You know all about phishing scams, right? You know better than to click on a web link embedded in an email that purports to be from your bank, or to reply to messages requesting your user name and password. But if you think that's enough to protect yourself, think again.
A phishing scam currently spreading online works without your ever having to click on a link; all that's required to activate the scam is for you to open the email. And, many security experts warn, this threat may be a sign of things to come.
"This style of attack is new and old at the same time. It's a common approach that virus writers take, but it's new with regard to phishing attacks," says Jim McGrath, senior director of security management products for NetIQ. "Phishers are trying to use the techniques that have been very successful for virus writers. It's a new and dangerous trend."
The current phishing scam, which has been labeled JS/QHosts21-A by antivirus vendor Sophos, is an example of this kind of blended threat. In this case, the scam involves a Trojan horse that combines with an ActiveX vulnerability in Windows to install itself on your machine invisibly, without warning.
According to Sophos, JS/QHosts21-A arrives in an HTML email that displays the Google Web page. If you have enabled scripting on your PC (Internet Explorer and Microsoft's Outlook and Outlook Express email clients enable scripting by default) and you have ActiveX security settings configured too low (or if you are running an out-of-date and/or unpatched version of Windows), the Trojan horse installs itself on your PC.
The Trojan horse then makes changes to the Hosts file, a component of Windows that your browser consults first, before any DNS lookup, when it converts a domain name that you enter (such as "www.pcadvisor.co.uk") into the IP address it needs to load a web page.
By entering an IP address of the fraudster's choosing into your PC's Hosts file, and associating it with the names of bank websites, the phisher can force your browser – any browser, not just Internet Explorer – to go to a fake website that may look like your bank's, but isn't.
Then all they have to do is get you to log in, and the phisher has your username and password.
"These next-generation phishing scams don't use traditional methods, they don't try to lure you with an email," says Graham Cluley, a senior technology consultant with Sophos antivirus. "Instead, they infect you with a Trojan, wait for you to visit a banking site, and then a keylogger grabs your password."
Under normal circumstances, most people do not have any IP addresses listed in their Hosts file, but the file exists just in case you might need to use it. And because most PC users are unfamiliar with the workings of the Hosts file, unless you're running special software that monitors the Hosts file for changes, you may never know it has been changed until it's too late.
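The kind of Hosts-file check the paragraph above alludes to, as an added example that is not part of the original article or of any vendor's product: it parses the file the way Windows does (one address followed by one or more names, `#` comments ignored) and flags entries that pin a hostname to a non-loopback address, or that remap a known name such as `localhost` away from its expected address. The sample file content, the bank-like hostnames and the `203.0.113.45` address are constructed for illustration.

```python
import ipaddress
from pathlib import Path

# Constructed sample hosts file (not from the article). The two bank-looking
# entries are the style of redirection a Hosts-file hijack inserts; the
# address comes from the 203.0.113.0/24 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.example-bank.com
203.0.113.45    online.example-bank.com   # constructed attacker-chosen IP
"""

# Names a stock Windows hosts file legitimately maps to loopback.
EXPECTED = {"localhost": {ipaddress.ip_address("127.0.0.1"),
                          ipaddress.ip_address("::1")}}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:  # not an address; ignore malformed line
            continue
        for name in parts[1:]:
            yield ip, name.lower()


def suspicious_entries(text, expected=EXPECTED):
    """Return (ip, name, reason) for entries worth a closer look."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name in expected:
            if ip not in expected[name]:
                flagged.append((str(ip), name, "known name remapped"))
        elif not (ip.is_loopback or ip.is_unspecified):
            # 0.0.0.0 / 127.x sinkholes are common and benign; a real
            # routable address for a named site is what a hijack looks like.
            flagged.append((str(ip), name, "non-loopback mapping"))
    return flagged


def check_windows_hosts(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Run the check against the live file (path from the article)."""
    return suspicious_entries(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {why}")
```

Run on a schedule or from a file-change watcher, a non-empty result is the signal that the file has been altered; the flagged lines are the ones to remove, as the article's final step describes.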
JS/QHosts21-A has only been seen in very low numbers so far, and currently is targeting banks only in Brazil, says Sophos's Cluley. He also notes that any up-to-date antivirus software should be able to catch the file. So why is it worth your attention? Because many security experts expect it to spread further.
"For the last few months, we've seen a growth in similar behaviour," he says. "Unlike the rather crude rewriting of the Hosts file, which redirects you to a bogus site [which is what JS/QHosts21-A does], Brazilian hackers have been creating an army of Trojans designed to wait until you visit the real, bona fide banking website."
Once you visit a banking site, these Trojan horses spring into action. They launch a keylogger that captures your user name and password, and they also collect screen shots of the activity on your PC.
"In other words, no bogus website needs to be created at all (less hassle for the hackers, and less chance of there being clues in the creation of the bogus website), and they rely on users doing exactly what we tell them to do – visit the real, legitimate website," Cluley says.
"It may only be a matter of weeks away from targeting customers [in other countries]," he says.
Alex Shipp, senior antivirus technologist with MessageLabs, the company that discovered the JS/QHosts21-A threat (though Sophos is the only company referring to it by that name), agrees that the threat is likely to spread. "Right now, phishers are trying this technique out to see how well it works," he says. "If it works in Brazil, we'd expect to see it move all around the world within a month."
The good news for users is that these threats – like all phishing scams – are preventable. Experts recommend running antivirus software and updating it frequently, as well as installing a personal firewall.
To prevent the Trojan horse from attacking, PC users should keep their versions of Windows and Internet Explorer up-to-date with Microsoft's security patches, and consider using an alternative browser. However, it's important to note that once your computer has been compromised, the modified Hosts file will affect any browser you use on the infected PC, not just Internet Explorer.
If you've already been infected with JS/QHosts21-A, you may need to manually change your Hosts file back to its original format, says Dave Jevans, chair of the Anti-Phishing Working Group. If you're running Windows XP, you can modify the file (which is located at C:\WINDOWS\system32\drivers\etc\hosts) by opening it with a text editor, such as Notepad, WordPad, or Microsoft Word.
For the JS/QHosts21-A exploit, the following entries will be visible in the file, Jevans says:
If you see those entries, delete them, save the file, and reboot your system.