Security experts are warning of a new phishing technique designed to capture online banking details without requiring users to click on a website link.
According to security firm MessageLabs, a potential victim only has to open an email, which then silently runs a script that attempts to rewrite the hosts file of the targeted machine.
The next time the user legitimately attempts to access their online bank, they are automatically redirected to a fraudulent website, enabling their log-in details to be stolen.
The risk is currently low, according to MessageLabs, which has only intercepted copies of emails targeting three Brazilian banks.
However, Mark Murtah, head of emerging threats at security company Websense, expects the threat to increase as phishers use more sophisticated techniques.
"There is a growing awareness among computer users about the dangers of phishing, so they are more suspicious," he said.
"The phishers know this, so we are beginning to see increasingly sophisticated scams that are very hard to detect.
"Something as innocent as using the auto-preview function in an email client is enough to download malicious code or silent key-loggers. And antivirus software will not necessarily pick up the fact someone has been infected."
Computer users can defend themselves against this if they ensure that Windows Scripting Host is disabled.
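Because the redirection described above relies on entries written to the hosts file, auditing that file for mappings of banking domains is a direct check. The following is an added example, not code from MessageLabs or Websense; the watched domains, addresses and sample file contents are constructed placeholders.

```python
import ipaddress

# Constructed watchlist (assumption): replace with the banking domains you care about.
WATCHED = {"bank.example", "onlinebanking.example"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a valid mapping line; skipped
        for name in fields[1:]:                 # one address may carry several names
            yield n, ip, name.lower().rstrip(".")

def is_watched(name, watched=WATCHED):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)

def audit(text, watched=WATCHED):
    """Return (line_no, hostname, ip, kind) for each watched name found."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        # Loopback/unspecified addresses block a name; anything else redirects it.
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append((n, name, str(ip), kind))
    return findings

# Constructed hosts-file contents for this example.
SAMPLE = """\
# constructed hosts file for this example
127.0.0.1      localhost
203.0.113.45   www.bank.example          # unexpected mapping
198.51.100.7   intranet.corp.example
203.0.113.45   WWW.OnlineBanking.example login.bank.example
0.0.0.0        ads.bank.example
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On Windows the file to pass to `audit` is `%SystemRoot%\System32\drivers\etc\hosts`; a banking domain has no normal reason to appear there, so any `redirect` finding warrants investigation.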





