AL-2004.032 -- "Postcard" and "tvshop" Fraudulent E-mails and Malicious Web Sites

Date: 15 October 2004
References: ESB-2003.0277  AL-2004.024  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2004.032 -- AUSCERT ALERT
    "Postcard" and "tvshop" Fraudulent E-mails and Malicious Web Sites
                              15 October 2004

===========================================================================

- --------------------------BEGIN INCLUDED TEXT--------------------

Overview:

  AusCERT has become aware of several fraudulent e-mails, one with the subject
  of "A Thinking Of You Card for you" and one referencing "www.tvshop.com.au"
  circulating in Australia and overseas, which are used to entice the reader to 
  visit malicious web sites.  These web sites contain executable Java code and
  Internet Explorer exploits which, if successfully executed, will install a 
  trojan program which in turn captures keystrokes when the user visits
  particular banking related web sites.  They may also install programs which
  allow malicious users to take control of an infected PC.

Vulnerability:

  The malicious web sites that are linked in the emails attempt to exploit
  multiple vulnerabilities.

  The first attempted exploit targets a vulnerability in the Microsoft
  Virtual Machine (VM) [1], for which Microsoft released a patch on April 9,
  2003 with security bulletin MS03-011 [2].

  The second attempted exploit uses the JS.Dragdrop vulnerability [3] to 
  install files on to the user's machine.  This was corrected on October 12,
  2004 in Microsoft's Cumulative Security Update for Internet Explorer,
  MS04-038 [4].

  The third attempted exploit uses a vulnerability in the Windows help system
  (.chm files) to run arbitrary code.  Microsoft Security Bulletin MS02-055 [5]
  addresses this issue and has patching details.

Mitigation:

  Installation of the patches mentioned in Microsoft security bulletins
  MS03-011 [2], MS04-038 [4] and MS02-055 [5] will protect a computer against
  all three of the above mentioned vulnerabilities.  Additionally, all major
  anti-virus vendors have included signatures for the Microsoft Virtual
  Machine exploit in their updates since September 2003 [6].

  All three exploits also require user interaction: the malicious code only
  runs if the user follows a link in the e-mail.  Deleting these e-mails as
  they arrive and not clicking on any links they contain is a safe mitigation
  strategy.
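  As an added example, not part of the AusCERT alert, the following Python
  script parses the output of `wmic qfe get HotFixID` from a Windows XP-era
  host and reports which of the three bulletins above have no corresponding
  update recorded. The mapping from bulletin to Knowledge Base article number
  is supplied by the editor and is not stated in the alert; verify it against
  the linked bulletins [2], [4], [5] before relying on it. The sample wmic
  output is constructed for the example.

```python
"""Check a Windows host's installed-hotfix list for the updates that close
the three vulnerabilities in this alert (MS02-055, MS03-011, MS04-038).

Added example, not code from AusCERT. The KB numbers below are supplied by
the editor from the bulletins and should be verified against them.
"""
import re
import subprocess

# Bulletin -> Knowledge Base article number (editor-supplied; verify).
REQUIRED = {
    "MS02-055": "323255",   # Windows Help facility (.chm) code execution
    "MS03-011": "816093",   # Microsoft Virtual Machine
    "MS04-038": "834707",   # Cumulative Security Update for Internet Explorer
}

# Matches 'KB834707', 'Q323255' or a bare six/seven digit article number.
KB_RE = re.compile(r"\b(?:KB|Q)?(\d{6,7})\b")


def installed_kbs(qfe_output):
    """Parse `wmic qfe get HotFixID` text into a set of KB numbers (digits only).

    Header, blank and non-numeric lines (e.g. 'File 1' entries on XP) are
    ignored.
    """
    kbs = set()
    for line in qfe_output.splitlines():
        line = line.strip()
        if not line or line.lower() == "hotfixid":
            continue
        m = KB_RE.search(line)
        if m:
            kbs.add(m.group(1))
    return kbs


def missing_bulletins(qfe_output, required=REQUIRED):
    """Return the sorted bulletin ids whose KB is absent from the hotfix list."""
    have = installed_kbs(qfe_output)
    return sorted(b for b, kb in required.items() if kb not in have)


def query_local_host():
    """Run wmic on this machine (Windows only) and return the missing bulletins."""
    out = subprocess.run(
        ["wmic", "qfe", "get", "HotFixID"],
        capture_output=True, text=True, check=True,
    ).stdout
    return missing_bulletins(out)


# Constructed sample: two of the three updates present, MS03-011 absent.
SAMPLE_QFE_OUTPUT = """HotFixID
KB834707
Q323255
KB824146
File 1
"""

if __name__ == "__main__":
    for bulletin in missing_bulletins(SAMPLE_QFE_OUTPUT):
        print(f"missing: {bulletin} (KB{REQUIRED[bulletin]})")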

Exploit Details:

  "Postcard" email
  ----------------

  The "Postcard" email circulating is similar to:

  ---- start postcard email ----

  Subject: A Thinking Of You Card for you

  A Digital Postcards(R) Greeting from John Korhonen waiting for you at POSTCARDS.COM!

  If you have a modern e-mail program, you can go directly to your card by clicking: 

  http://Postcard.com/pickup/DP_416b029023245c15 
       
  *PLEASE* make sure your mail program has not cut the CardID # into 2 lines!! If it has,
  you need to use the Old-Fashioned method below.

  You can pick-up your postcard the old-fashioned way, by going to the following URL:

  http://postcard.com/cards/pickup.html
     
  and entering your postcard ID number:   DP_416b029023245c15 

  If postcard is not picked up within two weeks, it may be removed.

  Thank you!
  This is a free service of Digital Postcard(R)

  ---- end postcard email ----

  The subject line may also be 'You have new postcard!' or similar.

  When any of the links in the email are clicked, they go to a different Internet
  address to the ones listed, which include the following malicious websites:

  202.67.159.110:5180
  202.69.170.226:6180
  katerjake.net
  mercylane.com
  jubileereligiousgifts.com
  powerfoundation.org


  "tvshop" email
  --------------

  The "tvshop" email circulating is similar to:

  ---- start tvshop email ----
  Subject: <variable>


  ON-LINE ORDER CONFIRMATION
  Account Number: <variable>
  password: ******
  Order Number: <variable>
  Order Total: $4,490.50
  Thank you for ordering from stampcar.com, below is your order detail.
  Your order is currently being reviewed and processed. We will send you an
  e-mail confirming shipment and providing pertinent shipping information as
  soon as your order ships.
  The Following item(s) are included with this order:
  ****************
  Item : PANASONIC - TH42PHD6UY 42-IN HDTV PLASMA
  DISPLAY
  Product Code : <variable>
  Price : $4,135.00
  Quantity : 1
  Price : $4,135.00
  Subtotal $4,135.00 Shipping $355.50
  Grand Total $4,490.50
  ****************
  You can track the status of your order anytime you like (24/7) online by
  going to our website www.tvshop.com.au/order.htm and logging into your account.
  It was a pleasure to serve you and we hope you visit us again soon. If you
  have any questions, please contact us.
  Sincerely,
  Sales Department
  At tvsop

  ---- end tvshop email ----

  Clicking on the www.tvshop.com.au link actually takes you to one of a number
  malicious websites which will run the Windows help system exploit.


References

  [1] - http://www.microsoft.com/mscorp/java/
  [2] - http://www.microsoft.com/technet/security/bulletin/ms03-011.mspx
  [3] - http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=7065
  [4] - http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx
  [5] - http://www.microsoft.com/technet/security/bulletin/MS02-055.mspx
  [6] - http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
      - http://www3.ca.com/virusinfo/virus.aspx?ID=36725
      - http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100261
      - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_BYTEVER.A
      - http://www.sophos.com/virusinfo/analyses/trojbyteveria.html


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQW9tDyh9+71yA2DNAQLycQP/Ux8a1QBWfz+Y3PIMR1aT0HoUDx5n3qfC
yz8fVvheKYFWyQNenLO1tQcBMZmF5sxVqge4HMQRln3siOTfddzUlHnTzHXbDblA
QiCJaA8e8YRCT5aCCDHQSqhdK3Sk2Z/DmpqcG/uLO5bAqFz3GeJEdfKTLTwXMwkM
w3yBAC4xHQs=
=Ocnf
-----END PGP SIGNATURE-----