A new email 鈥phishing鈥 scam uses a tiny program to modify computers so that they covertly redirect a victim鈥檚 web browser to a bogus banking site.
Opening one of the new phishing messages will trigger a script embedded in the email. This script tries to alter a file that can be used to surreptitiously redirect a web browser on the recipient鈥檚 computer even when a legitimate web address is entered. Previous phishing scams have utilised URLs which resemble genuine ones to trick users.
However, like previous phishing emails, the text of the latest variant aims to trick the recipient into handing over the password for their online bank account by claiming this must be reconfirmed at their bank鈥檚 web site. If the target goes to their bank鈥檚 website, they will actually be viewing the bogus site instead.
Advertisement
By stealing account and password data, the fraudsters can then plunder their victims鈥 bank accounts.
Technical limits
The con is not currently considered a huge threat. So far, only about 30 emails incorporating the trick have been reported 鈥 all originating in South America and targeting one of three Brazilian banks. But experts are concerned that the con could soon spread.
鈥淚f it works there, we could well see it elsewhere,鈥 says Alex Shipp, consultant with UK antivirus company MessageLabs. 鈥淥n an unsecured machine you won鈥檛 even know you haven鈥檛 gone to your real bank鈥檚 web site.鈥
But the trick is also limited by several technical factors. For instance, it will only work on a Windows computer with certain functionality enabled. Specifically, they must have Windows Scripting Host enabled and ActiveX switched on.
PCs running the latest version of Microsoft Outlook or with the latest software patches from Microsoft installed will have this functionality deactivated by default.
The file modified by the phishing script is used to map domain names, such as www.newscientist.com, to underlying internet protocol (IP) address, such as 194.203.155.123. Modifying this 鈥渉osts鈥 file can make a browser go to a bogus IP address even when a genuine domain name is entered into the address bar.