Windows flaw allows phishing without a hook

In an evolution of the phishing phenomenon, cyber-criminals are using the recently patched Windows WMF vulnerability to hook victims without needing the user to visit a bogus Web site.

Around two years ago phishing attacks generally consisted of a badly worded e-mail that contained a link to an obviously fake Web site. These days the quality and quantity of phishing attacks have improved significantly, but public awareness of the problem and security tools have helped minimise losses.

However, the WMF vulnerability, which affects all versions of Windows and was only patched by Microsoft last week, could provide phishers with an unwelcome tool, according to Dan Hubbard, senior director at security firm Websense.

"We see a lot of Web sites that use vulnerabilities, some are two years old. They can do that because a lot of people don't have the patches. [Phishers] will use any means possible to get onto your machine but if there is something like the WMF exploit... they are going to use it," Hubbard told ZDNet Australia.

According to Hubbard, the WMF exploit is already being used by phishers because it provides them with a way of stealing banking details without having to first trick the victim into giving up their details.

"They still get a lot of people with the 'old tactics' but now by simply visiting a Web site -- it doesn't even have to be a bank web site -- they drop a keylogger onto your machine and use the vulnerability that may not be fixed," said Hubbard.

The flaw will come as something of a body blow to financial institutions that have spent the past two years educating their customers to avoid suspicious e-mails.

A spokesperson from the National Australia Bank, which was last week targeted by an 'old style' phishing attack, told ZDNet Australia that the bank's customers were not falling for the old tricks anymore.

"Our customers have a very high awareness about phishing now. We have an Internet security team that works around the clock when these things occur. We haven't had any reported losses during that time," the spokesperson said.

A Commonwealth Bank spokesperson agreed that online banking customers are more aware of the potential dangers of phishing e-mails.

"One of the pleasing things is that customers are a lot more alert to these types of attacks and know not to respond to them. They are aware that banks do not contact any of their customers by e-mail asking for information on their account," the spokesperson said.

Websense's Hubbard said, however, that although banks have done well to educate their customers, phishing has moved on.

"The problem is not decreasing, it is changing. [The banks] are correct that people are getting wise to clicking on e-mail links... But cybercriminals have realised that there is a lot of money to be made and are shifting the way they gather information from end users by using vulnerabilities to install keyloggers and screen scrapers," said Hubbard.