SECURITY

Phishing Without a Lure


While the victims of the latest phishing technique may not have to click on a link to be victimized by the effort to steal information, the attack is similar to traditional phishing scams because it is dependent on a Web site to capture the data. That fact cuts down the level of threat.



Security experts say that a recent phishing attack is limited in scope, but they are concerned that it may be a sign that attackers are toying with a new way of phishing, one that does not require a lure. Phishing attacks are typically e-mailed as enticements to bogus sites that endanger users' systems and expose their personal information.

E-mail security outfit Message Labs highlighted the attack this week, indicating that a phishing technique designed to capture online banking details did not require users to click on a link, possibly exposing data simply by opening an e-mail. "They're basically trying out a new technique to see how it works," Message Labs senior antivirus technologist Alex Shipp told TechNewsWorld. "I would expect if [the technique] is successful, [it] could spread to the rest of the world."

Silent Script

Message Labs indicated that at the end of October, it had intercepted e-mails which, when opened, silently ran a malicious script that attempts to rewrite the files hosted on a victim's machine.

"This means that the next time the user attempts to legitimately access online banking, they will be automatically redirected to a fraudulent Web site, enabling their log-in details to be stolen," Message Labs said in a statement.

The security company said it had intercepted only copies of e-mails targeting three Brazilian banks, but added more such attacks can be expected if the technique is at all successful.

Growing and Evolving Threat

The phishing attack appeared by most accounts to be a case of a "proof-of-concept" release, showing the world what attackers are capable of and laying the groundwork for other attackers to improve the approach, making it even more dangerous.

The automatic phishing ploy also comes as the issue of malicious sites that snare unwitting users into divulging data or control becomes an increasingly significant threat.

Shipp reported that Message Labs is seeing about 80 to 100 phishing sites per day, calling the attacks a danger to both consumers and enterprises. "It is a moving target, making it harder to identify and defend against," Shipp said. "As ever, a combination of user education and the necessary levels of technology-based protection are essential."

Still Site Dependent

While the victims of the latest phishing technique may not have to click on a link to be victimized by the effort to steal information, the attack is similar to traditional phishing scams because it is dependent on a Web site to capture the data.

Shipp and other security experts point to this as a major mitigating factor in phishing, because as soon as people are alerted to a successful phishing attack, the site that is causing it is quickly shut down.

Shipp said that most banks have advised their customers to be wary of e-mail asking for personal details.

Tougher to Handle

Nevertheless, Shipp indicated the lack of a need for users to click onto a bogus site makes defending against phishing a bigger task.

"This latest technique demonstrates how phishing attacks could become increasingly difficult for end users and online organizations alike to protect against," he said. "By reducing the need for user intervention, the perpetrators are making it easier to dupe users into handing over the contents of their bank accounts."

"In this case all [users] have to do is open an apparently innocent e-mail and their bank details could be silently sabotaged," Shipp said.


More by Jay Lyman
