One new type of phishing attack is particularly hard to identify. The technique can result in stolen personal data even if the recipient of the fraudulent e-mail is not fooled by it. When a bank customer simply opens the e-mail, a program attached to the e-mail by the phisher silently runs a script - even if the customer deletes the message without clicking on any embedded links. When that customer attempts to visit his or her bank's legitimate Web site - during that session or a future session - the malicious code redirects the person being phished to a fraudulent Web site.
Even a savvy Web-banking customer is vulnerable to this type of attack. Banks are educating customers on how to identify a fraudulent e-mail, but financial institutions can't do much to protect clients from simply opening fraudulent e-mail, according to Alex Shipp, senior antivirus technologist, MessageLabs (New York), a provider of e-mail security services. "It is difficult because banks don't own their clients' computers," Shipp says. "They can't do much to protect customers, but what they can do is, as soon as they learn about these sites, they can take them down," he continues. "It's more of a reactive thing; there is not much they can do proactively."
Recently, three Brazilian banks, including Unibanco (Sao Paulo), were the target of this scheme, according to Shipp. And MessageLabs expects to see more phishing attacks of this type, he says. Shipp points out that this particular scam only works on machines running Microsoft Windows, but Mac and Linux users can be affected if they use Windows updates. He suggests using only Windows systems that have had all available security patches installed.
Another phishing technique that has flourished is actually a combination of hacking and spamming. As with a traditional phishing attack, the assailant sends a fraudulent e-mail to consumers. However, this technique directs recipients to a legitimate bank Web site. With a false sense of security, users are more likely to enter personal information, which is then hacked by the fraudster, according to Susan Larson, vice president of global content, SurfControl (Scotts Valley, Calif.), a Web and e-mail filtering solutions provider.
In this type of scam, the phishers take advantage of security holes in financial institutions' Web sites, Larson explains. "Anyone doing any e-commerce is at risk," she adds. "The customers think they are on the [legitimate] site, [but the data] is really going to a fraudulent site."
SunTrust (Atlanta; $199 billion in total assets) customers were the target of this type of phishing. As soon as SunTrust became aware of the threat, the bank corrected the security flaw in its Web site, according to Hugh Suhr, a SunTrust spokesperson. The bank has a fraud alert section on its Web site and warns customers that it does not solicit personal information through e-mail. "We never ask for confidential information via e-mail," Suhr says. SunTrust also is taking proactive steps to combat phishing, but Suhr says he cannot divulge which technologies are being leveraged - for security reasons, of course.