One of 2005's biggest security stories will be ever-more-sophisticated phishing attacks that dupe not only consumers into divulging information, but target enterprises, that use not just e-mail to badger users into revealing identities, but make the browser do criminals' work.

Although 2004 may have been the year when phishing made waves and grabbed headlines, 2005 will be even worse, messaging and security analysts said Wednesday.

"Phishing will be a problem not limited to consumer mailboxes in the coming year," said David Ferris, an analyst with the San Francisco-based Ferris Research, in a statement. "Phishing attacks [in 2005] will attempt to steal organizational credentials, too," he added.

Scott Chasin, the chief technology officer from MX Logic, a Denver, Colo.-based messaging security firm, was even more pessimistic -- and specific -- about 2005's outlook.

"The nature of phishing will change to a more sophisticated technology as far as attacks are concerned," Chasin said. "Phishing will move away from e-mail distribution tactics to worm- and Trojan-based attacks that will simply redirect browsers to the spoofed site."

In today's typical phishing attack, a user receives an e-mail message purporting to be from a trusted source, such as her bank, credit card company, or other financial service provider. The message, complete with official logos and phone numbers, usually sports a spoofed, or faked, return address that adds to the deception. The message includes a link which directs the user to a bogus Web site -- unfortunately, one that can look identical to the real thing -- where she's asked to enter account information and passwords to retain her account or online access.

Chasin's counting on phishers -- often gangs of clever, technically astute criminals -- to add worm- and Trojan-based tactics that attack the validity of the browser's address bar. In his scenario, phishers will plant malicious code on compromised machines, and that code will silently redirect users to scamming Web sites even when users enter the real URL into their browser's address bar.

"If you can't trust the From address of an e-mail, what makes you think that you can trust the address bar of your browser?" Chasin asked. "There's no authentication for the address in a browser."

In response, Chasin expects that browsers will begin to add anti-phishing tools and that there will be a move to institute an authentication protocol for Web sites and the URLs which appear in browsers' address bars.

"We might respond with a SPF-like protocol for the browser, or with an authentication protocol for Web sites," he said.

Some efforts to fight phishing from within the browser have already begun. Last week, U.K.-based Netcraft released a free toolbar for Internet Explorer that shows several attributes of a site, including its location and longevity, that can help users avoid phony Web sites.

Threats also might be made to the DNS infrastructure, Chasin warned, by hackers who infiltrate the domain name servers in order to conduct massive redirects from, say, real-world banks and credit card companies to their own illegal sites. Chasin dubbed the term "pharming" to differentiate it from the one-to-one "phishing" attacks.

"Where there's insecurity in the infrastructure, and when there's an economic motivation, criminal gangs with lots of time and opportunity and sophistication can pull off a digital heist like this. It's wouldn't be all that difficult."

Other trends predicted for 2005 -- other than a continuing plague of spam -- include workable solutions for the need to encrypt messages sent between enterprises, said David Ferris, and a move by companies into their second-generation of anti-spam solutions in order to improve on junk mail filtering for workers' mailboxes.