Computerworld
Sport phishing morphs into cybercrime wave
Deb Radcliff  20 June, 2006 10:17

Traditional e-mail phishing exploits are still growing in numbers, but they seem almost tame compared with newer, more virulent malware used by cybercrime rings that trade in financial account information.

These increasingly sophisticated and organized groups are using such tricks as keystroke loggers, browser redirectors and trojan horses to harvest, store and sell stolen information. And they're using automated, untraceable armies of botnets to help.

"Phishers have begun to specialize in malware, which we think is going to be a continued push. Some specialize in payload. Others specialize in delivery. This is a business for them, and they treat it as such. It's all become very sophisticated," says Brad Keller, e-commerce business risk manager at a bank.

"We're at the stage, technologically, where the criminals are ahead of us, and I don't see that gap closing anytime soon," adds George Rapp, senior vice president and director of IT for an online commercial and retail bank.

This bank has more than 50 percent voluntary adoption of multifactor authentication among its user base. Most have opted to use memory-phrase authentication (such as first pet's name, elementary school name or something else only they would know), with a small percentage of more technical users opting to pay $US25 a year for RSA Secure Tokens.

In the next few months, Rapp plans to require multifactor authentication for all users. Even then, he says, he's still worried about "man-in-the-middle" attacks that would let malware manipulators get at account data during the authenticated session.

His concern is well founded. In February, iDefense, a VeriSign-owned security intelligence company, began tracking a growing botnet called MetaFisher. By mid-March, when iDefense reported it to the public, MetaFisher had affected more than a million account holders, most of them European.

MetaFisher transfers bank account information during open connections, which raises concerns among security experts that phishers have already foiled the industry's best-planned defences -- multifactor authentication and guest integrity checks on consumer PCs -- even before companies like the banks can deploy them.

The high cost of phishing

The stakes are high for both sides. Phishers make good money from traditional and automated techniques, which Gartner says conservatively cost consumers and businesses $US2.7 billion in the first half of 2005. As phishers haul in their illicit gains, businesses stand to lose their e-commerce communications and revenue channels altogether.

Of 5000 consumers surveyed, 42 percent say they've curbed their online shopping because of phishing fears, according to the Gartner study. Meanwhile, confidence in e-mail is at an all-time low, as 80 percent say they distrust e-mail claiming to be from brands they know.

At the very least, if trust is not restored, Gartner predicts phishing and similar crimes will slow Internet growth by between 1 and 3 percent through to the end of 2008.

"What you've got here is the perfect storm: a global network worth trillions of dollars offering near-perfect anonymity, instant connectivity to millions of easy marks and countless ways to launder money," says Marcus Sachs, who directs the cybersecurity research centre at the US Homeland Security Department.

"Everything right now is working in favour of the criminals. There's not enough trained law enforcement. And the infrastructure itself is not reliable enough for the load we've put on it," Sachs adds.
