Phishing Without a Lure

Security experts say that a recent phishing attack — typically e-mailed as enticements to bogus sites that endanger users’ systemsand expose their personal information — is limited in scope, but they are concerned that it may be a sign that attackers are toying witha new way of phishing, one that does not require a lure.

E-mail security outfit Message Labs highlighted the attack this week, indicating that a phishing technique designed to capture online banking detailsdid not require users to click on a link, possibly exposing data simply by opening an e-mail.”They’re basically trying out a new technique to see how it works,” Message Labs senior antivirus technologist Alex Shipp told TechNewsWorld. “I wouldexpect if [the technique] is successful, [it] could spreadto the rest of the world.”

Silent Script

Message Labs indicated that at the end of October, ithad intercepted e-mails which, when opened, silentlyran a malicious script that attempts to rewrite thefiles hosted on a victim’s machine.

“This means that the next time the user attempts tolegitimately access online banking, they will beautomatically redirected to a fraudulent Web site,enabling their log-in details to be stolen,” MessageLabs said in a statement.

The security company said it had intercepted onlycopies of e-mails targeting three Brazilian banks, butadded more such attacks can be expected if thetechnique is at all successful.

Growing and Evolving Threat

The phishing attack appeared by most accounts to be acase of a “proof-of-concept” release, showing theworld what attackers are capable of and laying thegroundwork for other attackers to improve theapproach, making it even more dangerous.

The automatic phishing ploy also comes as the issueof malicious sites that snare unwitting users intodivulging data or control becomes an increasinglysignificant threat.

Shipp reported that Message Labs is seeing about 80to 100 phishing sites per day, calling the attacks adanger to both consumers and enterprises.”It is a moving target, making it harder toidentify and defend against,” Shipp said. “As ever, acombination of user education and the necessary levelsof technology-based protection are essential.”

Still Site Dependent

While the victims of the latest phishing technique maynot have to click on a link to be victimized by theeffort to steal information, the attack is similar totraditional phishing scams because it is dependent ona Web site to capture the data.

Shipp and other security experts point to this as amajor mitigating factor in phishing, because as soon aspeople are alerted to a successful phishing attack,the site that is causing it is quickly shut down.

Shipp said thatmost banks have advised their customers to be wary ofe-mail asking for personal details.

Tougher to Handle

Nevertheless, Shipp indicated the lack of a needfor users to click onto a bogus site makes defendingagainst phishing a bigger task.

“This latest technique demonstrates how phishingattacks could become increasingly difficult for endusers and online organizations alike to protectagainst,” he said. “By reducing the need for userintervention, the perpetrators are making it easier todupe users into handing over the contents of theirbank accounts.”

“In this case all [users] have to do is open anapparently innocent e-mail and their bank details couldbe silently sabotaged,” Shipp said.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

LinuxInsider Channels