Phishing overtakes viruses and Trojans

Phishing attacks have outstripped the number of emails infected with viruses and Trojans for the first time, according to security experts.

Security mail services vendor MessageLabs reported on Monday that in January 2007, one in 93.3 (1.07 percent) emails comprised some form of phishing attack. There were fewer emails infected with viruses — one in 119.9 emails, or 0.83 percent.

The difference in the ratio of phishing to virus attacks is partly due to virus attacks becoming more targeted and no longer occurring as one large outbreak. This includes the recent Storm Worm and Warezov attacks, according to MessageLabs.

"If you look at infected email traffic for January, it's very spiky," said Mark Sunner, chief technology officer at MessageLabs. "With Storm Worm there are clear spikes, then drops down to normal levels. It's as though someone is turning on the tap briefly, then letting it abate," Sunner told ZDNet UK.

Phishing attacks have become more sophisticated, according to MessageLabs. As online merchants and banks have shifted towards two-factor authentication, there has been a rise in "man-in-the-middle" phishing sites, although such attacks are still quite rare.

Two-factor authentication often involves the user keying in pseudo-randomly generated codes — for example, from a key fob — as well as entering a password. This is designed to foil attacks where information is harvested using keyloggers, as the code can be used only once.

One particular form of man-in-the-middle attack tries to circumvent this by effectively hijacking a user session. Users are duped into visiting a spoofed portal, hosted on a compromised machine. Information entered, such a bank details and codes, is relayed through the compromised machine to the real bank site. Once the users have validated themselves on the real system through the compromised relay, hackers kill the user connection through the relay, and take over the session.

Phishing emails are also becoming more personalised, according to Sunner, making such confidence tricks more believable. This includes phishers sending links to people for spoof sites of banks that the intended victims actually use, as opposed to randomly hitting a section of the population.

"We're continuing to see a real increase in the targeted nature of messages across the board. Phishing is becoming more personalised," said Sunner.

More phishing sites are now using Flash content rather than HTML in an attempt to evade anti-phishing technology deployed in web browsers.

Security vendor Sophos confirmed it also saw more phishing than malware activity in January. "More email at the moment does appear to be phishy rather than containing malicious attachments," said Graham Cluley, senior technology consultant at Sophos. "The trend has been for the proportion of infected email to drop for a while now."

However, Cluley warned that this indicated a shift in infection methods towards web-based attacks, rather than a shift from malware to phishing. "More and more of the bad guys are moving towards web-based attacks," he said. "That means that the email itself may not contain a malware attachment, but instead a web link to a site or download that would then infect you with a Trojan horse. We shouldn't necessarily conclude that the malware problem is diminishing, it just may be changing its nature," Cluley added.

Sophos is seeing approximately 5,000 new malicious URLs every day hosting malware or drive-by downloads of unwanted content, Cluley said.