The rise of phishing has followed a trajectory that is remarkably similar to that of spam. Just as spam originally referred to flooding Usenet newsgroups, rather than email inboxes, so the practice of phishing seems to have started on AOL's online service, rather than on the Internet. Like spam, phishing in the early days was a relatively rare annoyance, but has recently begun growing to epidemic proportions: phishing attacks jumped 43 percent in March 2004, with over 400 unique
Spam makes only the flimsiest attempts to deceive, generally in the Subject line. Once opened, it is usually obvious that the message is a sales pitch. Spam's success is simply a question of mathematics: even if the vast majority of recipients block or delete the message, the huge volume of spam ensures that the absolute numbers of replies are sufficient to warrant the small expense of the spamming.
Phishing, by contrast, is all about subterfuge. Typically, the email purports to be from a well-known organisation: according to the Anti-Phishing Working Group, eBay is the current favourite, with Citibank and PayPal the next most popular choices. To succeed, the phishing email must be as plausible as possible, in order to trick the recipient into moving on to the next part of the scam by clicking on an enclosed URL. As a result, phishing email messages have been largely a question of social engineering.
This is what makes a recent phishing attack particularly interesting. Unlike those listed in the Anti-Phishing Working Group's archive, it does not masquerade as coming from a trusted organisation, nor does it explicitly urge recipients to click on a link. Instead, it has the appearance of being either sent in error, or at worst some fairly mild kind of spam message. It does, however, contain a URL that recipients might be tempted to follow out of curiosity - especially given the relative innocuousness of the message, and the lack of any traditionally phishy features.
But as the Code Fish Spam Watch site reveals in loving detail, doing so unleashes an extraordinary series of intrusive events. They culminate in highly-targeted screenshots of password characters being grabbed and sent to an email address in Russia if the user happens to log into Barclays online bank - ironically, one of the few to employ a two-step user login process designed to protect its customers from ordinary keylogger trojans.
Two things are striking about this. First, the technical virtuosity of this scam is an indication of how fast this field is evolving. And secondly, the form of this intricate, low-level attack presupposes a machine running Windows and its default applications. In other words, it depends on the Microsoft monoculture still found within most companies and homes.
As these examples show, phishing is rapidly becoming malware's new frontier - a devastating mix of coding deftness and cold-blooded deceit. Eradicating it will be even harder than stopping spam, the perpetrators of which are little more than script kiddies in comparison to these new phisher kings.
Glyn Moody welcomes your comments.
Posted by Glyn Moody in Security