A New Breed of Phish

SurfControl identified a new phishing scam that includes actual hacking into the servers of legitimate companies.

Two exploits launched last week victimized Citibank Australia and SunTrust Banks, headquartered in Atlanta, Ga. While SurfControl warned of the exploit, the banks may still be wide open.

Phishers typically send spam purporting to be from a legitimate business, asking recipients to go online to manage accounts or take care of problems. For example, one piece of spam allegedly from Citibank asked recipients to verify their e-mail addresses.

When unwary Citibank customers clicked on the link in the e-mail, however, they were taken to a look-alike site operated by the scamsters. At this phony site, they were asked to fill out a form with personal information including credit card numbers, social security numbers, account passwords and PIN numbers. The goal of the grift is identity theft.

Now, phishing has taken a nasty new twist, according to Susan Larson, SurfControl’s vice president of global content. “It’s a hacking of the search technology on the sites,” she said.

In this virulent new breed, the link in the e-mail takes those who click to a fraudulent page that’s actually hosted on the bank’s Web site. The spoof exploits a flaw in the banking sites’ search servers. This flaw lets the crooks run a JavaScript page that displays their own phishing site instead of a legitimate Citibank or SunTrust Web page. Once the user enters the requested information and submits it, the data is whisked to an off-site server operated by the identity thieves.

One weakness of phishing schemes is that the sites are easy to identify and take down, Larson said. But because this latest enhancement buries the fraudulent page within the legitimate company’s own servers, the URL is native to the merchant, and therefore very difficult to spot.

Larson said that SurfControl identified the exploits against Citibank and SunTrust last week and had notified the companies. “As far as I know, the vulnerability is still open,” she said. “I don’t know how easily they can change it.”

Executives at the two banks were not immediately available for comment.

Scotts Valley, Calif.-based SurfControl, a provider of messaging security services, operates a global network of 19 centers where researchers analyze e-mail traffic in order to identify scams, spam, viruses and other types of malicious content.

Larson said that her company’s Global Threat Command Centers have seen a 1,200 percent rise in phishing since January 2004; phishing trips now account for 8 percent of the spam in SurfControl’s database of digital spam fingerprints. According to research firm Gartner, identity theft cost banks $1.2 billion in direct losses in 2003.

“Obviously, phishing is very lucrative,” Larson said. “These schemes are getting bolder and more sophisticated.”

SurfControl advises consumers never to click on a link in an unsolicited e-mail. The problem, though, is that phishing scams target large companies with lots of customers who may not see the e-mail as unsolicited. With this latest sneaky refinement, Larson said, it’s better not to click on links in e-mails at all.

“When you click through from a link, you don’t know where you’re going,” she said. Instead, users should go to the bank’s home page and navigate from there.

Adapted from internetnews.com.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.