Web 2.0 makes phishing spam obsolete

Summary: In the future, phishers will avoid using spam and instead hijack small parts of 'trusted' Web sites in order to bypass anti-phishing tools.

In three years phishing has transformed from an unknown threat into a multi-million-dollar industry; in the next stage of their evolution, phishers will be able to avoid sending spam and bypass anti-phishing tools by hijacking small parts of 'trusted' Web sites.

Why would a criminal gang go to all the trouble of creating copy-cat Web sites and then drive users to them by sending out millions of spam e-mails, when all they really have to do is hack into a 'trusted' Web site and modify its code?

OK, so hacking into a 'trusted' Web site may not be all that easy. However, as people become more savvy about phishing scams and fewer people open unsolicited e-mails, fraudsters need to find alternative ways of stealing users' banking passwords.

Last week, Websense discovered that Samsung Telecom's Web site was hosting a rather nasty Trojan horse. We understand that the Trojan wasn't a danger to people casually browsing the site, but this has not yet been proven -- and suspiciously, the main page of the site remains unavailable almost a week after the attack was first reported.

If hackers had access to Samsung's Web servers -- in order to upload the Trojan -- then it seems reasonable to assume they also had access to the Web site code, which means they could have modified the site to inject malware onto visitors' computers. This could be done through exploiting browser vulnerabilities or by using relatively new Web 2.0 tools such as Ajax.

The cybercriminal underworld is well funded and employs skilled software engineers to develop and test malicious code.

In a recent interview, Trend Micro's CTO David Rand said: "In one case there was at least US$250,000 funding for one piece of malware. That is a lot. It means they can do QA, proper engineering development, testing and a complete product cycle... We think they are cutting edge technologies".

"Our job, as always, is to anticipate what they are going to do next and create effective countermeasures. If we try to simply play catch up we will never win," he added.

On his blog, the director of Symantec Security Response Dave Cole said that Web 2.0 technologies are attractive to fraudsters because "they leave no trace once the browser is closed and don't rely on a researcher uncovering a Godzilla-style hole in a popular Web browser... it's clear that we've only begun to see what's possible via malicious Web sites".

Tom Chan, enterprise and client services manager for Messagelabs Asia Pacific, told me that because of more educated users and improved anti-spam engines, the success rate for traditional phishing scams is likely to fall soon. By hijacking trusted Web sites, phishers could lure many more victims.

"They are trying to compromise poorly protected Web sites -- they basically go in and enter their own code into that Web server," said Chan, who explained that victims of this new phishing era would not have to do anything 'wrong' in order to get hooked.

"You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people," he said.

Symantec's Cole makes an important point about these new attack vectors. He said that although it will be easier for phishers to infect lots of people in a short amount of time, Web site owners will have the power to kill an attack.

"One thing I think is noteworthy of calling out is the fact that these type of attacks can impact many people quickly, but they can also be halted in short order because they have a central chokepoint: the organisation hosting the Web site or Web service in question.

"This type of attack will not have the staying power of old threats, such as Slammer, Nimda, or other worms that rely on unpatched machines and a decentralised Internet -- they may burn brightly, but should extinguish quickly as well," he said.

However, this is not going to be of any consolation to people who find their bank accounts cleared out despite following the advice of security experts by deploying patches, using the latest security software and only visiting 'safe' Web sites.
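The "central chokepoint" above is also where the site owner can detect the attack the article describes: an intruder who edits a trusted page has to add script, frame or object references the owner never approved. The following is an added example for this article, not code from the original text; the BASELINE and TAMPERED pages and the `intruder.example` host are constructed samples.

```python
"""Flag code injected into a trusted page by comparing the active content
it serves (scripts, frames, embedded objects) with a known-good baseline.
Added example for this article, not code from the original text; the
BASELINE and TAMPERED pages are constructed samples."""
from html.parser import HTMLParser

class ActiveContentCollector(HTMLParser):
    """Collects external script sources, inline script bodies and
    iframe/object/embed sources: everything that can run or load code."""
    def __init__(self):
        super().__init__()
        self.items, self._in_script, self._buf = set(), False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.items.add(("script-src", a["src"]))
            else:
                self._in_script, self._buf = True, []
        elif tag in ("iframe", "object", "embed"):
            src = a.get("src") or a.get("data")
            if src:
                self.items.add((tag, src))

    def handle_data(self, data):
        if self._in_script:           # body of an inline <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.items.add(("inline-script", "".join(self._buf).strip()))

def active_content(page):
    p = ActiveContentCollector()
    p.feed(page)
    p.close()
    return p.items

def injected_content(baseline, current):
    """Active content served now that the approved baseline never had."""
    return sorted(active_content(current) - active_content(baseline))

# Constructed baseline: the page as the site owner approved it.
BASELINE = ('<html><head><script src="/js/site.js"></script></head>'
            '<body><h1>Welcome</h1></body></html>')
# Constructed tampered copy: a zero-size frame appended by an intruder.
TAMPERED = BASELINE.replace("</body>", '<iframe src="http://intruder.example/x"'
                            ' width="0" height="0"></iframe></body>')
```

Run `injected_content(BASELINE, TAMPERED)` against each fetch of the live page; anything it returns is either a change the owner made or the attack the article describes, and the owner can act on it immediately.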

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • Not Phishing

    This can *not* be considered phishing. It is called, and has been for a number of years, hacking. Once the fact they're logged into a trusted site is no longer an illusion caused by tricks such as rewriting address bars etc., then it is no longer a phishing attack.
  • This is a compromised site, not "phishing"

    The point is made on Slashdot that this is not "phishing."

    Phishing entails making a site that looks like the real one. This *is* the real site.

  • welcome to internet.

    If it were 1998, I'd point out some sites that are already using malicious javascript (oh wait, I mean Web 2.0), but due to constant jerk-off articles like this I've stopped reading internet.
  • it is the NEXT GENERATION of Phishing

    this slashdot post may help you: http://it.slashdot.org/comments.pl?sid=196355&cid=16088238
  • The lights are not all on upstairs

    Honestly mate, you need to get your facts straight. You blabber on in this article about completely irrelevant topics, meandering from suggesting that attackers could compromise major websites to talking about phishing but somehow putting it under the same heading. This has nothing to do with "Web 2.0".

    Are you possibly talking about cross-site scripting (XSS) attacks? This is the only practical, cheap way of injecting malicious content into the page of a 'trusted' site. It involves getting a user to open a maliciously crafted URL, which could be distributed as part of a phishing-style email and would be a little more plausible. It's the only thing that could possibly connect the disparate dots making up your article.

    It sounds from this like you read somebody else's article on the use of such techniques to make phishing scams more plausible, did a little fumbling around the net to find some extra detail that looked relevant to you then spat out the whole thing in a mangled lump. This is one of the shoddiest pieces of journalism I've seen.
  • This is an increase in exploit severity - not underlying vulnerability

    I posted some more thorough feedback here: http://denimgroup.typepad.com/denim_group/2006/09/next_gen_phishi.html

    The basic gist of my post is that it is indeed a concern that attackers using Web 2.0 knowledge can create more sophisticated attacks, but the countermeasures are the same as they have always been: input validation and output encoding.
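As an added example of the output-encoding countermeasure named in the comment above (and of the cross-site scripting case raised earlier in the thread), not the commenter's code: a page that reflects a query parameter straight into the markup, beside the version that encodes for the context it writes into. Function names and the `/search` path are hypothetical.

```python
"""Output encoding as the defence against content injected into a trusted
page. Added example for the comment thread, not the commenter's code."""
import html
from urllib.parse import quote

def render_search_unsafe(term):
    # Reflects the parameter as-is: any markup in 'term' becomes part of
    # the trusted site's own page (the XSS case described in the thread).
    return f"<p>Results for: {term}</p>"

def render_search_safe(term):
    # HTML text context: encode &, <, >, " and ' before interpolating, so
    # the browser shows the characters instead of interpreting them.
    return f"<p>Results for: {html.escape(term)}</p>"

def render_link_safe(term):
    # Two nested contexts: percent-encode for the URL first, then
    # HTML-encode for the attribute value the URL sits inside.
    href = "/search?q=" + quote(term, safe="")
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'

def survives_as_markup(rendered, injected):
    """Regression check: True if the injected text is still live markup."""
    return injected in rendered

# Constructed probe: harmless markup standing in for injected content.
PROBE = "<b>x</b>"
```

`survives_as_markup(render_search_unsafe(PROBE), PROBE)` is True and the same check on `render_search_safe` is False, which is the whole difference between the two renderers.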