This is what makes a recent phishing attack particularly interesting. Unlike those listed in the Anti-Phishing Working Group’s archive, it does not masquerade as coming from a trusted organisation, nor does it explicitly urge recipients to click on a link. Instead, it appears either to have been sent in error or, at worst, to be some fairly mild kind of spam message. It does, however, contain a URL that recipients might be tempted to follow out of curiosity – especially given the relative innocuousness of the message, and the lack of any traditionally phishy features.
But as the Code Fish Spam Watch site reveals in loving detail, doing so unleashes an extraordinary series of intrusive events. They culminate in highly targeted screenshots of password characters being grabbed and sent to an email address in Russia if the user happens to log into Barclays online bank – ironically, one of the few to employ a two-step user login process designed to protect its customers from ordinary keylogger trojans.
Two things are striking about this. First, the technical virtuosity of this scam is an indication of how fast this field is evolving. Second, the form of this intricate, low-level attack presupposes a machine running Windows and its default applications. In other words, it depends on the Microsoft monoculture still found within most companies and homes.
As these examples show, phishing is rapidly becoming malware’s new frontier – a devastating mix of coding deftness and cold-blooded deceit. Eradicating it will be even harder than stopping spam, the perpetrators of which are little more than script kiddies in comparison to these new phisher kings.
Glyn Moody welcomes your comments.