How the phishing attack works

By Larry Seltzer  |  Posted 2004-10-01

The DLL, now injected into Windows Explorer, contacts a second system on the same provider network and downloads an XML-based template file from it. The template describes the phishing spam message to be sent from the infected system and the e-mail addresses to which it should be sent. Analysis of the DLL is not complete.

The message itself is a phishing message that appears to come from Citibank and asks the user to visit a specified Web site to confirm personal data; otherwise, the message claims, access to the user's account will be blocked. The body of the message is not text but an image map, presumably to make countermeasures harder to apply. Instead of scanning the message for text, a filter has to match patterns in, or checksums of, the image, and those matches are often easily defeated by slightly randomizing the image's contents.
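The weakness of a checksum-based filter, and the kind of tolerant matching a filter needs instead, can be shown on a constructed stand-in image. The following is an added example and not code from the article or from Symantec: it builds a synthetic grayscale "lure" as a pixel array (no real phishing image is embedded), applies the spammer's trick of nudging a few pixels by a few brightness levels, and compares an exact SHA-256 of the pixel bytes with a perceptual average hash (aHash: downscale by block averaging, then one bit per block above the mean). The dimensions, the 8x8 grid, the 6-bit match threshold and the helper names are all assumptions chosen for this illustration.

```python
"""Exact checksum vs. perceptual (average) hash on an image-only spam body.

Added illustration; the image, its dimensions and the thresholds are constructed
for this example and are not artifacts from the attack described in the article.
"""
import hashlib
import random
from typing import List

Pixels = List[List[int]]  # 8-bit grayscale, row-major

WIDTH, HEIGHT = 32, 32
GRID = 8  # aHash resolution: GRID x GRID blocks -> 64-bit hash


def make_lure_image() -> Pixels:
    """Constructed stand-in for the spam image: light background with two dark
    'text' bands. Not a real phishing image."""
    img = [[240] * WIDTH for _ in range(HEIGHT)]
    for y0, y1 in ((8, 12), (20, 24)):      # rows of dark 'text'
        for y in range(y0, y1):
            for x in range(4, 28):
                img[y][x] = 30
    return img


def randomize(img: Pixels, n_pixels: int, seed: int) -> Pixels:
    """Spammer-side evasion: nudge a handful of pixels by five levels so the
    file checksum changes while the picture looks identical to a reader."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(n_pixels):
        y, x = rng.randrange(HEIGHT), rng.randrange(WIDTH)
        out[y][x] = max(0, min(255, out[y][x] + rng.choice((-5, 5))))
    return out


def sha256_of(img: Pixels) -> str:
    """Exact checksum of the raw pixel bytes: what a naive filter would store."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: Pixels) -> int:
    """Perceptual aHash: average each block of the GRID x GRID downscale, then
    set one bit per block that is brighter than the mean of all blocks."""
    by, bx = HEIGHT // GRID, WIDTH // GRID
    means = []
    for gy in range(GRID):
        for gx in range(GRID):
            block = [img[y][x]
                     for y in range(gy * by, (gy + 1) * by)
                     for x in range(gx * bx, (gx + 1) * bx)]
            means.append(sum(block) / len(block))
    overall = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m > overall else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def matches_known_lure(candidate: Pixels, known: Pixels, max_distance: int = 6) -> bool:
    """Detection rule: treat the candidate as the known lure when the perceptual
    hashes are within max_distance bits; an exact match is not required."""
    return hamming(average_hash(candidate), average_hash(known)) <= max_distance


if __name__ == "__main__":
    original = make_lure_image()
    variant = randomize(original, n_pixels=12, seed=7)
    print("sha256 equal:     ", sha256_of(original) == sha256_of(variant))
    print("ahash distance:   ", hamming(average_hash(original), average_hash(variant)))
    print("perceptual match: ", matches_known_lure(variant, original))
```

Run as a script, the exact checksums differ while the aHash distance stays at zero, so the variant is still caught. The caveat cuts both ways: an average hash tolerates pixel noise, but it is itself defeated by larger changes such as shifting or re-laying-out the text, so in practice it is one signal to combine with others (sender reputation, the link target behind the image map) rather than a filter on its own.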

If the user clicks the link region of the image, the browser is sent to a Web page hosted on a system belonging to a Comcast user. The page opens a browser window in the background showing the real Citibank home page, to lend an appearance of legitimacy, and an attacker-controlled popup in the foreground. The popup requests personal information.

Symantec says it has given the authorities full details of the systems involved in this attack, yet the system hosting the infected files still appeared to be up and serving them as of noon on Oct. 1. According to ARIN (American Registry for Internet Numbers) records, the address of that system is allocated to a D. Placek through Managed Solutions Group Inc. and is a private residence. The other addresses involved in the attack no longer appear to be up. It's unclear whether the worm is sophisticated enough to recover and look elsewhere if those sites are down.

Symantec believes the attackers were not novices and had prepared this phishing system in advance, waiting for a suitable vulnerability to come along to serve as the hook for installing it. This sophisticated, multistage attack will likely reappear in improved form as the attackers learn from their experience with it.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
