A New Breed of Phish

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

UPDATED: Two exploits launched last week victimized Citibank Australia and SunTrust Banks, headquartered in Atlanta, Ga. While SurfControl warned of the exploit, the banks’ may have been compromised for days.

Pishers typically send spam purporting to be from a legitimate business, asking recipients to go online to manage accounts or take care of problems. For example, one piece of spam allegedly from Citibank asked recipients to verify their e-mail addresses.

When unwary Citibank customers clicked on the link in the e-mail, however, they were taken to a look-alike site operated by the scamsters. At this phony site, they were asked to fill out a form with personal information including credit card numbers, social security numbers, account passwords and PIN numbers. The goal of the grift is identity theft.

Now, phishing has taken a nasty new twist, according to Susan Larson, SurfControl’s vice president of global content. “It’s a hacking of the search technology on the sites,” she said.

In this virulent new breed, the link in the e-mail takes those who click to a fraudulent page that’s actually hosted on the bank’s Web site. The spoof exploits a flaw in the banking sites’ search servers. This flaw lets the crooks run a JavaScript page that displays their own phishing site instead of a legitimate Citibank or SunTrust Web page. Once the user enters the requested information and submits it, the data is whisked to an off-site server operated by the identity thieves.

One weakness of phishing schemes is that the sites are easy to identify and take down, Larson said. But because this latest enhancement buries the fraudulent page within the legitimate company’s own servers, the URL is native to the merchant, and therefore very difficult to spot.

Larson said that SurfControl identified the exploits against Citibank and SunTrust last week and had notified the companies. “As far as I know, the vulnerability is still open,” she said. “I don’t know how easily they can change it.”

A spokesperson for SunTrust said the company was aware of the phishing exploit and it had already been addressed. Executives at Citibank Australia did not respond to a request for comment.

Scotts Valley, Calif.-based SurfControl, a provider of messaging security services, operates a global network of 19 centers where researchers analyze e-mail traffic in order to identify scams, spam, viruses and other types of malicious content.

Larson said that her company’s Global Threat Command Centers have seen a 1,200 percent rise in phishing since January 2004; phishing trips now account for 8 percent of the spam in SurfControl’s database of digital spam fingerprints. According to research firm Gartner, identity theft cost banks $1.2 billion in direct losses in 2003.

“Obviously, phishing is very lucrative,” Larson said. “These schemes are getting bolder and more sophisticated.”

SurfControl advises consumers never to click on a link in an unsolicited e-mail. The problem, though, is that phishing scams target large companies with lots of customers who may not see the e-mail as unsolicited. With this latest sneaky refinement, Larson said, it’s better not to click on links in e-mails at all.

“When you click through from a link, you don’t know where you’re going,” she said. Instead, users should go to the bank’s home page and navigate from there.