July 26, 2004

New Exploit: Two Part Phishing

I guess this isn't really phishing, but it's the most complex exploit I've seen.

Last night and today I received several bounce messages, each containing a zip file that I purportedly sent to myself. The bounce messages didn't smell quite right, since they lacked copies of the original headers in the bounce message. Of course I discarded the entire message including the zip file immediately — I wasn't about to run a virus.

All the bounces theoretically had originated somehow with Pobox, the service I use to "wash" my email and stem off some of the flood of spam. And that should have raised a red flag, because Pobox generally has impeccable bounce messages. And looking back after the fact, I can see that all the bounces were forged bounces.

Forged bounces? Why send forged bounces?

Part 2 of the exploit just arrived, a message "from pobox" which states:

> Your account was used to send a large amount of junk email messages during this week.
> Obviously, your computer was compromised and now runs a trojaned proxy server.
>
> Please follow our instruction in order to keep your computer safe.

and includes a zip file -- which, by the way, doesn't trip online spam detectors. The message immediately tripped my internal bogosity detectors, and that's when I noticed that the message didn't originate with Pobox.

I've notified Pobox, but this is the most sophisticated phishing expedition I've seen -- even if it doesn't technically count as phishing. The goal is to get the recipient to open the zip file included in the bounce messages.

It's clever, and I suspect it will be very effective. I've seen it against Pobox, but I'm starting to get bounce messages that lead me to believe it's about to be launched against other sites as well.
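The two tells in this post (a bounce that carries no copy of the original headers, and a "from Pobox" message whose delivery path never actually touched Pobox) can be checked mechanically. The following is an added example, not code from the original post or from Pobox: it parses two constructed sample messages (a well-formed delivery-status notification and a forged bounce with a zip attachment) and reports whether the original headers are enclosed, whether the receiving mail server recorded a hand-off from the expected relay, and which non-text attachments are present. The relay domain `pobox.com`, the host names and addresses, and the attachment bytes are all assumptions made up for the example.

```python
"""Inspect a suspected bounce for the tells described in the post.

Added example with constructed sample messages; nothing here is a real
worm sample. EXPECTED_RELAY is an assumption about which domain the
provider's outbound relays announce in Received headers.
"""
import re
from email import policy
from email.parser import BytesParser

EXPECTED_RELAY = "pobox.com"  # assumed provider relay domain

# Constructed sample 1: a genuine-looking DSN (multipart/report with a
# delivery-status part and a copy of the undeliverable message's headers).
GENUINE_BOUNCE = b"""\
Received: from mx.pobox.com (mx.pobox.com [192.0.2.10]) by mail.example.net; Mon, 26 Jul 2004 09:00:00 -0400
From: Mail Delivery System <MAILER-DAEMON@pobox.com>
To: user@example.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The original message was not delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.pobox.com

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--b1
Content-Type: text/rfc822-headers

From: user@example.net
To: nobody@example.org
Subject: hello
--b1--
"""

# Constructed sample 2: a forged bounce. The sender merely claimed to be
# pobox.com in its HELO; the receiving server recorded no such host, and the
# "original message" is an opaque zip rather than enclosed headers.
FORGED_BOUNCE = b"""\
Received: from unknown (HELO pobox.com) (198.51.100.7) by mail.example.net; Mon, 26 Jul 2004 08:00:00 -0400
From: MAILER-DAEMON@pobox.com
To: user@example.net
Subject: Mail Delivery (failure user@example.net)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

The original message was included as attachment.
--b2
Content-Type: application/zip; name="message.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b2--
"""

# Matches the annotation a receiving MTA adds: "(reverse-dns-name [ip])".
# A HELO name chosen by the sender does not match this pattern.
_VERIFIED_HOST = re.compile(r"\(([\w.-]+)\s+\[[\d.]+\]\)")


def parse(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def has_original_headers(msg) -> bool:
    """A real DSN encloses the bounced message or at least its headers."""
    return any(
        part.get_content_type() in ("message/rfc822", "text/rfc822-headers")
        for part in msg.walk()
    )


def passed_through_relay(msg, relay: str = EXPECTED_RELAY) -> bool:
    """True if any Received line shows a host under `relay` handing the mail
    over, as recorded by the receiving server (not the sender's HELO claim)."""
    for received in msg.get_all("Received", []):
        match = _VERIFIED_HOST.search(str(received))
        if match:
            host = match.group(1).lower()
            if host == relay or host.endswith("." + relay):
                return True
    return False


def non_text_attachments(msg):
    """List (content-type, filename) for every part that is not text."""
    return [
        (part.get_content_type(), part.get_filename())
        for part in msg.walk()
        if not part.is_multipart()
        and part.get_content_maintype() not in ("text", "message")
    ]


def assess(raw: bytes) -> dict:
    """Summarise the tells for one message."""
    msg = parse(raw)
    return {
        "original_headers_enclosed": has_original_headers(msg),
        "via_expected_relay": passed_through_relay(msg),
        "attachments": non_text_attachments(msg),
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_BOUNCE), ("forged", FORGED_BOUNCE)):
        print(label, assess(raw))
```

A bounce that fails both checks and carries an archive is worth discarding unopened, exactly as the post does; the Received check is deliberately based on the receiving server's own annotation, since the From line and the HELO name are under the sender's control.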

Further information, added 07-27: It seems that this worm is a variant of My.Doom, and it actually is not a coordinated attack; it's just a coincidence that I got the bounce messages before I received the your-machine-is-compromised messages. I wonder how long until we see more sophisticated, coordinated attacks?

Posted by Moshe Yudkowsky at 10:51 AM