06 Feb 2007
A new ‘undetectable’ phishing tactic has been hijacking the web pages of a major UK bank, according to security vendor Envisional.
Until now, customers have been able to check a link in an email by moving the mouse over it, thus revealing a fraudulent URL. But this new method shows the legitimate web address of the bank in question.
'This is a completely new and very dangerous threat,' said Envisional’s chief executive officer, Michael Wheatley. 'Even wary, sophisticated online banking customers will be caught out by this latest form of attack.'
The new approach exploits a vulnerability in the bank's web site, allowing a link to look as though it directs the user to the legitimate site. In fact, the link sends the user to a framed mock-up of the bank's page that is really part of the phisher’s web site.
Gartner analyst John Pescatore says the attack is a variant of existing phishing techniques.
'There's big risks there for sure. I think it's a clever variation on things that have been done before, taking advantage of a vulnerability on a legitimate site to embed some malicious code,' he said. 'Any site that wants to make sure it’s a trusted commerce site has to make sure it doesn't leave these vulnerabilities there.'
But PayPal chief information security officer Michael Barrett says these emails will be much less of a threat if users are educated.
'You could argue that if you could educate all of your users then there would be no such crime as phishing,' said Barrett. 'Firstly if you get emails out of the blue wait a few days. Typically if it’s a phishing site it will have come and gone by then. Secondly just don't click on links in emails. Those two rules on their own will get you out of 98 per cent of the problems.'