Next Gen Phishing Improves on Simple Spam

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"

Happened to us

[Exp315]

I'd call it hacking, not phishing, but this happened to us earlier this year. Our company web site at was hacked many times over a period of a month to insert code redirecting visitors to a Russian site that attempted to install a trojan. We knew that 's server was compromised because other users of the same server were also complaining about the same thing. 's reaction?: "We are aware of the problem and we are investigating". We abandoned our account there and moved to another web host after repairing our site every day (often several times per day) for a month.

Re:What the article lacked...an example

[aliendisaster]

E-Bay really did that to themselfs by allowing outside code on the auctions. I guess a prettier auction is more important than security for the millions of e-bay users.