According to the folks over at the Anti-Phishing Working Group, these attacks are on the rise. In July 2004 they had almost 2000 attacks reported, almost a third of which were against Citibank. My experience would go much further than that since almost all the phishing emails I see are Citibank ones, including the one I received tonight that prompted this posting.
I have a proposal for dealing with these in a more pro-active way… I think that one way to make these attacks less useful to the criminals behind them would be to flood them with false information. That would make finding the real card details in their data much, much harder. Since most are simple CGI or PHP scripts processing HTTP post forms, it is a simple matter to extract the names of the form fields that they are interested in (username, password, account number, PIN etc) and create a script that generates random responses for usernames pulled from a dictionary of common names. More sophisticated solutions might also verify that the credit card number being submitted is actually a valid number (i.e. it passes the Luhn algorithm validation), or perhaps provide username variations (e.g. adding a numeric suffix to the username).
Finally, an old article at BankersOnline.com talking about a phishing attack that took place on January 25, 2004, seems to go way over the top. The introductory paragraph states that “terrorists leveraging resources in Korea, and posing as United States government representatives, attacked our country in an attempt to undermine the security of our banking systems.” It goes on to say that the “reaction should be immediate neutralization of the threat.”
Update [October 21, 2004]:The BBC is running a story about the sophistication of phishing attacks now, and also some possible techniques that they might employ in the future. Seems that phishing is in the news these days. Let’s hope that the message gets out to as many potential victims as possible.