Security firm Aladdin, which identifies the new variant as JS.Feebs, notes that when the malware is executed by an unwitting recipient, it displays fake loading screens that look like several popular search engines. This is followed by a false error message stating that there was no available connection. The scripts do this to mask their own activities, which sometimes include disabling the system's antivirus and other security-related products as well as executing other malicious code.
This attack uses a modified HOSTS file to override the default DNS servers, so that users' internet browsers request one address and are led to another. When users try to access eBay, for example, they are unwillingly and unwittingly directed to a false site instead. Such scams are no longer dependent on badly written phishing mails with suspicious links to do their work – the modified HOSTS file is all that is required.
"We see this new fraud attempt as an illustration of the growing presence of dangerous phishing scams," said Shimon Gruper, vice president of technologies for the Aladdin eSafe Business Unit.
"Although web attacks are more difficult to measure than email-related attacks, we expect this JS.Feebs variant to have a significant impact for infected users, as their browser no longer indicates they are visiting a phishing site. Thus, users are even more likely to provide their personal data, which then lands in the wrong hands."