By Will Sturgeon, 3 November 2004 12:28
A phishing scam has been detected which does not even require users to click on a link in order to jeopardise their personal data while banking online. Simply opening the email may be enough.
Although MessageLabs, which discovered this new technique, says the fairly crude scam is very low risk and has not yet been seen in Europe, it is a worrying development of which users and banks should be aware.
When the email is opened a script runs which rewrites the hosts file of the targeted machine. The effect is that the next time the user attempts to access legitimate online banking at one of the targeted banks, the altered hosts file, which has been lying in wait for such a moment, redirects them to a fraudulent website which apes the site they were attempting to access.
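The tampering described above leaves a detectable trace: a hostname other than localhost mapped to a routable address, and a file whose hash no longer matches a known-good baseline. The following is an added example, not code from the article or from MessageLabs, showing both checks over constructed hosts-file content (the bank domain and the 203.0.113.10 address are placeholders; on Windows the real file is C:\Windows\System32\drivers\etc\hosts).

```python
import hashlib
import ipaddress

# Constructed sample input: a minimal clean Windows hosts file and a tampered
# copy in which a bank's domain has been pointed at a routable address
# (203.0.113.10 is a documentation address, not a real server).
CLEAN_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"
TAMPERED_HOSTS = CLEAN_HOSTS + "203.0.113.10    www.example-bank.com  example-bank.com\n"

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def suspicious_entries(text):
    """Flag mappings that send a hostname anywhere other than loopback.
    A stock hosts file maps only 'localhost' to 127.0.0.1 / ::1, so a name
    resolving to a routable address is exactly what the phishing script leaves."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "malformed address"))
            continue
        if not addr.is_loopback:
            flagged.append((ip, name, "non-loopback mapping"))
    return flagged

def file_digest(text):
    """SHA-256 of the file contents, recorded once as a known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def unchanged_since_baseline(text, baseline_digest):
    """True if the hosts file still matches the recorded baseline digest."""
    return file_digest(text) == baseline_digest

if __name__ == "__main__":
    baseline = file_digest(CLEAN_HOSTS)  # taken when the machine was known clean
    print("unchanged since baseline:", unchanged_since_baseline(TAMPERED_HOSTS, baseline))
    for ip, name, reason in suspicious_entries(TAMPERED_HOSTS):
        print(f"ALERT {name} -> {ip} ({reason})")
```

Administrators who deliberately add non-loopback entries will see those flagged too, so treat the output as a review list rather than a verdict.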
Alex Shipp, senior antivirus technologist at MessageLabs, said: "This script silently modifies the users' machines and creates this vulnerability. The next time the user goes to bank online, that's when it will get them."
So far the company has intercepted only a relatively small number of these new phishing emails, in South America, where they target three Brazilian banks; but, as ever with malicious activity online, any success will likely see the scam spread to new territories.
Shipp said this first iteration of such a covert phishing technique will only affect users who have Windows Scripting Host and certain ActiveX controls enabled, and he believes the majority of users with up-to-date patches, or the most recent versions of Outlook, where such features are switched off as standard, will be protected.
But it is the general trend which is causing the most concern.
"Perhaps Brazil was targeted by this first, fairly basic email because the writers knew there were a large number of unpatched PCs there, but the worry is that this could become more advanced," said Shipp, warning that future iterations of such a scam may employ JavaScript or similar means to create such a vulnerability on users' machines.
MessageLabs is currently detecting between 80 and 100 new phishing websites every day.

Comments
There are 3 comments.
1. Brian Burkill
Where would the responsibility lie for this, with the user or with the bank?
One online banker (Halifax) declares that if anyone is a victim of fraud, they will be compensated in full.
They do warn against opening any emails which are designed to redirect you to a site. But what do you do when the malicious email gives no such details? You have acted totally innocently.
I think that banks should bear the responsibility for any phishing. That way, any fight carries more clout, with their combined weight against the scammers, as opposed to the individual.
Until I get a declaration of safety on the online banking websites, I am not even going to enter my user name, let alone my password.
It may be an idea to subtly change the content of the online banking front pages daily, with a private letter sent to each customer to specifically look for the change. If it is not present (say, a piece of text or something), then assume the worst.
This would at least harass the phishers when they try to emulate the websites, as they would have to look and change them daily, or even hourly.
2. Nick Owen (www.wikidsystems.com)
Glad to see that at least one bank is stepping up to protect its customers. Consumers need to switch to banks that offer more security, that would drive more banks to adopt measures to mitigate phishing threats. In my biased opinion, two-factor authentication should be offered by online FIs.
3. anonymous
Perhaps the hosts file system needs to be updated. While it has been in use likely since the earliest days of the internet, the fact that it is a simple flat file opens it to these kinds of attacks. I can't count the number of times I've been dealing with a customer over the phone and they have a virus or spyware/adware that has modified the hosts file.
It won't even be enough to write-protect the hosts file, because write protection can be changed programmatically. You can get a number of utilities that will tell you when the hosts file has been modified or possibly even warn you when a program is trying to modify it.