You've been phished...
Phishing. Now there's another new word born of the Internet, and a new type of scam looking to separate you from your bank account.
Phishing (pronounced as "fishing", as in hooking you into a scam) refers to scams, mainly done through e-mails, that fool customers of a particular bank into divulging their personal and financial information. The e-mail arrives, you think it's from your bank, so your brain turns off. A link takes you to what you think is your bank's website, where you are asked to confirm your credit card number and password. You've been phished.
I've received such e-mails. You probably have. The problem is of particular concern because there is a known flaw in Microsoft's Internet Explorer that allows the thieves to mimic legitimate financial sites, the ones that the phish e-mail takes you to.
The flaw was disclosed last year, but so far Microsoft has yet to release a patch. The flaw allows an identity thief to control the information displayed in the address bar of Explorer's browser window. So you may think you are looking at Bank of Bermuda's site at www.bankofbermuda.com because the address in your browser gives the correct link. Instead you may be looking at a criminal website, a web to trap you.
Such a forged site was used to entice people into visiting a fake version of Citibank's website, where some entered their personal identification and credit card account numbers. They had believed an e-mail that said Citibank had suffered problems with its data storage due to fraud activity. The e-mail asked them to click on a link so they could sign in and check their account balances. PayPal, Earthlink and two British financial institutions were also hit by similar scams.
Go to www.anti-phishing.org for updated warnings on such scams. About five percent of those who are actual customers of a company targeted by a phish get trapped by such scams, according to Tumbleweed Communications (www.tumbleweed.com). Tumbleweed and the Anti-Phishing Working Group (yes, one exists) recently released the results of an analysis of phishing scam attacks for the last three months of 2003.
The analysis found that 90 unique e-mail fraud and phishing attacks were sent out over the last three months of 2003. The thieves were taking advantage of the holidays. One example was a fake online Christmas card, designed to compromise AOL accounts. In this scam, the recipient receives a spoofed e-mail from the "AOL Hallmark" and is asked to visit a website to pick up his/her card. In order to access the site (which is run by the scammer), the user is asked to log in to his or her AOL account, thereby divulging the account name and password. The compromised account can then be used to launch further phishing attacks, virus attacks, spam, or other frauds. "Phishers can now spoof the email address, website graphics, website address, and even the SSL-lock icon in the Web browser," Tumbleweed warned.
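The column describes the common thread in these scams: the link in the e-mail reads like the bank's address while the real destination is somewhere else. The column does not describe the mechanism of the Explorer flaw, so this added example (not code from the column, Tumbleweed or the APWG) checks the e-mail itself rather than the browser's address bar: it pulls every link out of a message body and flags the signs a mail filter can see, such as a visible domain that differs from the real host, a bare IP address as the destination, or a user name placed before "@" so that the real server sits after it. The sample message, its links and the 192.0.2.1 address are constructed for illustration; bankofbermuda.com appears only because the column mentions it.

```python
"""Flag phishing-style links in an HTML e-mail body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain name the recipient can see in the link text, e.g. "www.bankofbermuda.com".
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Crude 'example.com' from 'secure.example.com'; enough for a demonstration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks like a phish; an empty list means clean."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    # 1. Anything before '@' in the authority is a user name, not the server.
    if parsed.username is not None:
        reasons.append("userinfo-before-@")
    # 2. A bank links to its domain name, not to a bare IP address.
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    # 3. The visible text names one domain but the href goes to another.
    m = _DOMAIN_IN_TEXT.search(text)
    if m and host and registrable(m.group(1)) != registrable(host):
        reasons.append("text-host-mismatch")
    return reasons


def scan_email(html):
    """Map every link in the message body to its list of findings."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample message: two disguised links and one genuine-looking one.
SAMPLE = """<p>Please sign in to confirm your details:</p>
<a href="http://www.bankofbermuda.com@192.0.2.1/login">www.bankofbermuda.com</a>
<a href="http://192.0.2.1/login">Click here</a>
<a href="https://www.bankofbermuda.com/">www.bankofbermuda.com</a>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE).items():
        print(href, "->", reasons or "clean")
```

The three checks are deliberately independent so that a single disguised link can trip more than one of them; a real filter would weigh them rather than treat any one as proof, since legitimate mail occasionally links to an IP address.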
Last week it was the Bagle/Beagle mass e-mail worm attacking computer systems; this week it's the turn of "Mydoom", "Novarg" or "WORM-MIMAIL.R" as it's called. Novarg is replicating itself so quickly that some corporate networks have had to be shut down. The worm attacks computers running Microsoft Windows operating systems. W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr or .zip. When a computer is infected, the worm sets up a backdoor into the system, potentially allowing an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files. Go to Symantec for information on how to remove Novarg if you've been hit.
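Since the worm arrives as an attachment with one of the extensions listed above, the simplest defence at the mail gateway is to classify attachment names before delivery. The following is an added example (not from the column or from Symantec) that applies that list: it lowercases the name, looks only at the final extension (Windows runs a file by its last extension, so "card.jpg.exe" is an executable however it is displayed), blocks the executable types outright and sends archives for inspection because a .zip can carry the same executables inside. The filenames are constructed samples.

```python
"""Classify e-mail attachment names by the extensions the column lists (added example)."""
import os

# Extensions the column gives for the worm's attachment, split by how to handle them.
EXECUTABLE_EXT = {".bat", ".cmd", ".exe", ".pif", ".scr"}
ARCHIVE_EXT = {".zip"}


def classify_attachment(filename):
    """Return 'block', 'inspect' or 'allow' for one attachment filename."""
    name = filename.strip().lower()          # header values may carry stray whitespace
    _root, ext = os.path.splitext(name)      # only the last extension decides execution
    if ext in EXECUTABLE_EXT:
        return "block"
    if ext in ARCHIVE_EXT:
        return "inspect"
    return "allow"


def triage(filenames):
    """Group a batch of attachment names by verdict, preserving their order."""
    verdicts = {"block": [], "inspect": [], "allow": []}
    for filename in filenames:
        verdicts[classify_attachment(filename)].append(filename)
    return verdicts


# Constructed sample: names in the style of the worm's mailings plus ordinary files.
SAMPLE_ATTACHMENTS = [
    "Christmas_card.JPG.exe",   # double extension: shows as a picture, runs as a program
    "document.zip",             # archive: open and inspect the contents
    "readme.txt",
    "report.pdf",
    "body.scr ",                # screen saver with trailing space from a sloppy header
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict}: {names}")
```

Blocking by extension stops this particular mailing but not a later variant that changes its wrapper, which is why the archive case is marked for inspection rather than allowed through.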
Contact Ahmed at editor@offshoreon.com