The new attack is an enhanced form of phishing, scams that are defined as attempts to steal credit card data and other sensitive information through social-engineering efforts. Phishing scams typically employ phony e-mail messages that purport to come from banks or popular Web sites such as eBay or PayPal. The messages try to lure recipients into entering account information and passwords into bogus forms hosted on malicious Web sites.
Scammers are now taking phishing to the next level. Instead of relying on victims' gullibility, they are using technological tricks borrowed from crackers and virus writers to exploit software vulnerabilities and plant Trojans on compromised computers.
An example of this new approach is an e-mail message that began circulating last week with the purpose of installing a Trojan known as Sepuc. The e-mail has no subject line and no text in the body of the message. When the user opens the message, code hidden in the e-mail attempts to exploit a known vulnerability in Microsoft Corp.'s Internet Explorer to force a download from a remote machine.
This file, in turn, downloads several other pieces of code and eventually installs a Trojan capable of harvesting data from the PC and sending it to a remote machine, experts say. The most worrisome aspect of this attack is that, unlike previous scams, victims would likely have no idea that they had done anything wrong.
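The combination described above, a message with no subject and no visible text that nonetheless carries active HTML content, is something a mail gateway can flag on its own. The following Python example is added here for illustration and is not code from the article or from any of the companies it quotes; it parses constructed sample messages with the standard library and reports whether a message matches that "blank but active" pattern. The sample messages, the tag list and the helper names are all assumptions for the example.

```python
import email
from email import policy
from html.parser import HTMLParser

# HTML elements that can load or run content without rendering any visible text.
# The set is an assumption for this example, not a list from the article.
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}


class _HtmlInspector(HTMLParser):
    """Collects the text a reader would see and notes any active-content tags."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.active_tags = set()
        self._skip_depth = 0  # text inside <script>/<style> is not visible to the reader

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active_tags.add(tag)
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.text_parts.append(data)


def visible_text_and_active_tags(html):
    """Return (visible text, set of active tags) for an HTML fragment."""
    inspector = _HtmlInspector()
    inspector.feed(html)
    inspector.close()
    return "".join(inspector.text_parts).strip(), inspector.active_tags


def is_blank_active_message(raw_message):
    """True when a message has an empty subject, no visible body text,
    and at least one active-content HTML element."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    visible = ""
    active = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            visible += part.get_content()
        elif ctype == "text/html":
            text, tags = visible_text_and_active_tags(part.get_content())
            visible += text
            active |= tags
    return subject == "" and visible.strip() == "" and bool(active)


# Constructed sample messages (addresses and content are placeholders).
BLANK_ACTIVE_SAMPLE = """From: sender@example.invalid
To: user@example.invalid
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><script>/* constructed placeholder, no payload */</script></body></html>
"""

NORMAL_SAMPLE = """From: sender@example.invalid
To: user@example.invalid
Subject: Lunch on Friday?
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Are you free at noon?
"""

BLANK_INERT_SAMPLE = """From: sender@example.invalid
To: user@example.invalid
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body></body></html>
"""


def classify_samples():
    """Run the heuristic over the constructed samples; used by the stand-alone demo."""
    return {
        "blank_active": is_blank_active_message(BLANK_ACTIVE_SAMPLE),
        "normal": is_blank_active_message(NORMAL_SAMPLE),
        "blank_inert": is_blank_active_message(BLANK_INERT_SAMPLE),
    }


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name}: {'FLAGGED' if flagged else 'ok'}")
```

The check is deliberately narrow: it flags only messages that are simultaneously subject-less, text-less and carrying active markup, which legitimate mail almost never is, so it can sit in front of heavier content inspection without generating much noise. A blank message with no active content, and an ordinary message with a subject and text, both pass.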
"If it works successfully, it's just a blank e-mail, and you don't see anything else. It's a whole new trend for this stuff," said Bill Franklin, president of Zero Spam Network Corp., in Miami. Franklin has been tracking the new attacks since receiving and thwarting such malicious missives last week. "Having your account information compromised and not knowing it is the scary part. This is the best thing I've ever seen like this," he said.
Phishing is a relatively recent phenomenon, having popped up within the past year. But it is becoming more popular with online criminals. In September, MessageLabs Inc., a New York-based e-mail security company, saw 279 phishing-related e-mail messages. By March, that number had jumped to 215,643. Likewise, the Anti-Phishing Working Group, a volunteer consortium that monitors online scams, reported last week that it tracked 402 unique phishing scams in March, an increase of 43 percent from February.
Most typical phishing e-mail messages are poorly constructed and rife with misspelled words and, as such, are easily identifiable as fakes. But the Sepuc attack and a more sophisticated new version of the eBay scam, which also exploits an IE flaw to install a keystroke logger on compromised PCs to steal user names and passwords, don't immediately strike recipients as malicious.
The increasing sophistication of the new attacks is not just the result of criminals getting better at their craft; they're also starting to cooperate with crackers and virus writers to swap ideas and methods.
"These worlds are starting to collide. The code behind these newer attacks is very polished and, in some cases, even has comments in it," said Dan Maier, a member of the Anti-Phishing Working Group, in Redwood City, Calif. "They're sharing code with crackers, using spamming techniques. It's a scary combination."
Maier said he has also seen attacks recently in which users who click on a link to a fraudulent Web site are redirected through several sites, some of which attempt to load Trojans or back doors onto the users' machines. So, even if the user is smart enough not to enter any personal information into the Web form, his or her data still could be at risk, said Maier, who also serves as director of product marketing at Tumbleweed Communications Corp., a secure e-mail provider also in Redwood City.
This fact is not lost on federal law enforcement officials, who have made identity theft and phishing high priorities and are investigating the new breed of attacks, sources say. The attacks also have gotten the attention of banks and other financial institutions that end up dealing with the aftereffects of the fraud that results from these scams.
"Their concern is more for their reputations than the actual financial losses. They're dealing with people's trust here," said Eli Katz, director of the active risk monitoring practice for Unisys Corp., based in Blue Bell, Pa. "These organizations are walking a fine line with phishing. They want people to be aware, but they don't want them to be so paranoid that they stop doing business with them.
"The same concept used here could be used to fake any authority, like a company's HR department," Katz said. "You could do a lot of damage with something like that."