AL-2004.10 -- AUSCERT ALERT -- Bogus Banking Email Allows Trojan Infection for Outlook Users

Date: 04 April 2004
Original URL: http://www.auscert.org.au/render.html?cid=2998&it=3981
References: AU-2004.007

-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2004.10 -- AUSCERT ALERT
Bogus Banking Email Allows Trojan Infection for Outlook Users
4 April 2004
===========================================================================
AusCERT Alert Summary
---------------------
Product:           Microsoft Internet Explorer 6
                   Microsoft Internet Explorer 5.01
                   Microsoft Internet Explorer 5.5
                   Microsoft Outlook Express 6
                   Microsoft Outlook Express 5.5
                   Microsoft Outlook Express 5
Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
                   Access Privileged Data
Access Required:   Remote
PROBLEM:
A vulnerability in Microsoft Internet Explorer and Outlook Express
is being used to trick online banking customers into visiting a
malicious web site. The vulnerability[2] allows a URL to be
spoofed by manipulating the information displayed in the status
bar using an embedded form. Ordinarily, this behaviour cannot be
achieved without scripting, so the vulnerability overrides the
protection of, and makes execution possible in the context of, the
"Restricted" zone, where scripting is disabled by default. A bogus
email message
exploiting this vulnerability is currently being heavily spammed
to Australian users.
There are at least four known variants of the same email message
- each appearing to come from a major Australian bank, with a
"From:" field likely to be a valid email address for the respective
institution to augment the deception. The body text of the message
appears to the user like this:

    Dear user!
    We are informing you that today, the amount of $XXX AUD
    has been drawn out of your account.
    Technical assistance of YYY Bank.
    http://www.ZZZ.com.au

Moving the mouse over the URL will not reveal the true destination
in the status area of the email or browser window; it will appear
the same as in the text. Clicking the link, however, will initiate
a connection to a malicious site, the impact of which could include
the downloading of a binary program and execution of malicious
commands on the user's computer. At this time AusCERT is not aware
of any available patch from Microsoft for this vulnerability. The
impact on users of this vulnerability is similar to that reported
in AA-2003.04[3].
PLATFORM:
Affects Windows platforms running Internet Explorer and Outlook
Express.
IMPACT:
Execute commands on the local computer and/or capture private
information, including the logging of keystroke commands.
MITIGATION:
AusCERT recommends that users not follow the URL in any email they
receive that has the format shown in this alert, and that they not
respond to or follow any instructions in the message. It is
advisable to remain aware of the potential for undesirable
consequences that could arise from following URLs in unsolicited
messages. In general, banking customers should always contact their
financial institution if they are unsure of the authenticity of
an unsolicited message that purports to be from their bank. More
information about online banking safety is available in
AL-2003.04[4], and users are strongly advised to reread this
document.
Users should, as ever, remain aware of the danger of opening
unsolicited email attachments and review the advice in the article
"Protecting your computer from malicious code"[1].
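
As an added illustration (not part of the AusCERT alert), a mail gateway can check HTML message bodies for the two traits described under PROBLEM: link text that shows one host while the link goes to another, and a form embedded in the message. The rule names, the `audit` function and the sample body are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)  # text the reader takes for a URL

def host(url):
    """Lower-cased host of a URL, or '' if it has none or cannot be parsed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

class LinkAudit(HTMLParser):
    """Collects (rule, shown_host, destination_host) findings for one HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._href, self._text = None, []  # open <a> destination, its visible text

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "form":
            # A form can send the click to a target the status bar never shows.
            self.findings.append(("form-in-mail", "", host(attrs.get("action") or "")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            dest = host(self._href)
            for shown in URL_RE.findall("".join(self._text)):
                if host(shown) != dest:
                    self.findings.append(("text-dest-mismatch", host(shown), dest))
            self._href = None

def audit(html_body):
    parser = LinkAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample body; hosts are reserved documentation names and addresses.
SAMPLE = ('<a href="http://203.0.113.7/login">http://www.bank.example</a>'
          '<form action="http://203.0.113.7/go" method="get"></form>'
          '<a href="http://www.bank.example/help">http://www.bank.example/help</a>')
```

`audit(SAMPLE)` reports the first link and the form and leaves the third, consistent link alone. Messages with findings are candidates for quarantine or for rewriting as plain text.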
REFERENCES:
[1] Protecting your computer from malicious code
http://www.auscert.org.au/render.html?it=3352
[2] Secunia Security Advisory
http://secunia.com/advisories/11273
[3] AusCERT Advisory AA-2003.04
http://www.auscert.org.au/render.html?it=3680
[4] Advisory Alert AL-2003.04
http://www.auscert.org.au/render.html?it=2909
- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained
in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQHACgyh9+71yA2DNAQH6SgP/ZCuWiLmkCuglO2ngYJ9uIFRNVDFk0voD
J3KKdoLIESv+tHVdNVYslSwu7WPVMW3AlP1fju2dd0+VA0Cb9/VVUjWwtR309X0C
kdU0DyWCAWVv5R4nYi7YfGUmFF0BPKndyDo77mchfgjChAk/VlP5GYcA8iYmPECu
hlqaTbpNjdg=
=OyrJ
-----END PGP SIGNATURE-----