Security vendors are warning of a new type of phishing scam with a longer potential lifespan than the typical attack.
RSA Security Inc. of Bedford, Mass., said Wednesday that it spotted two attacks in recent weeks that used a redirection server to forward victims to one of a number of fake sites.
Phishing attacks try to lure people to fake Web sites, where they are asked to reveal personal information that can be used for identity theft.
Setting up multiple sites can complicate the efforts of banks and security vendors to stop an attack.
"Instead of whack-a-mole, you're whacking armies of moles," said Peter Cassidy, the secretary general of the Anti-Phishing Working Group, a trade group that monitors phishing trends.
"A redirect attack is another level of sophistication, higher than a regular phishing attack," he said.
The group has found that the average phishing site stays up for 5.3 days before banks and security firms can take it down.
Naftali Bennett, a senior vice president at RSA's Cyota Consumer Solutions unit, said that the two recent attacks, which his company is calling redirection attacks, used about five fake Web sites each. The servers frequently check each site to determine which are still active, and which have been taken down.
"As long as one of those five Web sites is still live, the entire population will be redirected to that sole, survivor Web site," he said.
RSA can find, and shut down, a typical phishing site in about four to five hours, but he said it takes about 12 hours to find all the systems involved in a redirect attack and bring them down.
That's partly because many anti-phishing efforts are triggered when victims send banks the address of a fake site, he said; in a redirect attack, sending the address alone would not let banks find the main redirect server or other fake sites. The server's location can be determined only from the e-mail messages that lure people to the fake sites, Mr. Bennett said.
Ariana-Michele Moore, an analyst at Celent Communications LLC in Boston, said, "The longer a phishing site is operational, the more damage it causes."
In a report published last month, the Anti-Phishing Working Group said the number of phishing sites reported in December rose 37% from November, to 7,197, by far the largest monthly total for last year. The second-largest was the 5,259 reported in August.
The group also found that financial companies are still the most likely targets of phishers; 89% of the attacks reported in December imitated financial companies.
Dave Jevans, the group's chairman, said phishers have used redirection techniques in the past to hide their tracks, by bouncing people from one server to another before sending them to the machine hosting the phishing site.
Mr. Cassidy said he has heard about redirect attacks in the past year, but the attacks spotted by RSA may indicate a growing type of threat.
Mr. Bennett said redirect attacks have gone from theory to reality in recent weeks. "There's always a lot of talk about potential things that may happen," but "this is the first time we've seen it."
George Tubin, a senior analyst at TowerGroup Inc., a Needham, Mass., unit of MasterCard International, said criminals may have used redirect attacks in the past, but there has likely been "an uptick" in recent weeks as phishers have changed their methods to make their attacks more effective.
"Phishing's not going to go away, no matter how much we try," he said. "Customers are going to continue to be tricked."
