MyDoom Spread Illustrates Challenge for Phishing Defense

You can fool some of the people all of the time, as Abraham Lincoln once noted. The authors of the many versions of MyDoom rely upon this truism, continuing to trick e-mail users into opening virus-laden attachments. The latest version, MyDoom.M, caused performance problems Monday for Google and other search engines, which were used to refine its spread.

MyDoom.M's ability to disrupt the Web's best-equipped sites illustrates the difficulty of training e-mail users to safely manage attachments. It also has sobering implications for banks seeking to educate users about phishing scams, which in recent weeks have featured social engineering tactics nearly identical to those that succeeded with MyDoom.M.

The new wrinkle in MyDoom.M was its use of Google, Lycos, Yahoo and AltaVista. Upon infection, the virus launched search engine queries designed to identify valid e-mail addresses sharing the domain of the compromised machine. Google received about 45 percent of the queries, and experienced availability problems for several hours.
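The harvesting behaviour described above leaves a distinctive trace in an organization's outbound web proxy logs: one workstation issuing a burst of search-engine queries whose search terms contain the organization's own domain. The following detector is an added example written for this page, not code from Netcraft or from any anti-virus vendor. It assumes a constructed proxy log format (`timestamp client method url`) and a hypothetical organization domain `example.com`; the search-engine hostnames are the ones named in the article, listed here as assumptions about what such a proxy would see.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Hostnames for the four search engines the article names (assumed values).
SEARCH_ENGINE_HOSTS = {
    "www.google.com",
    "search.yahoo.com",
    "search.lycos.com",
    "www.altavista.com",
}

# Constructed proxy log format: ISO timestamp, client IP, method, full URL.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def parse_line(line):
    """Parse one constructed proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"], "url": m["url"]}


def is_domain_harvest_query(url, org_domain):
    """True if the URL is a search-engine query whose search terms mention org_domain."""
    parsed = urlparse(url)
    if parsed.hostname not in SEARCH_ENGINE_HOSTS:
        return False
    needle = org_domain.lower()
    # Check every query parameter rather than guessing which one carries the search term.
    return any(needle in value.lower()
               for values in parse_qs(parsed.query).values()
               for value in values)


def find_harvesting_hosts(lines, org_domain, threshold=5, window=timedelta(minutes=10)):
    """Return {client_ip: max_queries_in_window} for clients that exceed the threshold.

    A single employee searching for a colleague is normal; a burst of such queries
    from one machine within a short window is the address-harvesting pattern.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_domain_harvest_query(rec["url"], org_domain):
            per_client[rec["client"]].append(rec["ts"])

    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: largest number of matching queries inside any `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


# Constructed sample log: 10.0.0.7 behaves like an infected host, 10.0.0.9 does not.
SAMPLE_LOG = """\
2004-07-26T10:00:01 10.0.0.7 GET http://www.google.com/search?q=%40example.com
2004-07-26T10:00:03 10.0.0.7 GET http://search.yahoo.com/search?p=example.com+mail
2004-07-26T10:00:05 10.0.0.7 GET http://search.lycos.com/default.asp?query=%40example.com
2004-07-26T10:00:09 10.0.0.7 GET http://www.altavista.com/web/results?q=example.com
2004-07-26T10:00:12 10.0.0.7 GET http://www.google.com/search?q=%40example.com+contact
2004-07-26T10:00:15 10.0.0.7 GET http://www.google.com/search?q=example.com+staff
2004-07-26T10:01:00 10.0.0.9 GET http://www.google.com/search?q=python+tutorial
2004-07-26T10:02:00 10.0.0.9 GET http://www.google.com/search?q=example.com+careers
2004-07-26T10:02:30 10.0.0.9 GET http://intranet.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    print(find_harvesting_hosts(SAMPLE_LOG, "example.com"))
```

The threshold and window are tuning knobs: a large organization with a people-search habit will need a higher threshold, and the proxy's real log format will need its own regular expression, but the structure (filter to search-engine queries mentioning your own domain, then count per client over a sliding window) carries over.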

The search engines adjusted fairly quickly. Not so for many e-mail users. It's been six months since the original MyDoom virus received huge publicity as it clogged e-mail systems and launched a distributed denial of service (DDoS) attack on The SCO Group.

MyDoom's once-novel social engineering trick - disguising its executable payload as a bounce message from an e-mail administrator - should be familiar by now. MyDoom.M masqueraded as an e-mail warning from a corporate IT department that the recipient's machine had been compromised, a gambit used in recent phishing scams targeting eBay, Citibank and U.S. Bank, among others. Did these scams receive a click-through rate similar to the MyDoom.M attachments? Neither the target companies nor victimized customers are likely to say, but the evidence is not encouraging.

Internet users who were briefly deprived of Google access Monday will recover quickly. The thousands of e-mail users who opened the MyDoom.M attachment have larger problems, as the virus was programmed to install a backdoor component that listens on port 1034, which will now be the object of interest from hackers.
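Because the backdoor listens on a fixed port, the defender's side of that "object of interest" is visible at the perimeter: inbound connection attempts to TCP port 1034 against internal hosts. The triage script below is an added example for this page, not Netcraft's code or any vendor's tooling. It assumes a constructed key=value firewall log format and constructed addresses; it ranks internal hosts by how many distinct external sources are probing that port and flags any host where such a connection was actually accepted, since either is a reason to check the machine for the MyDoom.M backdoor.

```python
from collections import defaultdict

# Port the article reports for the MyDoom.M backdoor listener.
BACKDOOR_PORT = 1034


def parse_fw_line(line):
    """Parse a constructed 'timestamp key=value key=value ...' firewall log line."""
    fields = line.split()
    if not fields:
        return None
    rec = {"ts": fields[0]}
    for field in fields[1:]:
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
    return rec


def summarize_backdoor_traffic(lines, port=BACKDOOR_PORT):
    """Per internal destination host: distinct probing sources and whether any
    connection to the backdoor port was accepted rather than dropped."""
    summary = defaultdict(lambda: {"sources": set(), "accepted": False})
    for line in lines:
        rec = parse_fw_line(line)
        if not rec or rec.get("proto") != "tcp" or rec.get("dport") != str(port):
            continue
        entry = summary[rec["dst"]]
        entry["sources"].add(rec["src"])
        if rec.get("action") == "accept":
            entry["accepted"] = True
    return {host: {"probe_sources": len(e["sources"]), "accepted": e["accepted"]}
            for host, e in summary.items()}


def hosts_to_check(summary, min_sources=3):
    """Hosts worth inspecting: any accepted backdoor-port connection, or probing
    from at least min_sources distinct external addresses."""
    return sorted(host for host, e in summary.items()
                  if e["accepted"] or e["probe_sources"] >= min_sources)


# Constructed sample firewall log (documentation address ranges, invented timestamps).
SAMPLE_FW_LOG = """\
2004-07-26T11:02:13 action=drop src=203.0.113.5 dst=10.0.0.7 proto=tcp dport=1034
2004-07-26T11:02:14 action=drop src=203.0.113.9 dst=10.0.0.7 proto=tcp dport=1034
2004-07-26T11:03:40 action=drop src=198.51.100.2 dst=10.0.0.7 proto=tcp dport=1034
2004-07-26T11:05:01 action=accept src=198.51.100.77 dst=10.0.0.12 proto=tcp dport=1034
2004-07-26T11:05:30 action=drop src=203.0.113.5 dst=10.0.0.20 proto=tcp dport=1034
2004-07-26T11:06:00 action=accept src=203.0.113.5 dst=10.0.0.20 proto=tcp dport=80
""".splitlines()

if __name__ == "__main__":
    summary = summarize_backdoor_traffic(SAMPLE_FW_LOG)
    for host in hosts_to_check(summary):
        print(host, summary[host])
```

An accepted inbound connection at the firewall does not by itself prove the host is listening, so the output is a worklist for inspection of the host's open ports, not a verdict; the value of the count of distinct sources is that it separates a background scan from a host that several parties are already trying to reach.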

Phishing attacks seek to trick account holders into divulging sensitive account information through e-mails that appear to come from trusted financial institutions and retailers. Netcraft has developed a service to help banks and other financial organizations identify sites that may be preparing fraud, identity theft or phishing attacks by pretending to be the bank, or that imply a relationship with the bank where none exists.