More phishing attacks than infected emails

There's something phishy going on...

By Tom Espiner

Published: 31 January 2007 08:25 GMT

Phishing attacks have outstripped the number of emails infected with viruses and Trojans for the first time, according to security experts.

In January 2007, one in 93.3 (1.07 per cent) emails comprised some form of phishing attack, according to security mail services vendor MessageLabs. There were fewer emails infected with viruses: one in 119.9 emails, or 0.83 per cent.

The difference in the ratio of phishing to virus attacks is partly due to virus attacks becoming more targeted and no longer occurring as one large outbreak. This includes the recent Storm Worm and Warezov attacks, according to MessageLabs.

Mark Sunner, chief technology officer at MessageLabs, said: "If you look at infected email traffic for January, it's very spiky. With Storm Worm there are clear spikes, then drops down to normal levels. It's as though someone is turning on the tap briefly, then letting it abate."

Phishing attacks have become more sophisticated, according to MessageLabs. As online merchants and banks have shifted towards two-factor authentication, there has been a rise in "man-in-the-middle" phishing sites, although such attacks are still quite rare.

One particular form of man-in-the-middle attack tries to circumvent two-factor authentication by effectively hijacking a user session. Users are duped into visiting a spoofed portal, hosted on a compromised machine. Information entered, such as bank details and codes, is relayed through the compromised machine to the real bank site. Once the users have validated themselves on the real system through the compromised relay, hackers kill the user connection through the relay, and take over the session.

Phishing emails are also becoming more personalised, according to Sunner, making such confidence tricks more believable. This includes phishers sending links to people for spoof sites of banks that the intended victims actually use, as opposed to randomly hitting a section of the population.

Sunner said: "We're continuing to see a real increase in the targeted nature of messages across the board. Phishing is becoming more personalised."

More phishing sites are now using Flash content rather than HTML in an attempt to evade anti-phishing technology deployed in web browsers.

Security vendor Sophos confirmed it also saw more phishing than malware activity in January. Graham Cluley, senior technology consultant at Sophos, said: "More email at the moment does appear to be phishy rather than containing malicious attachments. The trend has been for the proportion of infected email to drop for a while now."

However, Cluley warned this indicated a shift in infection methods towards web-based attacks, rather than a shift from malware to phishing. "More and more of the bad guys are moving towards web-based attacks," he said. "That means that the email itself may not contain a malware attachment but instead a web link to a site or download that would then infect you with a Trojan horse.

"We shouldn't necessarily conclude that the malware problem is diminishing, it just may be changing its nature."

Sophos is seeing approximately 5,000 new malicious URLs every day hosting malware or drive-by downloads of unwanted content, Cluley added.

Tom Espiner writes for ZDNet UK
