Consumers should lobby their ISPs to adopt aggressive filtering technology to cleanse email of phishing and spam attacks before it reaches their home PCs, a security expert said today.

Phishing emails now comprise more than half of all malware intercepted by security firm MessageLabs, the company said in its latest quarterly security report, and phishing techniques are becoming increasingly sophisticated. 

Mark Sunner, chief technical officer at MessageLabs, told vnunet.com that the best protection is not more stringent end-user security, but filtering by ISPs at the internet level. 

Phishing accounts for 52 per cent of malware, up from 30 per cent in August and 20 per cent in July.

Botnets sending out spam and phishing emails are programmed to avoid segments of the internet where MessageLabs filters are active, according to Sunner.

But where MessageLabs has set up 'honeypots' of seemingly unprotected PCs, the rate of phishing is close to 90 per cent.

"The huge jump is probably because the phishers are making hay while the sun shines and targeting banks which do not yet have two-factor authentication," said Sunner.

European banks have been moving from simple password protection to two-factor authentication based on a password plus a number generated for a single online banking session.

Examples of these systems include a random number generator given to account holders, a series of scratch-off numbers on the account statement or a number delivered on-demand by SMS.

But Sunner warned that two-factor authentication is not the 'silver bullet' that banks assume it to be.

MesageLabs has seen key-capture Trojans specifically targeted at banking sites which only activate once the customer has gained access to the banking site.

The Trojans then enable the session to be remotely hijacked and funds siphoned off into another account.

"So far this looks like a proof-of-concept and we have not seen it used in earnest," said Sunner.

Phishers are also harvesting information from other sites so that they can target only the known account holders of a certain bank. MessageLabs warned of more sophisticated spam and phishing attacks early in September.