http://s0.tx.co.nz/at/tep34i48956a4j23578s4c2312713t9f2n105484z
Wednesday, 2 June, 2004
Fraudsters plumb new depths
Paralympian donation scheme targeted by email 'phishers'
Juha Saarinen, Auckland

Internet fraudsters have never shied away from dirty tricks, but the latest scam to hit New Zealand and Aussie email inboxes plumbs new depths.

Masquerading as a message from Westpac Bank in Australia, the email solicits donations for the country's Paralympics team for the Athens games in August.

These types of scams are known as "phishes". The current one, however, is more elaborate than previous ones, which have simply employed deceptive URLs to lure email recipients to bogus websites.

Westpac is actually the official sponsor for the Paralympians and there is a legitimate request for donations, which can be seen on the bank's website.

But when Computerworld analysed the bogus message and traced it to a site hosted in the US, it noticed that a seemingly empty web page was loaded as well. The page contains encrypted JavaScript that takes advantage of an exploit for unpatched versions of Windows and attempts to download two files from the website.

The last of the two files is a variant of the "Bizex" trojan horse, according to Nick FitzGerald, an antivirus researcher and consultant in Christchurch. FitzGerald says Bizex contains what's known as a "keylogger", a small application that surreptitiously keeps track of what users type. In this case, Bizex would log users' credit card numbers as they type them in to make the donations.

This means the scammers don't need to set up bogus websites to obtain people's credit card numbers - rather they could simply direct victims to the correct payments processor and the donation would be made. The card numbers could then be used by the scammers.

Craig Hobbs, the executive director of New Zealand's Paralympics team, expressed disgust and concern at the scam.

"It's hard enough as it is to get people to donate without these things coming along and creating suspicion."

Having limited resources to organise physical fund-raising, Hobbs said that using the internet and postal campaigns was attractive for the New Zealand Paralympians, as it can reach many people cheaply.

Hobbs immediately alerted his Australian counterparts when told by Computerworld of the scam. As of writing, however, the US website is still up. Apart from the Westpac scam, the site contains advertisements for credit card "skimmers" (hand-held magnetic strip readers) and dubious-sounding online money transfer systems.

Computerworld alerted both the site hosting service and Westpac Australia to the scam, but received no reply before deadline.



Scam Alert
By Amy C. Fleitas - Bankrate.com

Pop-ups spread spying program

If you bank on the Web, beware. Sophisticated hackers have been able to watch your keyboard from afar. Various Internet security Web sites reported in late June that a complicated spyware program, currently unnamed, was attacking computers by downloading itself through pop-up ads via a hole in Internet Explorer and via infected e-mails.

Once on the infected computer, the program was designed to watch for entry onto certain banking Web sites. Then the program captured the user's keystrokes used to enter passwords and user names for the bank account and reported the keystrokes back to a scammer's Web site.

The Internet Storm Center, an early warning system set up by the SANS institute, first received a report on June 24th from a man who said the program had been downloaded to one of his company's computers.

SANS said it appears that the initial infection took place as a result of a pop-up advertisement. That particular infection was programmed to look for many banking Web sites, including Citibank.com, Deutsche-bank.de and Barclays.co.uk.

The bug targets Microsoft's Internet Explorer browsers. Microsoft reports the offending site has been shut down. That's great. But consumers must be vigilant to protect their PCs from scammer hijackings such as this one. What can you do? Microsoft says you can protect your computer by setting your browser security to "high," opening e-mail in plain-text only, adding Web sites you consider safe to "Trusted Sites" and downloading a pop-up blocker.

Other net experts suggest switching to a different browser such as Opera or Mozilla. But these browsers can also fall prey to attacks, so users should be vigilant about upgrading security patches.

At the very least, Internet Explorer users should do the following to protect their systems:

To set your security setting to high:

To add a Web site to "Trusted Sites":

To read your e-mail in plain text in Outlook: In the newest versions of Outlook, the option for plain-text can be found on the Preferences tab under Options. If you are unable to find "E-mail Options" on your Preferences tab, click on the Help tab on your menu and search for the words "plain text." It should guide you to instructions.

To download a pop-up blocker:




Phishing Scam Installs Keylogger Via Web Page
http://news.netcraft.com/archives/2004/02/16/phishing_scam_installs_keylogger_via_web_page.html

In a sign of the growing diversity of phishing scams, a new e-mail combines social engineering tricks and HTML coding to defraud victims using a keylogging program that attempts to capture banking usernames and passwords.

The latest scam, documented at Codefish Spamwatch, operates via an email with the subject "Police investigation."

Hello...

It has come to my attention that you are being under the police investigation. Is that true? Have you really commited such crimes?

Please read the following article located at:

http://federalpolice.com:article872@1075686747

or at:

http://0100.035.0255.0133

Sincerely,
Your old friend

The URLs are obscured, and actually point to http://64.29.173.91, an IP address at the Atlanta ISP Abraxis.net. Concerned e-mail recipients who follow the link encounter the message "SERVER ERROR 550" - which is actually not a server error at all, but an HTML document containing unseen background code that attempts to download a Trojan written in Java.
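
As an added example (not part of the Netcraft article), this Python sketch shows how a mail filter could undo the two tricks in the quoted links: the decoy text placed before the "@" and the single-number and octal spellings of the IP address. The function names are hypothetical; the number parsing follows the legacy inet_aton rules (0x prefix for hex, leading 0 for octal, last component fills the remaining bytes).

```python
from urllib.parse import urlsplit

def parse_ipv4_part(part):
    """Parse one host component as inet_aton does: 0x hex, leading-0 octal, else decimal."""
    if not (part.isascii() and part.isalnum()):
        raise ValueError(part)
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)

def normalize_host(host):
    """Return the dotted-quad form of a numeric IPv4 host in any legacy notation, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None  # contains letters or symbols: an ordinary hostname
    # Leading components are single bytes; the last one fills whatever bytes remain.
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def analyze_url(url):
    """Report the host a browser would really contact and which tricks the URL uses."""
    split = urlsplit(url)
    host = split.hostname or ""
    findings = []
    if split.username is not None:
        # Everything before "@" is credentials, not the destination.
        findings.append("userinfo-decoy:" + split.username)
    ip = normalize_host(host)
    if ip and ip != host:
        findings.append("obfuscated-ip")
    return {"real_host": ip or host, "findings": findings}

if __name__ == "__main__":
    # The two links quoted in the email above.
    for link in ("http://federalpolice.com:article872@1075686747",
                 "http://0100.035.0255.0133"):
        print(link, "->", analyze_url(link))
```

Both links from the email resolve to the same address the article names, and an ordinary hostname or a plain dotted-decimal address produces no findings.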

If successful, the trojan installs a keylogger program, which monitors the victim's system for a browser window bearing the title of any of a lengthy list of financial institution names, including:

When a window is opened that matches one of these titles, the trojan starts recording key strokes, stores them to a text file, and uses a built-in email system to send the contents to [email protected]. Port scans of the server being used suggest a compromised Windows box remotely controlled using the Netbus trojan, which appears to connect to an FTP server referring to "Megacrew."

This campaign's combination of social engineering, URL spoofing, a fake web page and auto-downloading trojan illustrates the growing sophistication of phishing attacks. Much like viruses and worms, phishers are now constructing "blended threats" that layer one deception upon another in an effort to trick Internet users into revealing bank account information.
