Phishing twist relies on bogus blogs

A new form of phishing is taking shape and riding on the growing popularity of blogs, security company Websense said Tuesday.

Malicious virus writers are attempting to lure people to malicious blogs using enticing e-mails and instant messages, according to a new report from Websense. Once a person arrives at the blog, which can be posted on a legitimate host site, the victim's computer becomes infected with software designed to steal sensitive information, such as passwords and bank account information.

"These aren't the kind of blog Web sites that someone would stumble upon and infect their machine accidentally," Dan Hubbard, Websense senior director of security and technology research, said in a statement. "The success of these attacks relies upon a certain level of social engineering to persuade the individual to click on the link."

In the past four months, Websense has detected hundreds of cases where blogs were used to store malicious code and infect users' computers. Malicious virus writers are attracted to blogs not only because the medium's popularity is growing, but also because of the free storage often provided by the host site and the lack of antivirus protection provided for these posted files.

Websense said that as of Tuesday, there are 210 active bogus blogs. The company also notes that the average lifespan of one of these blogs is three or four days.

In one recent case, Websense found a spoofed e-mail that tried to lure people to a malicious blog that would run a Trojan horse. The e-mail looked like it came from a popular instant-messaging service, and it tried to entice the recipient to click on a link to get a new version of its IM program. But when people clicked on the link, it directed them to a blog that hosted keystroke-logging software to steal their passwords when they accessed certain online banking sites.

The use of blogs is just the latest twist on phishing techniques. Other phishing offshoots include cross-site scripting and DNS poisoning.