NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0061 COMPUTER SECURITY (Financial):


A recent attack that targeted online customers of at least 50 financial institutions in the US, Europe, and the Asia-Pacific region has been shut down. The attack was notable for the extra effort put into it by the hackers, who constructed a separate look-alike web site for each financial institution they targeted.

According to the security firm Websense, to be infected, a user had to be lured to a web site that hosted malicious code exploiting a critical vulnerability revealed last year in Microsoft's software. The vulnerability, for which Microsoft had issued a patch, is particularly dangerous since it requires only that a user visit a web site rigged with the malicious code. Once lured to the web site, an unpatched computer would download a Trojan horse in a file called "iexplorer-dot-exe", which then downloaded five additional files from a server in Russia. The malicious web sites displayed only an error message and recommended that the user shut off their firewall and antivirus software. If a user with an infected PC then visited any of the targeted banking sites, they were redirected to a mock-up of the bank's web site that collected their login credentials and transferred them to the Russian server.

The web sites hosting the malicious code, which were located in Germany, Estonia, and the UK, had been shut down by ISPs as of the following Thursday morning, along with their look-alike clone web sites. The attack also installed a "bot" on users' PCs, which gave the attacker remote control of the infected machine. Through reverse engineering and other special techniques, Websense researchers were able to capture screenshots of the bot controller. The controller also shows infection statistics. Websense said at least 1,000 machines were being infected PER DAY, mostly in the US and Australia.

(IDG News Service 22FEB)



Last Modified: Sunday, 04-Mar-2007 09:34:06 EST