Brazilian phishing expedition adds to concerns

PUBLISHED : Tuesday, 09 November, 2004, 12:00am
UPDATED : Tuesday, 09 November, 2004, 12:00am

The con snares users as they open e-mail, replacing legitimate Web addresses with links to false sites

The menace that is phishing continues to evolve into more sinister means of extracting bank details and personal information from unsuspecting internet users.

Whereas previous techniques worked by luring users to fake websites via links in spam e-mails, the latest version discovered by MessageLabs last week snares users as soon as they open an offending e-mail.

The e-mails run a script that rewrites the computer's hosts file, the local text file that maps host names to IP addresses and that Windows consults before it sends any query to a DNS server.

When users subsequently type the address of a legitimate online bank into their web browsers, the bank's host name resolves to the attacker's server instead of the real one, so the browser silently loads a fraudulent website where their bank details can be stolen. No HTTP redirect and no misleading link is involved; the address bar shows the genuine bank name throughout.

'By reducing the need for user intervention, the perpetrators are making it easier to dupe users into handing over the contents of their bank accounts,' MessageLabs senior anti-virus technologist Alex Shipp said.

'Most banks have advised their customers to be wary of any e-mail asking for personal banking details, but in this case all they have to do is open an apparently innocent e-mail and their bank details could be silently sabotaged.'

The latest scam has so far targeted three Brazilian banks, but MessageLabs Asia-Pacific technical director David Banes warned that it might not take long for the scam to spread worldwide.

'The phishing community is like the virus-writing community - if one person does it, it is not long before the technique spreads,' he said.

'People can easily get hold of the technique and apply it to banks in Australia or Hong Kong.'

Brazil is emerging as a hotspot for internet fraud, with 53 arrests in the past month and up to US$30 million stolen from online bank accounts.

Mr Banes said the latest threat probably originated from a local group in the country.

In Hong Kong, a phishing scam believed to have originated in eastern Europe had HSBC staff frantically ringing customers last month to check the legitimacy of online transactions. But MessageLabs said the present scam would be even more difficult for banks to prevent as the process began merely by opening an e-mail.

One way to prevent the attack is to disable Windows Script Host (WSH), the component that executes the offending script when the e-mail is opened. Note that this setting governs scripts handed to WSH (such as .vbs and .js files); script inside web pages is run by the browser's own engine and is not switched off by it. But Mr Banes said the solution was far from ideal because many legitimate websites used scripting to enhance content.

'Disabling scripting is a legitimate way to solve the problem but it will not make for a rewarding online experience,' he said.

MessageLabs detects between 80 and 100 phishing websites a day, along with 'tens of thousands' of phishing e-mails.

'Over the past year we've seen lots of innovative ways of conning people into doing what they don't want to do online,' Mr Banes said.

'They use similar techniques - e-mails, web browser vulnerabilities, they all fall in the same basket.'

The company also warned last week of fraudulent e-mails targeting Yahoo! users that asked them to verify their Yahoo! identity codes.

The e-mails claim to help Yahoo! prevent automated registrations but actually trick users into creating e-mail accounts from which spammers can distribute unsolicited e-mails.

How users are tricked

Users receive an innocent-looking e-mail that contains no reference to online banking in the subject line

Opening the e-mail activates a silent script that rewrites the computer's hosts file, the local name-to-address table the browser consults before DNS to decide which server a typed address leads to

The user types in the address of a real online bank but is redirected automatically to a fraudulent site that resembles the real deal

Still unaware that the browser has taken them to the wrong site, the user tries to log in to their bank account. The hackers now have all the necessary information to go shopping with their savings

All this takes place without the user clicking on any misleading links, and without the user suspecting anything unusual
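The practical check a defender wants for the attack described above is to inspect the hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) for entries that point bank host names, or any host name, at a routable address, and to fingerprint the file so later changes are noticed. The following Python is an added example written for this page; it is not MessageLabs' code and the article names no tool. The watch-listed bank domains, the sample hosts-file contents and the hypothetical function names are constructed for illustration.

```python
"""Detect hosts-file hijacks of the kind described in the article.

Added example, not MessageLabs' code. WATCHLIST and SAMPLE_HOSTS are
constructed for illustration; on a real machine read the hosts file
from %SystemRoot%\\System32\\drivers\\etc\\hosts (or /etc/hosts).
"""
import hashlib
import ipaddress
import re
from typing import Dict, List, Tuple

# Hypothetical watch list: a legitimate bank is served by public DNS, so
# any hosts-file entry for one of these names is the attack in the article.
WATCHLIST = {"bank.example", "www.bank.example", "login.bank.example"}


def _is_benign_target(ip) -> bool:
    """Targets Windows ships with, or that cannot reach an attacker: loopback etc."""
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping in hosts-file text.

    Handles '#' comments, blank lines, several host names per line and
    mixed tabs/spaces; skips lines whose first field is not an IP address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in fields[1:]:
            entries.append((fields[0], host.lower().rstrip("."), line_no))
    return entries


def find_hijacks(text: str, watchlist=WATCHLIST) -> List[Dict]:
    """Flag every entry that maps a host name to a non-local address.

    A watch-listed bank name (or a subdomain of one) is rated high; any other
    host name pointed at a routable address is still unusual on a home PC.
    """
    findings = []
    for ip_str, host, line_no in parse_hosts(text):
        ip = ipaddress.ip_address(ip_str)
        if _is_benign_target(ip):
            continue
        watched = host in watchlist or any(host.endswith("." + d) for d in watchlist)
        findings.append({"line": line_no, "host": host, "ip": ip_str,
                         "severity": "high" if watched else "low"})
    return findings


def hosts_fingerprint(text: str) -> str:
    """SHA-256 over the parsed mappings, so comment or whitespace edits don't alert
    but any changed, added or removed mapping does. Store it as a baseline."""
    canonical = "\n".join(f"{ip} {host}" for ip, host, _ in parse_hosts(text))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample: a hosts file after the e-mail's script has run.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# added by the malicious script
203.0.113.45    www.bank.example bank.example
203.0.113.45    login.bank.example   # victim sees the real bank name
192.168.1.10    printer.lan
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
    print("fingerprint:", hosts_fingerprint(SAMPLE_HOSTS))
```

Run against the sample, the three bank names come back as high-severity findings and the printer entry as low; a clean file containing only the loopback lines produces no findings. Comparing `hosts_fingerprint` of the live file with a stored baseline catches the rewrite even before a victim types a bank address, which is the window the article says no amount of link-wariness closes.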