ZDNet News reports that a security flaw in Google’s search appliances could expose Web sites that use the products to phishing attacks. The Google Search Appliance and Google Mini are used by numerous companies, including banks and universities, to add search features to Web sites. However, a Google flaw, which impacts the way the systems handle certain characters, makes it easy for phishers to create a Web link that appears to point to a trusted site. However, the link actually directs users to a malicious site.

Google discovered the problem last week, said a Google spokesperson in an e-mail Monday. “We have notified all customers and provided them with clear instructions on how to protect their appliances,” he wrote, adding that no Google Search Appliance or Google Mini users have reported any exploits of the flaw. The vulnerability will be addressed in the next release of the products, he said.

Jon Swartz of USA TODAY reports that a new batch of phishing scams are using phones instead of computers to con people into giving up their personal information. Vishing (voice phishing) has emerged as a new threat as more and more people use Voice over Internet Protocol, technology that allows cheap and anonymous Internet calls.

Many vishing scams start with an email that appears to come from PayPal or eBay, warning recipients about a problem with their account. Victims are instructed to call a number to verify basic data. The number records data with the intent to steal it for financial gain. Other vishing scams are done without emails. Victims are called out of the blue by a con artist, who already knows their credit card number, and asked for the three-digit security code on the back of the card.

Experts warn that phishing messages and websites are becoming increasingly sophisticated. One recent phishing attempt warned customers about phishing and asked them to update their information to ensure that they would be protected from phishers. To assure wary users, the legitimate 800 phone number of a targeted company was included in the message.

“This is slick stuff,” says Ron O’Brien, senior security analyst at computer-security firm Sophos. “But as long as it works, expect more.”

CBC News reports that online criminals are taking advantage of the popularity of the Oprah Winfrey Show to rip off the identities of consumers. Phishers are emailing “invitations” to fans, purporting to be representatives of the show and offering “VIP Guest Seat” tickets to the show for $550 to $950. Recipients are asked to send their name, address, age and profession, and told to wire money to an unidentified third party.

“With the large number of Oprah’s fans worldwide, we are concerned that their excitement at the opportunity to attend a taping of her TV show may result in fans responding to this unauthorized offer,” says Illinois’s Attorney General Lisa Madigan.

The Oprah Winfrey Show does not sell tickets. It takes reservations to attend tapings for free.

A newly discovered phishing scam uses computers belonging to both a medical transcription outsourcing company and the Government of Malaysia. According to PC World Magazine, the scam was discovered by a San Diego engineer and volunteer antispam activist, who received an email that purported to be from eBay’s PayPal service.

The email utilizes a popular phishing pitch: “It has come to our attention that your account information needs to be updated. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.”

The unusual part of the scam was that the link in the e-mail went to a fake PayPal site hosted by servers in the Malaysian government’s gov.my domain. “This one was interesting because of the Malaysian angle. A government server usually gets my attention,” Carton said.

Closer investigation revealed that computers from Rxdocuments, another trusted source, had been used to send out the phishing e-mail. Rxdocuments.com provides dictation transcription services for physicians. the first time that the gov.my Web site been used by phishers. It has been used at least four other times since April of this year to spoof brands such as Chase, Citibank, and eBay.

According to ComputerWorld.com, antiphishing toolbars may be ineffective. A report from SSmartWare Consulting suggested that Mozilla’s Firefox 2.0 had the best antiphishing capabilities, while a month ago a report from 3Sharp LLC claimed Microsoft’s Internet Explorer 7.0 was better. Of course, each report was sponsored by the companies — and Microsoft — that won in each test.

By contrast, a new study, Finding Phish: An Evaluation of Anti-Phishing Toolbars, was conducted by independent researchers at Carnegie Mellon University, backed by organizations such as the US National Science Foundation and the US Army Research Office. The browsers had nothing to do with the research.

The study tested ten browser toolbars, including Microsoft Explorer 7, eBay, Google, Mozilla, and McAfee’s SiteAdvisor. Even the best of the bunch — Mozilla, Google, and Explorer 7 — detected only 85% of fraudulent websites, a decent but far from secure level of effectiveness. “Overall, we found that the antiphishing toolbars that were examined in this study left a lot to be desired,” the authors concluded. “Many of the toolbars we tested were vulnerable to some simple exploits as well.”