Monday, December 05, 2005

Malicious Code Used to Redirect Banking Customers to Fraud Sites

Here is an interesting but scary scam being reported by the good folks at Websense. Malicious code placed on a system appends entries to the Windows hosts file and redirects users from their financial institution to a phishing site, where their login information is stolen.

"Websense® Security Labs™ has observed an increase in phishing attacks that use modifications to the Windows hosts file to deceive users. Various exploits and social engineering tricks are used to execute malicious code that appends several entries to the Windows hosts file. These entries redirect traffic from the legitimate web addresses of several banks to the IP address of a phishing site created by the attacker. The next time the user attempts to visit one of the targeted banks, they are instead redirected to arrive at a phishing site. However, the web address shown in the browser's address bar appears to be the correct address. The logon information of the unsuspecting user is captured, as they attempt to access the site.

The example shown below targets four banks: HSBC Brazil, Banco Itau, Banco Banespa, and Bradesco. The phishing sites used in this attack are hosted in California and were online at the time of this alert."

For the full alert, along with screenshots, please read Traffic Redirection on the Websense home page.

The alert isn't specific about how the malicious code is being executed, but my guess would be via e-mail attachments. This is a new (pretty scary) twist, especially if the web address appears to be correct. Watching web addresses is a basic for those of us who are on the lookout for phishing scams. I plan to follow this carefully and will publish any additional information as it becomes available.

Until then, this is a testament to keeping your protection software up to date!
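A defender-side check for the hosts-file redirection described in the alert, as an added example that is not part of the original post or of the Websense alert: it parses hosts-file text and flags entries that map a watched banking domain to a routable address. The watchlist, the sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Names a stock hosts file normally carries (assumption for this example).
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address
        for name in fields[1:]:                   # one line may carry aliases
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watchlist):
    """Return (line_no, ip, hostname, severity) for entries overriding DNS."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue          # sinkhole entry: blocks a name, does not redirect
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append((line_no, str(ip), name, "high" if watched else "review"))
    return findings

# Constructed sample: documentation-range IPs and .example domains only.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example      # local ad blocking
203.0.113.45    www.bank.example bank.example
203.0.113.45    secure.otherbank.example # appended entry
10.0.0.12       intranet.corp.example
"""
WATCHLIST = {"bank.example", "otherbank.example"}   # hypothetical watchlist

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; any entry reported as `high` means the browser will show the correct address while connecting to the listed IP.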
