News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: "Social Engineering" and "Phishing"...  (Read 34905 times)
« Reply #75 on: February 10, 2006, 16:51:29 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7374



FYI...

Phishing Alert: Adobe
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=422
February 10, 2006
"Websense® Security Labs™ has received reports of a new phishing attack, using the brand name of Adobe Systems Incorporated. Users receive a spoofed email that provides a link to the phishing website, which is designed to mimic the Adobe online store. Users are given the option to buy and download Adobe products at substantially discounted rates. The site has links to awards hosted locally, which supposedly prove its veracity. When checking out, the user is prompted for credit card information.

This phishing site is hosted in China and was up at the time of this alert."

(Phishing screenshot available at the URL above.)

 Shocked
Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #76 on: February 22, 2006, 10:31:42 »
AplusWebMaster Offline

FYI...

Antiphishing.org Trend Report
- http://isc.sans.org/diary.php?storyid=1141
Last Updated: 2006-02-22 18:00:24 UTC
"In case you've missed it, the Anti-Phishing Working Group have published their latest (December 05) trend report a couple of days ago. Interesting as always. See:
- http://www.antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf "


.
« Reply #77 on: February 24, 2006, 06:05:52 »
AplusWebMaster Offline

FYI...

Increased deployment of Phishing Kits
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=433
February 23, 2006
"Websense® Security Labs is seeing a significant increase in the number of Phishing kits used to host multiple target brands on a single host and deploy similar attack code on several machines. Currently the most popular is being referred to as the "Rock Phish Kit". The kit appears to have surfaced around November of 2005, but the frequency of its use is growing.
* Sites often use either an IP address or a fraudulent domain name.
* Sites usually have /rock/ or /r/ in the URL path, followed by an alpha character.
* Quite often the letter after the /r/ matches the target name (e.g., ...www.samplerockphish.com/r/b = barclays).
* Sites are usually hosted in Asia.
* Sites use the same PHP script to post the data.
* Sites often use JavaScript tricks to replace the browser toolbar and disable keyboard functions such as Cut and Paste.
...we have included screenshots from a recent site that was hosting 6 target brands.
/a/ -> Alliance & Leicester
/b/ -> Barclays
/c/ -> Citibank
/d/ -> Deutsche Bank
/e/ -> eBay
/h/ -> Halifax ..."

(Screenshots available at the URL above.)

.
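A way to hunt for the URL traits listed in the Websense alert above in proxy or mail-gateway logs, as an added example that is not part of the original post or the alert. The function names and the sample URLs are constructed for illustration (192.0.2.0/24 is a documentation range); the match is a heuristic, since the alert says the kit "usually" uses these paths.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# "/rock/" or "/r/" followed by a single letter that ends the path segment.
KIT_PATH = re.compile(r"/(?:rock|r)/([A-Za-z])(?:/|$)")

def is_ip_literal(host):
    """True when the host is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def kit_candidates(urls):
    """Map host -> (sorted letters seen after /r/ or /rock/, host is an IP)."""
    letters = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        m = KIT_PATH.search(parts.path)
        if parts.hostname and m:
            letters[parts.hostname].add(m.group(1).lower())
    return {h: (sorted(s), is_ip_literal(h)) for h, s in letters.items()}

def multi_brand_hosts(urls, minimum=2):
    """Hosts with several single-letter directories: many brands on one host."""
    hits = kit_candidates(urls)
    return sorted(h for h, (s, _) in hits.items() if len(s) >= minimum)

# Constructed sample of logged URLs (not real indicators).
SAMPLE_URLS = [
    "http://192.0.2.10/r/b/index.php",
    "http://192.0.2.10/r/c/",
    "http://192.0.2.10/rock/e",
    "http://www.samplerockphish.com/r/b",
    "http://news.example/reviews/rock/album.html",   # ordinary path, no match
    "http://shop.example/r/about",                   # more than one letter
]

if __name__ == "__main__":
    for host, (seen, ip) in kit_candidates(SAMPLE_URLS).items():
        print(host, seen, "IP host" if ip else "domain host")
    print("multi-brand:", multi_brand_hosts(SAMPLE_URLS))
```
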
« Reply #78 on: March 18, 2006, 05:15:54 »
AplusWebMaster Offline

FYI...

Phishing Alert: Career Builder
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=445
March 14, 2006
"Websense® Security Labs™ has received reports of a new phishing attack that targets members of CareerBuilder.com. Users receive a spoofed email message, which claims that their account information must be verified due to unauthorized access. The message provides a link to a phishing website. Users who visit this website are prompted to enter personal information. This phishing site is hosted in the Republic of Korea and was down at the time of this alert.

Phishing Email:

Dear < e-mail removed >,
We recently noticed one or more attempts to log in to your Careerbuilder account from a different IP address.
If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you did not initiate the log ins, please visit Careerbuilder as soon as possible to check-up your account information:
< URL REMOVED >
Thanks for your patience.
Sincerely, Careerbuilder
Please do not reply to this e-mail. Mail sent to this address cannot be answered..."

(Phishing screenshot available at the Websense URL above.)

.
« Reply #79 on: March 20, 2006, 09:31:48 »
AplusWebMaster Offline

FYI...

Malicious Website/Code: Trojan targeting more than 100 banks
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=447
March 19, 2006
"Websense® Security Labs™ has received reports of a Trojan Horse which targets users of more than 100 financial institutions in the United States and Europe. Once installed on a user's machine, the malicious code checks to see if there is an active window open (either "my computer" or Internet Explorer). If one of these applications is not open, the malicious code modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (127.0.0.1).
If either of these applications is open, the behavior is different. In this case, the malicious code performs a DNS lookup to a DNS server hosted in Russia and receives an address for a website. The address returned from that DNS server is then populated into the hosts file along with a list of target brands. If the target machine visits one of the sites in the list, the machine is redirected to a fraudulent web site on the hosted machine in Russia. This allows the attacker to change the destination address through DNS if one of the servers is taken offline.
The web server uses the hostname received to serve up pages for that particular target. There are more than 100 different phishing brands hosted on this site, all with unique pages for the particular attack."

(Screenshots available at the Websense URL above.)

.
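A check for the hosts-file tampering described in the alert above, as an added example that is not part of the original post or the alert. It separates the two behaviours the alert describes (entries pointed at localhost versus entries pointed at a remote address); the watch list, function names and sample file are constructed, using placeholder domains and documentation-range addresses.

```python
import ipaddress
from collections import defaultdict

def audit_hosts(text, watched):
    """Return [(name, ip, kind)] for hosts entries that override a watched domain."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # not a valid hosts entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in watched):
                local = ip.is_loopback or ip.is_unspecified
                findings.append((name, str(ip), "blackhole" if local else "redirect"))
    return findings

def shared_redirect_ips(findings, minimum=2):
    """Remote addresses that several watched names point at: one server, many brands."""
    by_ip = defaultdict(list)
    for name, ip, kind in findings:
        if kind == "redirect":
            by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= minimum}

# Constructed sample hosts file and watch list (placeholders, not real indicators).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   www.bank-one.example      # pointed at localhost
203.0.113.7 online.bank-two.example bank-two.example
192.0.2.50  intranet.corp.example
"""
WATCHED = {"bank-one.example", "bank-two.example"}

if __name__ == "__main__":
    found = audit_hosts(SAMPLE_HOSTS, WATCHED)
    for entry in found:
        print(entry)
    print(shared_redirect_ips(found))
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`.
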
« Reply #80 on: March 25, 2006, 18:57:55 »
AplusWebMaster Offline

Phishing attacks hit record highs...

Per the APWG January report*, there were 17,877 unique phishing reports, and 9,715 unique phishing websites.

* http://www.antiphishing.org/reports/apwg_report_jan_2006.pdf



.
« Reply #81 on: March 29, 2006, 13:58:23 »
AplusWebMaster Offline

FYI...

Hackers Tap Banks' Web Sites In Unique Phishing Attack
- http://www.techweb.com/article/printableArticle.jhtml?articleID=184401079&site_section=700028
March 29, 2006
"In an unusual form of phishing, hackers cracked the computers hosting the Web sites of three Florida banks, redirecting banking customers to a bogus homepage in order to steal account information and other personal data. ElectroNet Intermedia Consulting, the Tallahassee, Fla., service provider that hosts the sites of Capital City Bank, Wakulla Bank and Premier Bank, told the Tallahassee Democrat newspaper that the scam was spotted within an hour after it started March 21, and the sites were shut down for a short period. The Florida Department of Law Enforcement was investigating the case, and no arrests had been made. Neither the FDLE nor ElectroNet were immediately available for comment. The incident marked a new tactic in phishing, a form of deception in which crooks use spam to lure people to bogus banking sites to enter passwords and other personal information, said John Quarterman, chief executive of Austin, Texas-based, InternetPerils Inc., which tracks Internet scams...
The hackers entered two servers running Microsoft Internet Information Services and planted the script needed to redirect people from the banks' legitimate sites to a bogus one. "This new scam is like phishing without the intervening electronic mail step," Quarterman said. "Because it is the bank's own Web (hosted, in this and no doubt many other cases) server that is compromised, the customer has even less reason to suspect anything amiss"..."

.
« Reply #82 on: April 05, 2006, 12:01:09 »
AplusWebMaster Offline

FYI...

Malicious Code: New Trojan Banker Technique
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=458
April 05, 2006
"Websense® Security Labs™ has received reports of a Trojan Horse that uses a new technique to steal financial account information. The Trojan monitors Microsoft® Internet Explorer and waits for the user to visit one of a dozen financial websites. Once the user begins the logon process, the Trojan creates a pop-up window to replace the actual logon page. These pop-up windows are customized for each website and designed to spoof the appearance of the legitimate logon page. Account information entered into these pop-up windows is captured and emailed to the attacker.
This Banker Trojan has currently not been assigned a name by any anti-virus vendors..."

(Screenshots are available at the URL above.)

.
« Reply #83 on: April 26, 2006, 04:35:05 »
AplusWebMaster Offline

FYI...

Phishers Snare Victims With VoIP
- http://www.techweb.com/article/printableArticle.jhtml?articleID=186701001&site_section=700028
April 25, 2006
"A security firm on Tuesday reported discovering a phishing scheme in which the scammers used Internet telephony to copy a bank's automated voice system in order to steal customers' passwords, account numbers and other personal information. In the attack that occurred last week, con artists sent spam disguised as coming from a small bank in a large East Coast city, Cloudmark Inc., a messaging security firm, said. The message asked the recipient to dial a telephone number to talk with a bank representative. The number went to an automated voice system that asked for an account number and personal identification number, or PIN, in order to access the caller's finances. The number was obtained through a regular provider of voice over Internet protocol services. There was no indication that the VoIP provider was aware of the scam, said Cloudmark, which declined to name the company and the spoofed bank. The incident reflected a mutation in the tactics used by phishers to snare victims. More traditional schemes involve spam asking the recipient to visit their bank's Web site through a link in the message. At the bogus site, the visitor is asked to input personal information. The latest scheme, however, is the first Cloudmark has seen using Internet telephony..."
- http://www.cloudmark.com/press/releases/?release=2006-04-25-2

.
« Reply #84 on: May 01, 2006, 08:34:19 »
AplusWebMaster Offline

FYI...

American Express: Beware Phony Log-In Screen
- http://www.eweek.com/article2/0,1759,1955288,00.asp?
April 28, 2006
"...In an alert posted online, the New York-based company included a screenshot of the pop-up, which tries to lure the user into entering name, social security number, mother's maiden name and date of birth. "Please note that this fraudulent activity may be the result of a computer virus and is not a part of the American Express website. If you received this pop-up box, your computer may have this virus," the company warned. Security researchers tracking malicious Internet activity say the fake pop-up is a classic example of a banking Trojan targeting specific financial institutions, even when the user is surfing on a secure, authenticated Web site..."

- http://www10.americanexpress.com/sif/cda/page/0,1641,24381,00.asp
"As an example of phishing, please note that some of our customers reported receiving the following pop-up screen while logged into our secure site. The pop-up screen is known to be a hoax..."

(Screenshot available at the AMEX URL above.)

.
« Reply #85 on: May 18, 2006, 13:25:04 »
AplusWebMaster Offline

FYI...

Phishers use url encoding to obfuscate hostnames
- http://isc.sans.org/diary.php?storyid=1342
Last Updated: 2006-05-18 20:39:00 UTC
"...Some browsers allow URL encoded host names. The impact is similar to the old (no longer working) method of using the "username:password@url" notation. So the impact is not "huge", but it's yet another trick in the phishing arsenal.
Theoretically, a host name should only contain letters A-Z, numbers 0-9 and dashes (-). In order to support foreign character sets, "IDN" is used, which uses that same set of characters to encode. For domain names, this is enforced by the registrars, but host names for existing domains are up to the user, and DNS servers typically allow "anything" (after all, DNS can be used for other things than host names).
We found that Internet Explorer, Safari and to some extent Opera will accept URL encoded host names and redirect to the "decoded" version. Further, they will allow spaces as part of host names. This is used by phishers to obfuscate URLs.
Explorer and Opera will accept the URL encoded host name, and redirect to it. But once you arrive at the page, the URL bar will show the URL in clear text.
Safari does accept URL encoded host names as well, but will NOT decode it as you arrive at the destination page.
Firefox refuses to use URL encoded host names.

Simple sample to test (not clickable, copy&paste):
http://www.paypal.com%20cgi-bin%20webscr%64%73%68%69%65%6c%64.%63%6f%6d
or try a host name with space vs. without (less of an issue as you would have to control DNS for the domain to use it)
http://www .securewebbank.com (vs. http://www.securewebbank.com )
URL encoding is only supposed to be used after the host name to encode the file name and the GET parameters.

Suggested defenses:
Inform users about this problem.
Audit DNS caches to see if users asked to resolve such a host name.
Audit proxy logs for such domains, and filter if possible."

.
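One way to carry out the "audit proxy logs" defense from the diary entry above, as an added example that is not part of the original post or the SANS diary. It inspects only the host part of each logged URL and reports percent-encoding, whitespace, and the older userinfo trick; the function names and sample URLs are constructed (the first two are the test strings quoted in the post), and IPv6 literals are assumed not to occur.

```python
import re
from urllib.parse import unquote

# scheme://authority, where authority runs to the first "/", "?" or "#".
AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

def audit_host(url):
    """Return (decoded_host, reasons); reasons is empty when the host looks normal."""
    m = AUTHORITY.match(url)
    if not m:
        return None, ["no host component"]
    authority, reasons = m.group(1), []
    if "@" in authority:                      # the older username:password@ trick
        reasons.append("userinfo before host")
        authority = authority.rsplit("@", 1)[1]
    host = re.sub(r":\d*$", "", authority)    # drop an optional :port
    if "%" in host:
        reasons.append("percent-encoded host")
    decoded = unquote(host)
    if any(c.isspace() for c in decoded):
        reasons.append("whitespace in host")
    other = sorted({c for c in decoded
                    if not c.isspace() and c not in "-."
                    and not (c.isascii() and c.isalnum())})
    if other:
        reasons.append("unexpected characters: " + "".join(other))
    return decoded, reasons

def flag_urls(urls):
    """Keep only the URLs whose host part needs a second look."""
    out = []
    for url in urls:
        host, reasons = audit_host(url)
        if reasons:
            out.append((url, host, reasons))
    return out

# Constructed proxy-log URLs; the first two are the test strings from the post.
SAMPLE_URLS = [
    "http://www.paypal.com%20cgi-bin%20webscr%64%73%68%69%65%6c%64.%63%6f%6d",
    "http://www .securewebbank.com/",
    "http://www.securewebbank.com/login?next=%2Fhome",
    "http://www.securewebbank.com:login@host.example/",
]

if __name__ == "__main__":
    for url, host, reasons in flag_urls(SAMPLE_URLS):
        print(f"{host!r}: {', '.join(reasons)}  <- {url}")
```

Percent-encoding after the host name, as in the third sample URL, is normal and is not flagged.
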
 