
This week in phishing

Phishers are setting up fraudulent e-commerce Web sites and waiting for victims using Google and other search engines to find them.

As online shopping gets into full swing, phishers are setting up fraudulent e-commerce Web sites and simply waiting for victims using Google and other search engines to find them.

Traditionally, phishing scammers have lured their victims to fraudulent Web sites by sending official-looking e-mails that are ostensibly from well-known companies asking people to "verify" their usernames and passwords. Now many are setting up legitimate-looking e-commerce sites that disguise links to malicious software as pictures of goods on sale.

Instead of linking to pictures of the advertised product, the links point to a self-extracting Zip file that installs a Trojan horse on the victim's computer. The program could then steal personal and financial information.

In response to the emerging threat, a browser promises to detect phishing sites and nail an increasingly prevalent type of floating Web ad. Deepnet Explorer, a browser shell that uses Microsoft's Internet Explorer to render Web pages, analyzes Web addresses and combs through its own list of suspect sites to determine whether a site might be part of a phishing scam, in which fraudsters attempt to get personal and payment information from unsuspecting visitors.

Version 1.3 of the browser, previously available in a test, or beta, version, also takes aim at a new kind of Web advertisement that has been evading pop-up-blocking software. The ads, called "floating" or "overlay" ads, move around on the screen and are immune to the pop-up controls increasingly common in browsers and browser toolbars.

But monetary losses from phishing fraud may not be as high as some analysts had estimated. Financial consultant TowerGroup said phishing attacks this year will account for less than $150 million in consumer losses worldwide. The finding puts TowerGroup at odds with other researchers, who have put damages as high as $500 million.

Businesses, and not consumers, stand to lose the most from phishing. Phishing attacks lead online users to be more wary of e-commerce sites and e-mail communications, TowerGroup said. That could crimp business during the most lucrative quarter for online retailers, and companies whose brands are co-opted by scammers may have to deal with increased support calls and lost confidence in their brand.