Some phishing gangs have a new technique. They're
using trojan-spy applications.
Last
week we received the following e-mail message:
Notice that the message doesn't
mention anything about providing an account-name
or password.
Instead, it attempts to
convince the recipient that they need to install a
Digital Certificate for enhanced safety. (Anybody
want to buy a bridge?)
The message
links to a site with the following:
It's basically a page full of jargon
designed to overwhelm the potential victim. What
happens if the victim falls for the bait and
installs the "certificate"? A trojan-spy will be
installed.
So now the phishers don't
need to ask for passwords anymore, they can just
take them.
This technique keeps the
classic element of phishing by mimicking the
trusted institution — the bank. What they've
adjusted is the part that people have become
skeptical of, which is giving away their password
when requested by e-mail.
