In his blog security researcher Aviv Raff says a spoofing vulnerability means URLs directing users to fake sites look like they are from trusted domains when viewed through the iPhone's mail or Safari browser applications.

"By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, showed in the mail application, is from a trusted domain," says Raff in his blog. "When clicking on the URL, the Safari browser will be opened. The spoofed URL, showed in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain."

IPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by the vulnerability, but Raff warns earlier versions may also be affected.

In addition, a security design flaw means the iPhone's Mail application is also spammable, says Raff.

He says Apple has acknowledged the problems and is working on a fix. In the meantime Raff advises users to avoid clicking on links in the Mail application and enter the URL manually.

In separate phishing news, a Romanian man accused of being part of an international phishing gang has pleaded guilty to a charge of conspiracy to defraud with access devices in a US District Court in Bridgeport, Connecticut.

Ovidiu-Ionut Nicola-Roman, 22, of Craiova, Romania, was one of 38 people accused of being part of an international crime ring that allegedly used spam e-mails to steal bank account details and passwords from thousands of customers.

Nicola-Roman, along with six other Romanians, was charged in a District of Connecticut indictment for his roles in the scam in January 2007.

He was also one of 33 charged by a federal grand jury in Los Angeles in a 65-count indictment, according to the US Department of Justice.

The US Attorney's Office for the District of Connecticut says that in pleading guilty, Nicola-Roman admitted that he participated in the phishing scheme, accessed e-mail accounts containing stolen credit card information and that the stolen numbers were used to obtain money unlawfully.

Nicola-Roman, who was arrested on an Interpol warrant in June 2007 in Bulgaria, is scheduled to be sentenced in October and faces a maximum prison term of five years and a fine of up to $250,000. He still faces similar charges in California.

The investigation into the gang stemmed from a complaint concerning a fraudulent e-mail message made to appear as if it originated from Connecticut-based People's Bank. In fact, the message directed victims to a computer in Minnesota that had been hacked and used to host a counterfeit People's Bank Internet site.

Investigators say the gang engaged in similar phishing schemes against other firms, including Citibank, Capital One, JPMorgan, Comerica Bank, Wells Fargo, eBay and PayPal.

According to the Los Angeles indictment, gang members based in Romania obtained thousands of credit and debit card accounts and related personal information through phishing. The DoJ says the gang unleashed more than 1.3 million spam e-mails in one phishing attack.

The Romanian "suppliers" then sent the data to US-based "cashiers" via Internet chat messages. The cashiers used encoders to record the stolen information onto the magnetic strips on credit and debit cards.

Seuong Wook Lee, a cashier in the scheme, pleaded guilty on May 15 to racketeering conspiracy, bank fraud, access device fraud and unauthorised access of a protected computer, says the DoJ.