Phishing attacks will use more sophisticated social engineering, targeting consumers for financial and identity theft and businesses for intellectual property theft.
This is the main conclusion of the August 2006 global malware report released today by security firm MessageLabs.
The days of crude phishing emails which consumers have learned to spot are coming to a close, warns the report.
Cyber-criminals are now developing personalised approaches that ape legitimate businesses' customer relationship management techniques, or 'victim relationship management'.
"The latest wave of phishing attacks uses social engineering techniques by harvesting personal data from social networking sites like MySpace," said Mark Sunner, chief technical officer at MessageLabs.
"You will be sent an email personally addressed to you from your bank with your correct address and postcode."
MessageLabs has detected a steady increase in this kind of attack since December 2005.
Spam and virus outbreaks are flat overall, barely increasing or slightly decreasing since last month, the report found.
This is to be expected, according to Sunner, because virus outbreaks are almost directly proportional to spam attacks.
Cyber-criminals use viruses with trojan payloads to recruit zombie PCs and assemble them into botnets from which to launch spam attacks.
At the peak of virus activity in the summer of 2004, botnets of 100,000-plus zombies were a common occurrence, but botnets now average 20,000 PCs or fewer, said Sunner, as the cyber-criminals attempt to avoid detection.
Nevertheless, more people than ever are duped by these more sophisticated lower-volume attacks. Spam now represents one in 321 emails intercepted by MessageLabs.
Businesses are being targeted with sophisticated one-off trojans hidden in Office documents purporting to come from trusted sources.
These attacks target specific firms for the purpose of intellectual property theft and commercial espionage.
So what can be done to combat the growing phishing threat? The problem, according to Sunner, is that, while the cyber-criminals have evolved in sophistication, the security firms still rely on a 20 year-old business model of end-user patching.
Filtering has to be done at the Internet level before phishing-related spam arrives in email inboxes, he explained.
"Humans are becoming the weakest link in the security chain, but frankly it's unfair to put the onus on the customers," said Sunner. "More filtering has to be done at the 'cloud' level, i.e. by ISPs before it reaches their subscribers."
He added that other utilities work this way. "You don't have to purify your water supply for new bugs, so why should you have to do it with your Internet access?" he asked.
ISPs want to reduce customer churn and present themselves as more than a dumb pipe for internet access. This gives them the opportunity to offer a higher level of service, i.e. clean internet access, the report concluded.
Experts warn of devious phishing attacks
By Andrew Charlesworth on Sep 4, 2006 9:53AM