You know all about phishing scams, right? You know better than to click on a Web link embedded in an e-mail that purports to be from your bank, or to reply to messages requesting your user name and password. But if you think that's enough to protect yourself, think again.
A phishing scam currently spreading online works without your ever having to click on a link; all that's required to activate the scam is for you to open an e-mail. And, many security experts warn, this threat may be a sign of things to come.
"This style of attack is new and old at the same time. It's a common approach that virus writers take, but it's new with regard to phishing attacks," says Jim McGrath, senior director of security management products for NetIQ. "Phishers are trying to use the techniques that have been very successful for virus writers. It's a new and dangerous trend."
The current phishing scam, which has been labeled JS/QHosts21-A by antivirus vendor Sophos, is an example of this kind of blended threat. In this case, the scam involves a Trojan horse that combines with an ActiveX vulnerability in Windows to install itself on your machine invisibly, without warning.
Phish threat arrives by e-mail
According to Sophos, JS/QHosts21-A arrives in an HTML e-mail that displays the Google Web page. If you have enabled scripting on your PC (Internet Explorer and Microsoft's Outlook and Outlook Express e-mail clients enable scripting by default) and you have ActiveX security settings configured too low (or if you are running an out-of-date and/or unpatched version of Windows), the Trojan horse installs itself on your PC.
The Trojan horse then makes changes to the Hosts file, a component of Windows that your browser first looks to when it converts a domain name that you enter (such as "www.pcworld.com") into the IP address it needs to load a Web page.
By entering an IP address of the fraudster's choosing into your PC's Hosts file, and associating it with the names of bank Web sites, the phisher can force your browser -- any browser, not just Internet Explorer -- to go to a fake Web site that may look like your bank's, but isn't.
Then all they have to do is get you to log in, and the phisher has your username and password.
"These next-generation phishing scams don't use traditional methods, they don't try to lure you with an e-mail," says Graham Cluley, a senior technology consultant with Sophos antivirus. "Instead, they infect you with a Trojan, wait for you to visit a banking site, and then a keylogger grabs your password."
Under normal circumstances, most people do not have any IP addresses listed in their Hosts file, but the file exists just in case you might need to use it. And because most PC users are unfamiliar with the workings of the Hosts file, unless you're running special software that monitors the Hosts file for changes, you may never know it has been changed until it's too late.
Scam still very limited
JS/QHosts21-A has been seen in very low numbers in the wild, and currently is targeting banks only in Brazil, says Sophos's Cluley. He also notes that any up-to-date antivirus software should be able to catch the file. So why is it worth your attention? Because many security experts expect it -- and other, more advanced threats -- to wash up on U.S. shores soon.
"For the last few months, we've seen a growth in similar behavior," he says. "Unlike the rather crude rewriting of the Hosts file, which redirects you to a bogus site (which is what JS/QHosts21-A does), Brazilian hackers have been creating an army of Trojans designed to wait until you visit the real, bona fide banking Web site."
Once you visit a banking site, these Trojan horses spring into action. They launch a keylogger that captures your user name and password, and they also collect screen shots of the activity on your PC.
"In other words, no bogus Web site needs to be created at all (less hassle for the hackers, and less chance of there being clues in the creation of the bogus Web site), and they rely on users doing exactly what we tell them to do -- visit the real, legitimate Web site," Cluley says.
Scam will soon target U.S. bank customers
So far, these threats have focused on three Brazilian banks -- Banco Bradesco SA, Caixa, and Unibanco Holdings SA -- and their customers in Brazil, Australia, and the United Kingdom, Cluley says, but he expects them to target U.S. users soon. "It may only be a matter of weeks away from targeting U.S. customers," he says.
Alex Shipp, senior antivirus technologist with MessageLabs, the company that discovered the JS/QHosts21-A threat (though Sophos is the only company referring to it by that name), agrees that the threat is likely to spread. "Right now, phishers are trying this technique out to see how well it works," he says. "If it works in Brazil, we'd expect to see it move all around the world within a month."
The good news for users is that these threats -- like all phishing scams -- are preventable. Experts recommend running antivirus software and updating it frequently, as well as installing a personal firewall.
How to repair affected PCs
To prevent the Trojan horse from attacking, PC users should keep their versions of Windows and Internet Explorer up-to-date with Microsoft's security patches, and consider using an alternative browser. However, it's important to note that once your computer has been compromised, the modified Hosts file will affect any browser you use on the infected PC, not just Internet Explorer.
If you've already been infected with JS/QHosts21-A, you may need to manually change your Hosts file back to its original format, says Dave Jevans, chair of the Anti-Phishing Working Group. If you're running Windows XP, you can modify the file (which is located at C:\WINDOWS\system32\drivers\etc\hosts) by opening it with a text editor, such as Notepad, WordPad, or Microsoft Word. For the JS/QHosts21-A exploit, the following entries will be visible in the file, Jevans says:
If you see those entries, delete them, save the file, and reboot your system, he says.
Preventing future phishing attacks
In addition to highlighting new methods that phishers are using, these threats are exposing the poor security in place at the Web sites of many banks and financial institutions, experts agree.
"If your bank is using a static user name and password, that's like leaving the key to your house under your doormat," says Jochem Binst, director of communications for Vasco Data Security International Inc. "Using static passwords online is just not secure enough anymore."
A system reportedly in use by many banks across Europe, two-factor authentication, seems to successfully thwart phishing, keystroke logging, and other attacks that steal passwords.
In addition to a user name and password you create, "you just get a list of passwords from the bank, which you can use once," says reader Jeroen Hoekstram, who lives in Germany and uses the system with his own online bank accounts.
When you need to log in to your bank account, you simply use one of the passwords provided by the bank, in addition to your own user name and password. After the first time a bank-provided password gets used, it cannot be used again, so even if your information is successfully phished, it is of no use to the scam artist who gets it.
"The system seems cheap and reliable, and indeed avoids the worries of malicious software," Hoekstram says. "Interestingly," he adds, "I use Citibank in Germany, and they use this system. I am curious why they would not use it in the U.S."
Online banks need a security boost
"Consumers should lobby their banks for better security. It's astonishing how many banks are still asking you to use the same password every time you log in," says Cluley. "They do it because its cheaper and easier for them. For proper security, you'd have a password that changes every time you log in."
Some companies in the United States are adopting two-factor authentication, but no banks have signed on as yet. America Online, notably, allows users to log in via RSA Security's SecureID Key Fob, which displays a six-digit code that changes every minute. Microsoft added broad operating system support for SecureID into Windows computers in an update several months ago.
"The current way most online banks are handling security is just wrong," Cluley says.
"Banks themselves need to look at how they do online banking. They're not doing much today to protect the end consumers. I would love to see financial institutions using two-factor authentication mechanisms," McGrath says. "I'm not aware of any of the big banks who are doing this, and some are not even taking the basic steps for security, like timing out accounts," he adds.