How the phishing attack
works"> The DLL, now infecting Windows Explorer, contacts a different system on the same provider network as maybeyes.biz and downloads from it an XML-based template file. This file describes the phishing spam message to be sent from the infected system and the e-mail addresses to which it should be sent. Analysis on the DLL is not complete. The message itself is a phishing message appearing to come from Citibank and asking the user to go to a specified Web site to confirm personal data or else, so the message claims, access to the users account will be blocked. The body of the message itself is not text, but an image map, presumably to make it more difficult for counter-measures to work. Instead of scanning for text in the message, patterns in or checksums of the image will have to be employed, although these are often easily defeated with slight randomization of the body of the image.Symantec says it has informed the authorities of all the details of the particular systems involved in this attack, and yet maybeyes.biz still appears to be running and hosting the infected files as of noon on Oct. 1. According to records of ARIN (American Registry for Internet Numbers) the address for the system is allocated to a D. Placek through Managed Solutions Group Inc. and is a private residence. The other specific addresses involved in the attack no longer appear to be up. Its unclear if the worm is sophisticated enough to recover and check elsewhere if the sites are down. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. Symantec believes that the attackers were not novices and had prepared this phishing system in advance, waiting for a suitable vulnerability to come along and be used as a hook for installing the phishing attack. The sophisticated multistage attack will likely reappear in improved form as the attackers learn from their experience with it. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis.
If the user clicks on the link portion of the image, he or she is brought to a Web page residing on a system belonging to a Comcast user. The page brings up a browser window in the background with the actual Citibank home page to give the appearance of legitimacy and a popup in the foreground belonging to the attacker. The popup requests personal information.