A simple phishing attack could redirect victims to fraudulent sites nearly undetectably, according to a recent analysis.
The attack, triggered when a victim runs a Trojan horse, changes the victim's domain-name servers to point to attacker-controlled servers and then deletes itself, according to an analysis of the code by security firm Websense. The malicious code is sent to potential victims under the guise of a security update for PayPal. Instead, the program replaces the PC's domain-name servers with attacker-controlled ones that redirect requests for PayPal to a phishing site that steals the user's sensitive information.
The technique could cause headaches for some anti-phishing software. Traditionally, malicious programs have changed the hosts file on the system, which is fairly easy to defend against and detect, even after infection. By taking only an action that a legitimate user might take and then deleting itself, the latest attack tool makes changes that are much more difficult to detect.
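The two checks contrasted above, as an added defensive example that is not from the Websense analysis: one function flags hosts-file overrides for a watched brand, the other compares the machine's configured DNS servers against a known-good baseline. The resolver addresses, the watched domain and the sample hosts file are constructed assumptions; the caller is expected to supply the DNS server list read from the operating system.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the analysis).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}  # assumed known-good resolvers
WATCHED_DOMAINS = {"paypal.com"}                   # brands worth flagging

SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1   localhost
203.0.113.9 www.paypal.com paypal.com   # injected override
::1         localhost
"""

def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (ip, name) pairs where the hosts file pins a watched domain."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            name = name.lower().rstrip(".")
            # Match the domain itself or any subdomain, but not look-alikes
            # such as "notpaypal.com".
            if any(name == d or name.endswith("." + d) for d in watched):
                findings.append((ip, name))
    return findings

def audit_resolvers(configured, approved=APPROVED_RESOLVERS):
    """Return configured DNS servers that are not on the approved baseline."""
    approved_ips = {ipaddress.ip_address(a) for a in approved}
    rogue = []
    for server in configured:
        server = server.strip()
        try:
            ok = ipaddress.ip_address(server) in approved_ips
        except ValueError:
            ok = False   # an unparsable entry is reported rather than ignored
        if not ok:
            rogue.append(server)
    return rogue

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print(audit_resolvers(["192.0.2.53", "198.51.100.7"]))
```

The resolver check only works against a baseline recorded before infection, which is why a changed DNS setting is harder to spot than a hosts-file entry that names the targeted site outright.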
The development comes as law enforcement is increasingly cracking down on bot herders and Internet fraudsters. While more Internet service providers are pushing anti-phishing efforts, the scam artists are obviously adapting.
Posted by: Robert Lemos