April 28, 2005Not All Phish Messages Are Harmless
I've looked through the source code of probably hundreds of phishing messages through the years, and don't recall ever encountering one that wasn't essentially harmless to view, even in HTML. A little importing of the financial institution's logo art and a hidden URL to a phony login site, and that was it.
The Subject: line was like so many others that float around the Internet: Urgent Safeharbor Department Notice. Safeharbor is an eBay thing, so this was going to be yet another eBay phishing message. But lurking in the body was a virus loader that fires (in the right environment) upon viewing the message in HTML form.
After doing some checking, I found that the potential infection is for a rather old virus, called VBS.Redlof.A This virus dates back to the era (all of three years ago) when viruses were mostly written and distributed by precocious youngsters, earning them the name "script kiddies." Most of these idiotic tricksters were interested in seeing how far and how quickly their inventions could spread.
Those days are gone, but their viruses live on in some computers around the world. Such computers either have absolutely no virus protection, or they haven't updated their virus definitions since early April of 2002.
The phishing message that contained the Visual Basic Script loader for the virus (requiring a Windows computer to execute it, by the way) was sent through a zombie PC. It's not easy to tell if the zombie is infected with the virus or if the phisher who generated the message is. Whoever is infected, the virus turned the HTML code for the message into an unsolved Rubik's Cube—pieces chopped up and distributed all over the place within the document.
But the lesson is clear: Messages you may have thought could be harmless are not necessarily so. With so many phishing messages not only going out but being opened by recipients, I had been waiting for a sign of this kind of exploitation for awhile. In this case, I believe it was unintentional (somebody in the chain doesn't know that his or her computer is hosed). But phishing messages and the sites they lead to could become a huge vector for all kinds of nastiness, even if you just open the message and visit the phony site without logging in.
The same safety rules I supply in Spam Wars apply to phishing messages. The infected message I received today indicates that everyone needs to take this stuff seriously.Posted on April 28, 2005 at 09:05 AM