Newest Phishing Scam Employs Legitimate Web Sites

Phishers are beginning to bait the hook by directing marks to a legitimate institution's Web page that describes password security.

Increasingly sophisticated phishing attacks are chipping away at the reliability of e-mail and Web-based applications as a trusted form of communication for business transactions. And the Anti-Phishing Working Groups latest report doesnt hold much comfort.

The APWGs latest monthly report, issued last week, indicates that the Citibank brand was again the No. 1 target for fraudulent e-mail-based scams. There were nearly 1,200 unique phishing attacks reported to the APWG in May, which is 6 percent more than in April.

Lawmakers and vendors are cracking down on phishing. Click here to read the story. When I talked with APWG spokesperson Dan Maier, I learned about an emerging phishing technique thats not in the report but worth describing for enterprises as well as Internet users.

Phishers are beginning to bait the hook by directing marks to a legitimate institutions Web page that describes password security. A week later, the phisher sends the potential victim a "follow up" e-mail strongly encouraging the victim to create a new password using the guidelines that were pointed out the week before.

Its just one more step in the social engineering of a scam designed to rip off even fairly well-trained Internet users.

Until there is a reliable, authenticated method of communication for business, Ill continue to deep-six unexpected messages that are supposedly from financial institutions I use.

Fortunately, Ziff Davis perimeter anti-spam filter, combined with my desktop anti-spam client, is still keeping my in-box phish-free.

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page