Look out. Phishing attacks are starting to use zero-day exploit code.

Two days after the Internet Explorer VML zero-day exploit code was released, phishers used it in their attacks, says Tod Beardsley, lead counter-fraud engineer at TippingPoint.

"That's unusual... Phishers don't usually take the bleeding-edge." But thanks to the increasingly popular WebAttacker hacker tool, which quickly added the VML bug to its repertoire once it was made public, attackers got the zero-day feature in their tool updates, he says.

Even so, most phishing attacks today are still the same old, same old: Poisoned links in fake emails and fake Websites, according to the latest phishing trends data gathered in the last year by TippingPoint from its own and other sources. Keystroke loggers delivered via email links or sometimes attached directly to a message, are still prevalent, too.

"The surprising part of this was how much more of the same it is," Beardsley says. "Fake email and fake Websites are still very effective."

And now there's a public clearinghouse for phishing emails and URLs: OpenDNS today launched its long-awaited PhishTank site, where users and Web developers can post and track phishes. (See DNS Gets Anti-Phishing Hook.) It's a neighborhood watch of sorts for phishing exploits.

"There's been no feedback loop for consumers," says David Ulevitch, president of OpenDNS, which is hosting PhishTank. "With PhishTank, you can be part of the process to clean up the Net."

"If you give your phish to one vendor, every other company loses out. PhishTank is totally open," Ulevitch says. That puts app developers on equal footing, too. "Now you don't have to pay Symantec, for example, to get access to phishing data to make your application more intelligent."

OpenDNS will release Outlook and Thunderbird email plug-ins soon as well, so a user's email package will automatically verify phishing emails based on PhishTank's database. OpenDNS is also making its free PhishTank API available to developers who want to interface to the site and its phishing data.

Meanwhile, phishers still prefer the easy way out, TippingPoint's Beardsley says, although tools like WebAttacker are putting more sophisticated features at their fingertips. "We expect to see good use of XSS in the near future for combining browser vulnerabilities in XSS using very popular Websites like YahooMail and MySpace, for instance."

Over 85 percent of phishing servers today are Apaches running PHP, according to TippingPoint's findings. "These are the preferred Web servers for phishers to compromise," he says. With PHP, "an attacker can upload his own custom content, which is ideal for phishing. And PHP module administrators haven't traditionally been quick on patches."

Most PHP machines belong to hobbyists, Beardsley says, and these tend to get "owned" the most by phishers.

"One person tricking another has existed for all time," OpenDNS's Ulevitch says. "You can't get rid of it altogether, but you can make it harder by raising the bar."

— Kelly Jackson Higgins, Senior Editor, Dark Reading