UK security outfit SecureTest is warning of a new twist on the familiar phishing scam, in which fake e-mail order confirmations direct recipients to a Web server that writes a malicious file to the user's PC.
The e-mail, a bogus order confirmation for an IBM Laptop PC, tells the recipient that their bank account has been debited for £1099.99 and provides a link to check or cancel the order. Following the link leads to a Web server which exploits an unpatched weakness in Microsoft's Internet Explorer to write a potentially malicious file to the user's hard drive.
Ken Munro, managing director at SecureTest, says the malicious code exploits a known threat which is listed by some of the major anti-virus vendors.
"The danger here is in the new format for the scam, and the new form of social engineering," he says. "Many people, on receiving an e-mail saying their bank account has been debited for £1099.99, will at least click on the link and take a further look."
News of this new variant of the phishing scam coincides with the release of the latest data from the Anti-Phishing Working Group highlighting the increasing prevalence of the threat. APWG says it recorded 1125 different e-mail scams in April, nearly tripling from March, with Citibank the most popular attack target.