Phishing overtakes viruses and Trojans

Security experts say phishing attacks are becoming more sophisticated, outnumber e-mails infected with malicous software.

Tom Espiner Special to CNET News
3 min read
Phishing attacks have outnumbered e-mails infected with viruses and Trojan horse programs for the first time, according to security experts.

Security mail services vendor MessageLabs reported on Monday that in January 2007, one in 93.3 e-mails (1.07 percent) comprised some form of phishing attack. There were fewer e-mails--one in 119.9, or 0.83 percent--infected with viruses.

The difference in the ratio of phishing to virus attacks is partly due to virus attacks becoming more targeted and no longer occurring as one large outbreak. This includes the recent Storm worm and Warezov attacks, according to MessageLabs.

"If you look at infected e-mail traffic for January, it's very spiky," Mark Sunner, chief technology officer at MessageLabs, told ZDNet UK.

"With Storm worm, there are clear spikes, then drops down to normal levels," Sunner said. "It's as though someone is turning on the tap briefly, then letting it abate."

Phishing attacks have become more sophisticated, according to MessageLabs. As online merchants and banks have shifted toward two-factor authentication, there has been a rise in sophisticated "man in the middle" phishing tools and Web sites, though such attacks are still quite rare.

Two-factor authentication often involves the user keying in pseudorandomly generated codes--for example, from a key fob--as well as entering a password. This is designed to foil attacks where information is harvested using keyloggers; the code can be used only once.

One particular form of man-in-the-middle attack tries to circumvent this by effectively hijacking a user session. Users are duped into visiting a spoofed portal, hosted on a compromised machine. Information entered, such a bank details and codes, is relayed through the compromised machine to the real bank site. Once the users have validated themselves on the real system through the compromised relay, hackers kill the user connection through the relay and take over the session.

Phishing e-mails are also becoming more personalized, according to Sunner, making such confidence tricks more believable. This includes phishers sending links to people for spoof sites of banks that the intended victims actually use, as opposed to randomly hitting a section of the population.

"We're continuing to see a real increase in the targeted nature of messages across the board. Phishing is becoming more personalized," Sunner said.

More phishing sites are now using Flash content rather than HTML in an attempt to evade antiphishing technology deployed in Web browsers.

Security vendor Sophos confirmed that it also saw more phishing than malicious-software activity in January. "More e-mail at the moment does appear to be phishy rather than containing malicious attachments," said Graham Cluley, senior technology consultant at Sophos. "The trend has been for the proportion of infected e-mail to drop for a while now."

However, Cluley warned that this indicated a shift in infection methods toward Web-based attacks rather than a shift from malicious software to phishing.

"More and more of the bad guys are moving towards Web-based attacks," he said. "That means that the e-mail itself may not contain a malware attachment but instead a Web link to a site or download that would then infect you with a Trojan horse.

"We shouldn't necessarily conclude that the malware problem is diminishing; it just may be changing its nature," Cluley added.

Sophos is seeing approximately 5,000 new malicious URLs every day hosting malicious software or drive-by downloads of unwanted content, Cluley said.

Tom Espiner of ZDNet UK reported from London.