"It's no longer a HTML page with 20 different images," he told SCMagazine.com today. "It's just one file. It looks exactly the same. If you're not careful, you won't be able to tell the difference."
Users can be tipped off that they are viewing a Flash site if they right click on the page, which reveals some program options, Hypponen said.
"This [technique] seems pretty efficient until the URL becomes known [to blacklists], but in the meanwhile, it works," he said.
Avivah Litan, a Gartner analyst who specialises in phishing research, told SCMagazine.com that new schemes such as this one highlight the need for better protection than phishing filters can offer.
"The crooks are always one step ahead of our technology, and this is another proof of that," she said.
She said the burden falls on internet service providers, domain registrars and browser and email service providers to create and manage an identity layer on the web.
Researchers are hoping that planned high-assurance, extended validation SSL certificates will better assure a site's legitimacy, Litan said.
But Steven Myers, assistant professor of informatics at Indiana University, Bloomington, said phishing attacks have gotten so sophisticated, users should assume "phishers are going to control what shows up on your screen."
Litan said organisations will not get serious about internet security until a cyberattack to the degree of the events of 11th September 2001 occurs, whether that is a mass posting of private information or the widespread takedown of online financial institutions.
Click here to email reporter Dan Kaplan.
.png&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
