A new phishing attack is being used to hook unwary web users, the Anti-Phishing Working Group (APWG) has warned.
When a phishing victim clicks on a link in an email pretending to come from their bank or another company, they are sent to a fake website which will then try to steal bank account details or other information.
The APWG said this new method does not make use of the Internet Explorer flaw used in previous attacks, but extends a similar visual effect to multiple browser platforms.
The new trick uses software that detects the user's browser and applies custom JavaScript to replace the look and feel of the web address bar with an appropriately designed working fake, to fool people into thinking they are visiting a legitimate site.
"When a user clicks the link in the email they have no way of knowing they've been taken to a fake site," an APWG spokesman told vnunet.com.
"If you were to type in a new web address in the fake address bar, it will load the new requested page."
The second issue with a fake address bar is the possibility for a 'man in the middle' attack, where every subsequent website visited, and any passwords or credit card numbers entered, could be sent to the phisher until the browser window is closed.
"We've seen about 30 unique attacks using this basic source code since 25 February 2004," said the APWG spokesman.
"This is the first evolution that is programmed to automatically detect the browser type and selectively replace the address bar with a look and feel that matches, and functions.
"This variation was first seen on 31 March and, as yet, we haven't seen it repeated. But we expect this won't be the last."
The spokesman added that phishing seems to be following the same pattern as viruses and worms, where one group develops the original version and others re-purpose successful code and enhance it further.
Phishing attacks are increasing in frequency and sophistication. February was the busiest month recorded, with 282 email attacks, a 60 per cent rise on January's record total, according to the APWG.
And the group warned: "Even veteran users are having a really hard time telling real from fake without diving into the source code of a message or web page.
"Consumer education will only work to a point - and that point is diminishing."