AL-2004.03 -- "Police investigation" Fraudulent E-mail and Malicious Web Site

Date: 16 February 2004
References: AU-2004.0013  AU-2004.0014  AL-2004.032  AU-2004.0015  ESB-2004.0720  ESB-2004.0776  


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2004.03 -- AUSCERT ALERT
      "Police investigation" Fraudulent E-mail and Malicious Web Site
                             16 February 2004

===========================================================================

Overview:

  AusCERT has become aware of an e-mail with the subject "Police
  investigation" circulating in Australia and overseas which is used to
  entice the reader to visit a malicious web site.  This web site contains
  executable Java code which, if successfully executed, will install a
  trojan program which in turn captures keystrokes when the user visits
  particular banking related web sites.

Vulnerability:

  This malicious web site attempts to exploit a vulnerability in the
  Microsoft Virtual Machine (VM) [1], for which Microsoft released a
  patch on April 9, 2003 with security bulletin MS03-011 [2].

Mitigation:

  Installing the patch described in Microsoft security bulletin
  MS03-011 [2] will protect a computer from ByteCode attacks such as the
  one used by this malicious web site.  Additionally, all major
  anti-virus updates prior to September 2003 have contained signatures for
  this malicious code [3].

Exploit Details:

  The e-mail currently circulating appears as:

    ---
    Subject: Police investigation

    Hello...

    It has come to my attention that you are being under the police investigation.
    Is that true? Have you really committed such crimes?

    Please read the following article located at:

    (*Note: malicious web sites removed by AusCERT*)
    ---
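  As an added example (not part of the AusCERT alert), the following
  mail-gateway check flags messages matching the lure above: the subject,
  the characteristic phrases and an embedded link must all be present
  before a message is quarantined.  The sample message is constructed and
  its URL is a placeholder, not one of the sites removed from the alert.

```python
"""Gateway check for the "Police investigation" lure (added example, not AusCERT code)."""
import re
from email import message_from_string

LURE_SUBJECT = "police investigation"
LURE_PHRASES = (
    "under the police investigation",
    "have you really committed such crimes",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample mirroring the structure quoted in the alert; the URL is a placeholder.
SAMPLE_MAIL = """From: sender@example.invalid
To: victim@example.invalid
Subject: Police investigation

Hello...

It has come to my attention that you are being under the police investigation.
Is that true? Have you really committed such crimes?

Please read the following article located at:

http://malicious.example.invalid/article.html
"""


def _body_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw):
    """Return which lure indicators a raw RFC 822 message matches and a quarantine verdict."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    lowered = body.lower()
    hits = {
        "subject": LURE_SUBJECT in (msg.get("Subject") or "").lower(),
        "phrases": [p for p in LURE_PHRASES if p in lowered],
        "urls": URL_RE.findall(body),
    }
    # Require all three indicators so a legitimate mail with one matching word is not held.
    hits["quarantine"] = hits["subject"] and bool(hits["phrases"]) and bool(hits["urls"])
    return hits
```

  Matching on the subject alone is brittle, since later iterations of the
  campaign may change it; the phrase and link checks carry most of the weight.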

  The trojan program will capture the user's keystrokes and send them out
  via e-mail when the title bar of the web browser contains any of the
  following text:

    Westpac
    Bendigo
    commbank
    Commonwealth
    NetBank
    Citibank
    Bank of America
    EVOCash
    INTGold
    PayPal
    BankWest
    National Internet Banking
    CIBC
    ScotiaBank
    Bank of Montreal
    RoyalBank
    TD Canada Trust
    TD Waterhouse
    President's Choice
    suncorpmetway
    Macquarie
    GoldMoney
    HyperWallet
    Wells Fargo
    Bank One
    CAIXA
    SunTrust
    Discover Card
    Washington Mutual
    Wachovia
    Chase

  This is a partial list covering the majority of the banking web sites
  involved; however, it is possible that future iterations of this code
  may target other web sites.


References:

  [1] - http://www.microsoft.com/mscorp/java/
  [2] - http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
  [3] - http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
      - http://www3.ca.com/virusinfo/virus.aspx?ID=36725
      - http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100261
      - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_BYTEVER.A
      - http://www.sophos.com/virusinfo/analyses/trojbyteveria.html
  [4] - http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=55

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication. 
However, the decision to follow or act on information or advice contained in 
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================