Phishing attacks get clever

Phishing attacks are reaching a point of sophistication where even the most internet-savvy user could be fooled, said the Anti-Phishing Working Group (APWG) on Wednesday.

Phishing is where unsuspecting users receive emails that attempt to fool them into disclosing online banking passwords, by sending them to a site that mimics the look and feel of their bank's own site.

However, according to the APGW, the organisations targeted by phishers have diversified and the phishers' HTML skills have greatly improved.

The APWG was formed in November 2003 to provide a forum for financial institutions and other organisations, such as eBay, to share information in order to deal with the increasing number of phishing incidents. Dave Jevans, chairman of the APWG and a senior executive of security specialist Tumbleweed Communications, said that in the US, customers of ISPs have become a common target and he expects customers of UK ISPs to come under attack in the near future.

"One of the major [US] ISPs received three phishing attacks last week and each one resulted in tens of thousands of phone calls to its customer support line - at considerable cost. It has surprised us that it hasn't yet happened over here," Jevans said.

According to Jevans, the phishers are primarily after credit card information, so a typical scam email would tell the user that their credit card had expired or that the company was having a billing problem and needed the user to update their details. Although this idea is nothing new, the sophistication of the attacks has evolved dramatically.

"We have seen them change from having poor wording and weird mixes of Russian and English to a point where they take a real notification from an ISP and then modify the links," said Jevans.

A security vulnerability in Internet Explorer that was discovered in December gave the phishers a helping hand. This week, Microsoft released a patch to close the gap in its browser's security. But even before the patch was released, phishers had adapted their techniques.

According to the APWG, a new phishing method that people should be wary of is where the user receives an email from their ISP and when they click on the link, they are taken to the ISP's legitimate website in the main browser window; however, a new window pops up requesting their credit card information be entered. As pop-ups rarely display URL information, the user is less likely to be suspicious.

Stuart Okin, chief security officer at Microsoft UK, said that the vast majority of users, if they receive an email from their bank or another familiar organisation, should not click on the link but instead use their "favourites" folder to access the website: "If you have been using a banking site, you are likely to have that saved. So go to your favourites because you know you are safe there. That is going to be your trusted source," he said.

But Jevans also said that even this could be risky, because of a recent attack where phishers managed to reprogram a browser's favourites: "It doesn't work with all browsers, but they check the browser version. So they can reprogram your favourites too," he said.

Jevans said that for less sophisticated users, the safest method of accessing their bank's or ISP's website is to type in the URL: "For a consumer right now, type in the web address by hand. That is the best way," he said.

Munir Kotadia writes for ZDNet UK