Members
  • Total Members: 12816
  • Latest: t114563
Stats
  • Total Posts: 28525
  • Total Topics: 8240
  • Online Today: 833
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Economic Crisis: A Phishing and Malcode Opportunity  (Read 1960 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Economic Crisis: A Phishing and Malcode Opportunity
« on: 13. October 2008., 08:29:48 »


In the past few weeks as a flurry of global financial institutions have suffered, a lot of names have been bandied about. Some banks have merged, some banks have faltered, and some government programs have been highlighted. It turns out that this is giving some enterprising phishers and malcode authors an opportunity. They’re preying on fears and name recognition.

The latest scam I just got was a Goldun spyware delivery scheme claiming to be a statement for your account. The emails look like this:

From: Federal Deposit Insurance Corporation
 To: ???@arbor.net
 Subject: funds wired into your account are stolen                                                       

 Dear bank account owner,                                                     

 Funds wired into your account are stolen from innocent account holders
 through Identity Theft. Please check your account statement (the statement
 is attached to this letter) and contact your bank account manager.           

 Federal Deposit Insurance Corporation


The attachment has the name “statement.exe” and is a UPX packed executable with the MD5 b6883affd9296b11145f6a0dce7056c3. It drops three files:
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt

Goldun’s then try to download other malcode. This malcode has been around for a while, this is just the latest scheme to entice you to run the file.

In the past few days we’ve also seen combined phishing and malcode attacks against Wachovia, Merril Lynch, and other financial institutions. They usually use fast flux domains to host the attack. Some of the enticements are around banking changes, and these institutions have recently merged with other firms, so users may fall for the “we are upgrading our systems, please install this new SSL certificate” scheme. When you visit the site you get a phishing page and malcode dropped onto you box.

One of the Wachovia emails making the rounds right now looks like this:

WACHOVIA CORPORATION NOTICE.                                                                                                                                   

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent
failure of Wachovia. The Citigroup/Wachovia would focus on upgrading
banks' security certificates. All Wachovia customers must fill the forms
and complete installation of new Citigroup Standard digital signatures
during 48 hours. Please follow the installation steps below:                                                                                                   

Read more here>>                                                                                                                                               

Sincerely, Rodrick Baird.
 2008 Wachovia Corporation.
All rights reserved.


Here’s what this campaign’s website looks like:



We’ve been tracking these fast flux domains and will continue to do so, and we will continue to work with the anti-phishing community to identify and shut down such phishing attacks.

(Arbor Networks)


Samker's Computer Forum - SCforum.info

Economic Crisis: A Phishing and Malcode Opportunity
« on: 13. October 2008., 08:29:48 »




 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising