Monday, March 20, 2006

Websense Reports Organized Phishing Attack Targeting More than 100 Financial Institutions

Phishing attacks are becoming "smarter" and more organized. Here is a breaking alert from Websense:

Websense® Security Labs™ has received reports of a Trojan Horse which targets users of more than 100 financial institutions in the United States and Europe. Once installed on a user's machine, the malicious code checks to see if there is an active window open (either "my computer" or Internet Explorer). If one of these applications is not open, the malicious code modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (127.0.0.1).

If either of these applications is open, the behavior is different. In this case, the malicious code performs a DNS lookup to a DNS server hosted in Russia and receives an address for a website.

The address returned from that DNS server is then populated into the hosts file along with a list of target brands. If the target machine visits one of the sites in the list, the machine is redirected to a fraudulent web site on the hosted machine in Russia. This allows the attacker to change the destination address through DNS if one of the servers is taken offline.

The web server uses the hostname received to serve up pages for that particular target. There are more than 100 different phishing brands hosted on this site, all with unique pages for the particular attack.

Full alert below with screen shots:

Crimeware, Trojan redirector targeting more than 100 banks

No comments: