Online phishing uses new bait

One click sends unwary users to fake websites

Rodney Jack, vnunet.com 06 Apr 2004

A new phishing attack is being used to hook unwary web users, the Anti-Phishing Working Group (APWG) has warned.

When a phishing victim clicks on a link in an email pretending to come from their bank or another company, they are sent to a fake website, which then tries to steal bank account details or other information.

The APWG said this new method does not make use of the Internet Explorer flaw used in previous attacks, but extends a similar visual effect to multiple browser platforms.

The new trick uses software that detects the user's browser and applies custom JavaScript to replace the look and feel of the web address bar with an appropriately designed working fake, to fool people into thinking they are visiting a legitimate site.

"When a user clicks the link in the email they have no way of knowing they've been taken to a fake site," an APWG spokesman told vnunet.com.

"If you were to type in a new web address in the fake address bar, it will load the new requested page."

The second issue with a fake address bar is the possibility of a 'man in the middle' attack, where every subsequent website visited, and any passwords or credit card numbers entered, could be sent to the phisher until the browser window is closed.

"We've seen about 30 unique attacks using this basic source code since 25 February 2004," said the APWG spokesman.

"This is the first evolution that is programmed to automatically detect the browser type and selectively replace the address bar with a look and feel that matches, and functions.

"This variation was first seen on 31 March and, as yet, we haven't seen it repeated. But we expect this won't be the last."

The spokesman added that phishing seems to be following the same pattern as viruses and worms, where one group develops the original version and others re-purpose successful code and enhance it further.

Phishing attacks are increasing in frequency and sophistication. February recorded the busiest month with 282 email attacks, a 60 per cent rise on January's record total, according to the APWG.

And the group warned: "Even veteran users are having a really hard time telling real from fake without diving into the source code of a message or web page.

"Consumer education will only work to a point - and that point is diminishing."
