Phishers adopt scam tricks from virus writers
To activate the latest phishing scam, all that's needed is for you to open an e-mail
You know all about phishing scams, right? You know better than to click on a Web link embedded in an e-mail that purports to be from your bank, or to reply to messages requesting your user name and password. But if you think that's enough to protect yourself, think again.
A phishing scam currently spreading online works without your ever having to click on a link; all that's required to activate the scam is for you to open an e-mail. And, many security experts warn, this threat may be a sign of things to come.
"This style of attack is new and old at the same time. It's a common approach that virus writers take, but it's new with regard to phishing attacks," says Jim McGrath, senior director of security management products for NetIQ Corp. "Phishers are trying to use the techniques that have been very successful for virus writers. It's a new and dangerous trend."
The current phishing scam, which has been labeled JS/QHosts21-A by antivirus vendor Sophos PLC, is an example of this kind of blended threat. In this case, the scam involves a Trojan horse that combines with an ActiveX vulnerability in Windows to install itself on your machine invisibly, without warning.
Phish threat arrives by e-mail
According to Sophos, JS/QHosts21-A arrives in an HTML e-mail that displays the Google Web page. If you have enabled scripting on your PC (Internet Explorer and Microsoft's Outlook and Outlook Express e-mail clients enable scripting by default) and you have ActiveX security settings configured too low (or if you are running an out-of-date and/or unpatched version of Windows), the Trojan horse installs itself on your PC.
The Trojan horse then changes the Hosts file, a Windows file that the system consults before it queries DNS when converting a domain name you enter (such as "www.pcworld.com") into the IP address it needs to load a Web page.
By entering an IP address of the fraudster's choosing into your PC's Hosts file, and associating it with the names of bank Web sites, the phisher can force your browser -- any browser, not just Internet Explorer -- to go to a fake Web site that may look like your bank's, but isn't.
Then all they have to do is get you to log in, and the phisher has your username and password.
"These next-generation phishing scams don't use traditional methods, they don't try to lure you with an e-mail," says Graham Cluley, a senior technology consultant with Sophos antivirus. "Instead, they infect you with a Trojan, wait for you to visit a banking site, and then a keylogger grabs your password."
Under normal circumstances, most people do not have any IP addresses listed in their Hosts file, but the file exists in case you ever need it. And because most PC users are unfamiliar with how the Hosts file works, unless you run software that monitors it for changes, you may never know it has been altered until it's too late.
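As an added example (not code from the article, Sophos or NetIQ), here is a small Python check of the kind of Hosts-file monitoring the text mentions: it parses the file, treats loopback entries as the normal baseline, and flags any hostname redirected to another address, with extra weight for domains you care about. The sample file content, the placeholder domain bank.example and the documentation-range address 203.0.113.45 are constructed for the demonstration.

```python
import ipaddress
import os
from typing import Dict, List, Tuple

# Constructed sample of a hosts file after the tampering the article describes:
# the loopback lines are normal, the last two lines redirect bank hostnames
# (placeholder domains, not real banks) to an attacker-chosen address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank.example   # added by the Trojan
203.0.113.45    online.bank.example
"""

# Default location of the Windows hosts file; %SystemRoot% is usually C:\Windows.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in hosts-file text to the address it resolves to.
    Like the resolver, the first entry for a name wins."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                              # malformed line, not an entry
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def suspicious_entries(mapping: Dict[str, str],
                       watched_domains: Tuple[str, ...] = ()) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, reason) for every non-loopback entry; entries
    that pin a watched domain (or a subdomain of it) are labelled separately."""
    findings = []
    for name, addr in mapping.items():
        if ipaddress.ip_address(addr).is_loopback:
            continue                              # 127.0.0.1 / ::1 lines are expected
        watched = any(name == d or name.endswith("." + d) for d in watched_domains)
        findings.append((name, addr, "watched-domain" if watched else "non-loopback"))
    return findings


if __name__ == "__main__":
    text = open(HOSTS_PATH).read() if os.path.exists(HOSTS_PATH) else SAMPLE_HOSTS
    for name, addr, reason in suspicious_entries(parse_hosts(text), ("bank.example",)):
        print(f"{reason}: {name} -> {addr}")
```

Run it on a real machine and every line it prints is an entry that did not come with Windows; a clean hosts file produces no output.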
Scam still very limited
JS/QHosts21-A has been seen in very low numbers in the wild, and currently is targeting banks only in Brazil, says Sophos's Cluley. He also notes that any up-to-date antivirus software should be able to catch the file. So why is it worth your attention? Because many security experts expect it -- and other, more advanced threats -- to wash up on U.S. shores soon.