
This week in phishing

Phishers are setting up fraudulent e-commerce Web sites and waiting for victims using Google and other search engines to find them.

Steven Musil Night Editor / News
As online shopping gets into full swing, phishers are setting up fraudulent e-commerce Web sites and simply waiting for victims using Google and other search engines to find them.

Traditionally, phishing scammers have lured their victims to fraudulent Web sites by sending official-looking e-mails that are ostensibly from well-known companies asking people to "verify" their usernames and passwords. Now many are setting up legitimate-looking e-commerce sites that disguise links to malicious software as pictures of goods on sale.

Instead of linking to pictures of the advertised product, the links point to a self-extracting Zip file that installs a Trojan horse on the victim's computer. The program could then steal personal and financial information.

In response to the emerging threat, a browser promises to detect phishing sites and nail an increasingly prevalent type of floating Web ad. Deepnet Explorer, a browser shell that uses Microsoft's Internet Explorer to render Web pages, analyzes Web addresses and combs through its own list of suspect sites to determine whether a site might be part of a phishing scam, in which fraudsters attempt to get personal and payment information from unsuspecting visitors.

Version 1.3 of the browser, previously available in a test, or beta, version, also takes aim at a new kind of Web advertisement that has been evading pop-up-blocking software. The ads, called "floating" or "overlay" ads, move around on the screen and are immune to the pop-up controls increasingly common in browsers and browser toolbars.

But monetary losses from phishing fraud may not be as high as some analysts had estimated. Financial consultant TowerGroup said phishing attacks this year will account for less than $150 million in consumer losses worldwide. The finding puts TowerGroup at odds with other researchers, who have put damages as high as $500 million.

Businesses, and not consumers, stand to lose the most from phishing. Phishing attacks lead online users to be more wary of e-commerce sites and e-mail communications, TowerGroup said. That could crimp business during the most lucrative quarter for online retailers, and companies whose brands are co-opted by scammers may have to deal with increased support calls and lost confidence in their brand.