January soared to nearly 9,000 setting a new monthly record, according to figures from the Anti-Phishing Working Group.

David Jevans, the organisation's chief executive, said during a session at the RSA Conference in San José that the previous record was 7,197 set in December 2005.

Phishing scams attempt to trick unwary surfers into divulging sensitive and confidential information to bogus websites designed to appear as bona fide businesses such as internet banking sites.

The latest development is the rise of corporate phishing, where attackers aim to steal confidential information or gain access to corporate networks. Attackers often use instant messaging to contact their victims, as many businesses use such networks internally.

Panellists in a conference session about phishing attacks painted a grim picture of the industry's chances of beating the phishers.

"At some point or another, statistically speaking, you will fall for these attacks. They are getting that good," said Bob Lord, senior engineering director for identity management products at Red Hat.

"We know that there is a certain amount of user education that we can go through that will work. But there also is an upper bound.

"It doesn't matter how many memos come out within an organisation telling users to never trust these things, we know that people will fall for them across the board."

Security initiatives are attempting to block phishing attacks at several points. One way is blocking emails that solicit users to go to a phishing website where they are asked to leave their information.

But few spam filters will catch an email sent from a domain that is made to look like that of a bank, as they do not typically look like spam emails.