IE 11 is not supported. For an optimal experience visit our site on another browser.

A new, more sneaky phishing attack

Phishing scams, already one of the main nemeses on the Net, have apparently just become even more sneaky — and ingenious. By Bob Sullivan.

Phishing scams, already one of the main nemeses on the Net, have apparently just become even more sneaky — and ingenious. Now, it appears phishing authors are borrowing some time-tested tactics from computer virus writers to steal personal information from e-mail users.

E-mail filtering firm MessageLabs says it recently began intercepting messages that use the new technique, which in certain cases is completely invisible to victims. Essentially, the tactic redirects a victim's computer to a Web site controlled by a criminal every time the victim types in the Web address of his or her online bank. Even if the victim follows a shortcut or Web browser favorite link, the computer is seamlessly directed to the criminal's site instead. Once there, it's easy to trick a confused consumer into typing in banking account numbers and logins, because he or she is easily convinced that the destination is the correct banking site.

"It's very nasty," said Ken Schneider, chief architect at antivirus firm Symantec Corp. "(A user) could be doing everything right, but in this case they are still going to the wrong place."

Phishing is already a major problem for both consumers and financial companies, and the scope of the problem continues to grow. The number of phishing attacks swells by about 50 percent each month, according to the Anti-Phishing Working Group. Earlier this year, an analyst at Gartner said some 2 million people had fallen for phishing attacks, costing U.S. banks about $2 billion.

The new technique involves changing a little-known piece of software on most Web-ready computers called a "host file."  All Web sites have numeric Internet addresses, called IP addresses, that contain a string of four numbers, such as They also have friendly, easy-to-remember names like The names and numbers are linked by means of a catalog kept on various computers connected to the Internet called Domain Name Servers. But computers always check a local host file for such a catalog first — and that local host file overrides information contained in the Internet's Domain Name Servers. 

So by changing a victim computer's host file, the attacker can change the Web site that computer visits. Typing in, for example, could point a victim's computer toward a hacker's site instead. 

A useless feature
Years ago, before the Internet's domain name system was in place, the local host file was useful, says software engineer and privacy advocate Richard Smith, who operates But now, it's just a relic, he says, kind of like an appendix on Internet software.

"It's useless now," he said.  "But it's an attack vector.... This just points out that at some point you have to age out features and get rid of them."

Host file attacks have been relatively common in recent computer viruses, Smith said.  They have been used to siphon off traffic destined for high-profile sites like toward pornography sites, for example. But this is the first time he'd seen the tactic used in combination with phishing, he said.

The e-mails intercepted by MessageLabs also include another tactic to trick Internet users — there's no need to click on a link or attachment to become a victim. Simply opening the e-mail is enough to allow the malicious message to alter the host file on a target computer. That part of the e-mail takes advantage of a well-known, relatively old flaw in Microsoft's Internet Explorer, which can be patched a number of ways.

Unlike traditional phishing e-mails, which suggest they are from PayPal, eBay, Citibank or other legitimate companies, this new kind of e-mail is unrelated to the targeted financial institution.  One subject line reads, "Oi!! olha aqui!! vc nem precisa procurar mais!!!" which essentially urges the recipient to try whatever it is inside the e-mail.

MessageLabs has intercepted only some 30 copies of the e-mail, and in each case the target was a bank in Brazil. Symantec researchers have yet to spot copies of the e-mail so far.  So the host file attack is hardly widespread. Still, MessageLabs' Alex Shipp thinks it's an alarming step forward in the programming of phishing tactics.  Antivirus scans generally wouldn't pick up host file changes.

"It's more dangerous than standard phishing," he said.  "There is nothing in the e-mail to give it away. Nothing has to happen. The next time you bank there, you might be in for a shock."

And even if the fake bank site was eventually pulled down by the Internet host, which usually happens within a few days, victim consumers would still have a problem. Their computers would no longer be able to visit the legitimate bank site, but instead would get a "file not found" error, as their computers were redirected to the criminal's address.

"The person would be mystified that they can't get to their bank any more," Shipp said.