Online security services firm MessageLabs is warning of a new phishing scam designed to capture online banking details without requiring customers to click on false links - they just have to open an e-mail.
MessageLabs says it has intercepted a number of e-mails which, when opened, surreptitiously run a script that attempts to rewrite the hosts files of targeted machines. This means the next time the user tries to log on to legitimate online banking services, they will be automatically redirected to a fraudulent Web site.
Alex Shipp, senior anti-virus technologist, MessageLabs, says: "By reducing the need for user intervention, the perpetrators are making it easier to dupe users into handing over the contents of their bank accounts.
"Most banks have advised their customers to be wary of any email asking for personal banking details, but in this case all they have to do is open an apparently innocent email and their bank details could be silently sabotaged."
So far, copies of emails targeting three Brazilian banks have been intercepted.
But MessageLabs says computer users who have Windows Scripting Host disabled are not at risk from this particular type of phishing attack.
Shipp says MessageLabs currently detects between 80 and 100 new phishing Web sites a day.
"It is a moving target, making it harder to identify and defend against. As ever, a combination of user education and the necessary levels of technology-based protection are essential," he adds.
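The redirection described above depends on a hosts file entry that pins a bank's hostname to an address of the attacker's choosing, which a defender can look for directly. The following audit is an added example, not MessageLabs code; the sample file, the `bank.example` watch list and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file. Names are placeholders and the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
::1            localhost
192.0.2.55     www.bank.example bank.example
0.0.0.0        ads.tracker.example   # local sinkhole entry
203.0.113.9    intranet.corp.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every mapping line in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: skip the line
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, watched=(), allowed=("localhost",)):
    """Return (line_no, hostname, ip, severity) for names pinned to a routable IP.

    Loopback and 0.0.0.0 entries cannot redirect a login to a remote server, so
    they are skipped. A pinned name on the watch list (or a subdomain of one)
    is "high"; any other pinned name is "review".
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name in allowed:
                continue
            hit = any(name == w or name.endswith("." + w) for w in watched)
            findings.append((line_no, name, str(ip), "high" if hit else "review"))
    return findings

if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS, watched=("bank.example",)):
        print(finding)
```

Run against the live hosts file with a watch list of the banking domains users actually visit, a "high" finding means DNS is being bypassed for a login site and the machine should be treated as compromised.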