FYI...Phish for FTP pwd's...
December 11, 2009 - "... attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack. The attackers ask users to click on the link provided in the spam message, which will lead the users to open an “FTP access confirmation” page where the FTP credentials of the recipients are stolen. Attackers use a phishing cPanel page to do this (cPanel* is a Web hosting administration tool)... The phishing URL contains a user’s email address and the domain name of a Web hosting service provider. Once FTP credentials are entered and submitted by clicking the “Confirm FTP Access” button, users are directed to their hosting site that is specified in a “service=” tag. Example:
http ://cpanel.[removed]. me.uk/scripts/cpanel-ftp-confirmation.php?session=[removed]&email=[removed]&service=[hosting domain name]
Giving up FTP details may lead to a further loss of confidential data, the hosting of illegal websites (child pornography sites, phishing sites, etc.), and/or delivery of malware to the victim's computer by the attacker."
* http://www.cpanel.net/

Visa targeted by ZBOT phish/SPAM
December 11, 2009 - "... targeting Visa with a fake email alert that leads to a page hosting not only a Trojan-Backdoor-Zbot installer, but that performs a drive-by download as well. This is the second time in less than a month that malware distributors have targeted Visa... we saw a similar scam involving links to bunk Verified By Visa Web pages... malware distributors are using fraudulent transaction warnings as a method to infect users with a keylogger capable of stealing their credit card information when the victim enters it into a shopping Web site, but Visa doesn’t issue these kinds of warnings—the Visa-card-issuing bank warns customers of suspected fraud themselves, and they never do anything with that level of urgency via email... As in earlier iterations of this scam, Zbot isn’t just interested in transaction details or Website logins. Zbot also steals the login credentials for virtually every Windows FTP client application — the tools that Web designers and other website administrators use to upload files to Web sites. FTP logins are far more valuable, because they give the malware distributors another means to spread their code onto the Web. If you’ve been wondering why so many otherwise legitimate Web sites seem to be getting hacked, and having malicious code uploaded to Web sites belonging to small businesses, private individuals, and others, this is why: Zbot is taking those passwords, and handing them off to people who trade not only in malicious code, but in abusing the good reputations of legitimate Website owners or the people who help manage them.
Don’t be a victim: Don’t follow the link in the message. Don’t download the “statement” on the page. If you see a page that looks like the screen above*, immediately kill your browser and scan your computer for Zbot. The drive-by download component of this scam means you could be infected merely by visiting the page using a vulnerable browser. Most importantly, if you suspect a credit card fraud report email may be real, pick up the telephone and call the number on the back of your card."
* Screenshot available at the Webroot URL above.
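
The URL shape described in the first item above (the recipient's address in email=, a hosting domain in service= that the linking host does not belong to, and cPanel/FTP wording in the path) can be checked for in mail-gateway or proxy logs. The following is an added example, not code from the quoted reports; the function names and the sample URLs (on reserved .example domains) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs on reserved .example domains, not taken from the reports.
SAMPLES = [
    "http://cpanel.lure.example/scripts/cpanel-ftp-confirmation.php"
    "?session=abc123&email=alice%40customer.example&service=hosting-provider.example",
    "https://cpanel.hosting-provider.example/ftp/confirm.php"
    "?email=alice%40customer.example&service=hosting-provider.example",
    "https://news.example/article?id=7",
]

def _host_of(value):
    """Hostname from a bare domain or a full URL; '' if it cannot be parsed."""
    try:
        target = value if "//" in value else "//" + value
        return (urlsplit(target).hostname or "").rstrip(".")
    except ValueError:
        return ""

def lure_reasons(url):
    """List the traits a URL shares with the FTP-confirmation lure."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return []
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if any("@" in v for v in query.get("email", [])):
        reasons.append("recipient address in email=")
    service = _host_of(query.get("service", [""])[0])
    # The real provider's own pages live on the service domain or a subdomain of it.
    if host and service and host != service and not host.endswith("." + service):
        reasons.append("service= names a domain the host does not belong to")
    if "cpanel" in (host + parts.path).lower() and "ftp" in parts.path.lower():
        reasons.append("cPanel/FTP wording in host or path")
    return reasons

def is_lure(url):
    """Flag only when both structural traits (email= and foreign service=) occur."""
    reasons = lure_reasons(url)
    return (any(r.startswith("recipient") for r in reasons)
            and any(r.startswith("service=") for r in reasons))

def scan(urls):
    """Return the URLs from an iterable that match the lure shape."""
    return [u for u in urls if is_lure(u)]

if __name__ == "__main__":
    for u in SAMPLES:
        print(is_lure(u), lure_reasons(u), u)
```

The keyword trait is reported but not required for a match, since the script name and host label are the easiest parts of the lure to change.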
December 14, 2009