Phishers swap e-mail for Google to hook victims

Written by Munir Kotadia, Contributor
Phishers are setting up fraudulent e-commerce Web sites and simply waiting for victims using search engines, such as Google, to find them.

Traditionally, phishers have lured their victims to fraudulent Web sites by sending official-looking e-mails from well-known companies asking users to 'verify' their user names and passwords. But Internet security firm CyberGuard is warning that many have now set up legitimate-looking e-commerce sites that disguise links to malware as pictures of goods on sale.

Paul Henry, a senior vice president at CyberGuard, explained that when Web shoppers search the Internet looking for products they want to buy, they can be directed to a plausible e-commerce site that instructs them to "Click here to download images" of the product.

Henry said that instead of linking to pictures of the advertised product, the links point to a self-extracting Zip file that installs a Trojan on the victim's computer that can steal personal and financial information.

"If it looks too good to be true, it probably is. Don't let the Grinch steal your Christmas," said Henry.

The warning comes a week after the Anti Phishing Work Group (APWG) said it suspected that a phishing toolkit, which could help create and automate phishing attacks, was being distributed on the Internet.

In early November, e-mail security firm Messagelabs warned of a new phishing method that did not require the user to open an e-mail attachment or click on a link.

Messagelabs said it had discovered some malicious e-mails that, when viewed, could run a script that manipulated certain files on the victim's computer. The next time that computer attempted to log onto a legitimate banking site it would automatically be redirected to a fraudulent Web site.
