The 10 Biggest Security Risks You Don't Know About

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

1 2 3 4 5 6 7 8 9 10 11 Page 4
Page 4 of 11

Phishers Co-Opt Legitimate Sites

Danger level: High | Likelihood: High | Target: All Internet users

Phishing is one of the most lucrative computer crimes, and it continues to grow rapidly. In April 2006 the number of unique new phishing sites spiked to a record 11,121, almost four times the 2854 sites found in April 2005, according to the most recent report from the Anti-Phishing Working Group.

You might expect phishers' fake sites to be easy to recognize by their amateurish spelling mistakes or broken Web graphics. But these days few phishers try to re-create entire bank-site pages by hand. Instead, modern scammers operate sophisticated server-side software that pulls all of the text, graphics, and links directly from the target bank's live site. All of the queries you input go to the real site--except your log-in data. That choice information goes straight to the bad guys.

Some phishing sites have become so smooth that they can even trap cautious and experienced Web surfers. In their "Why Phishing Works" study published in April, experts at UC Berkeley and Harvard presented test subjects with Web sites and had them look for the fakes. As it turned out, "even in the best-case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate Web site from a spoofed Web site," the report states. "In our study, the best phishing site was able to fool more than 90 percent of participants."

Browser Redirects Below the Radar

The key for the phisher is to inveigle you into visiting the bogus site. You may be well conditioned not to trust an e-mail missive purporting to be from your bank and asking you to click a link to check your account details. But phishers today are adopting more forceful means to push your browser to their sites.

A malware-enabled technique called smart redirection secretly sends your browser to the scammer's Web site even if you manually type your bank's correct Web address into the browser. Malware on your machine monitors the availability of dozens or hundreds of duplicate fake bank sites, hosted on computers around the world, and redirects your browser to an available fake site whenever you attempt to reach your bank. And if authorities subsequently close down one site, the smart redirection software on an infected system simply sends the victim to a destination site that has eluded shutdown.

As long as there's money to be made, criminals will continue to hone their phishing skills and to develop new techniques. And there's plenty of money to be made. "Good, credentialed credit card information sells for $70 a card," says Michael Rothschild of security hardware maker CounterStorm. The phishers can even sell your data twice: "They can sell the credit that's left on the card, and they can sell the identity," he says.

How It Works: Ultraslick Lures Set Out to Catch the Wary

Illustration: Steven Lyons

  1. A well-informed, careful user manually types a bank URL into the browser address bar.
  2. Malware on the computer redirects the user to a live phishing site.
  3. By pulling text and images from the live bank site in real time, the phishing site looks just like the actual thing.
  4. The sophisticated phisher fools even the careful user, who types in his or her bank account log-in.


  1. Don't trust an unsolicited e-mail message from any company, no matter how good it looks. The best phishing sites and scam e-mail messages lack obvious flaws.
  2. Type in your bank's URL yourself or use a bookmark; avoid clicking an e-mail link.
  3. Look for a padlock icon, which indicates a secure site, in the browser's toolbar, not the Web page.
  4. Use one of the many available antiphishing toolbars that can warn you when you encounter a known phishing site. Netcraft offers one popular free toolbar; Tom Spring looks at others in his Spam Slayer column "Fight Fraud and Phishing With New Tools."
1 2 3 4 5 6 7 8 9 10 11 Page 4
Page 4 of 11
Shop Tech Products at Amazon