New Phishing Scam Prompts Warnings

Phishing attacks have reached new heights of sophistication with a Javascript-driven scam that detects the user's browser, convincingly spoofs the address bar, and displays fake HTML source code. The new attack prompted a warning last night from the Anti-Phishing Working Group, which said the new technique has "serious security implications for consumers."

"This is one of the most sophisticated phishing attacks that we have yet detected," said Dave Jevans, chairman of the Anti-Phishing Working Group (APWG). "Because the fake Address bar remains installed even after you leave the phisher's site, there is a possibility that a phisher could use this technique to secretly track every web site that you visit."

The new technique targets Citibank, commencing with e-mails bearing the subject "Verify your E-mail with Citibank." The IP address for the spoofed page (http://69.56.202.82) is part of a block of addresses assigned to The Planet, a large hosting provider in Dallas, and was still active as of yesterday.

After detecting the user's browser, the spoof site removes the real address bar and replaces it with a convincing fake address bar using Javascript and frames at the top of the browser window. "You can even type in the bank's web address directly into the fake Address bar," the APWG said in its alert. "This is a live piece of JavaScript code, not a static fake Address bar image." The spoofed page also displays fake code when a user right-clicks on the page. Using the top menu will display the actual source.

Phishing attacks are increasing in frequency as well as sophistication. February was the busiest month yet with 282 e-mail attacks, a 60 percent rise from January's record total, according to the latest data from the APWG. As was the case in January, the number of scams grew each week throughout the month, waveraging more than 12 attacks per day by the third week of February. eBay was again the primary focus of phishing crews, being targeted by 104 campaigns, followed by Citibank (58) and PayPal (42).

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.