Posted on 11/05/2004 10:45:06 AM PST by crushelits
You know all about phishing scams, right? You know better than to click on a Web link embedded in an e-mail that purports to be from your bank, or to reply to messages requesting your user name and password. But if you think that's enough to protect yourself, think again.
A phishing scam currently spreading online works without your ever having to click on a link; all that's required to activate the scam is for you to open an e-mail. And, many security experts warn, this threat may be a sign of things to come.
"This style of attack is new and old at the same time. It's a common approach that virus writers take, but it's new with regard to phishing attacks," says Jim McGrath, senior director of security management products for NetIQ. "Phishers are trying to use the techniques that have been very successful for virus writers. It's a new and dangerous trend."
The current phishing scam, which has been labeled JS/QHosts21-A by antivirus vendor Sophos, is an example of this kind of blended threat. In this case, the scam involves a Trojan horse that combines with an ActiveX vulnerability in Windows to install itself on your machine invisibly, without warning.
According to Sophos, JS/QHosts21-A arrives in an HTML e-mail that displays the Google Web page. If you have enabled scripting on your PC (Internet Explorer and Microsoft's Outlook and Outlook Express e-mail clients enable scripting by default) and you have ActiveX security settings configured too low (or if you are running an out-of-date and/or unpatched version of Windows), the Trojan horse installs itself on your PC.
The Trojan horse then makes changes to the Hosts file, a component of Windows that your browser first looks to when it converts a domain name that you enter (such as "www.pcworld.com") into the IP address it needs to load a Web page.
By entering an IP address of the fraudster's choosing into your PC's Hosts file, and associating it with the names of bank Web sites, the phisher can force your browser--any browser, not just Internet Explorer--to go to a fake Web site that may look like your bank's, but isn't.
Then all they have to do is get you to log in, and the phisher has your username and password.
"These next-generation phishing scams don't use traditional methods, they don't try to lure you with an e-mail," says Graham Cluley, a senior technology consultant with Sophos antivirus. "Instead, they infect you with a Trojan, wait for you to visit a banking site, and then a keylogger grabs your password."
Under normal circumstances, most people do not have any IP addresses listed in their Hosts file, but the file exists just in case you might need to use it. And because most PC users are unfamiliar with the workings of the Hosts file, unless you're running special software that monitors the Hosts file for changes, you may never know it has been changed until it's too late.
JS/QHosts21-A has been seen in very low numbers in the wild, and currently is targeting banks only in Brazil, says Sophos's Cluley. He also notes that any up-to-date antivirus software should be able to catch the file. So why is it worth your attention? Because many security experts expect it--and other, more advanced threats--to wash up on U.S. shores soon.
"For the last few months, we've seen a growth in similar behavior," he says. "Unlike the rather crude rewriting of the Hosts file, which redirects you to a bogus site [which is what JS/QHosts21-A does], Brazilian hackers have been creating an army of Trojans designed to wait until you visit the real, bona fide banking Web site."
Once you visit a banking site, these Trojan horses spring into action. They launch a keylogger that captures your user name and password, and they also collect screen shots of the activity on your PC.
"In other words, no bogus Web site needs to be created at all (less hassle for the hackers, and less chance of there being clues in the creation of the bogus Web site), and they rely on users doing exactly what we tell them to do--visit the real, legitimate Web site," Cluley says.
So far, these threats have focused on three Brazilian banks--Bradesco, Caixa, and Unibanco--and their customers in Brazil, Australia, and the United Kingdom, Cluley says, but he expects them to target U.S. users soon. "It may only be a matter of weeks away from targeting U.S. customers," he says.
Alex Shipp, senior antivirus technologist with MessageLabs, the company that discovered the JS/QHosts21-A threat (though Sophos is the only company referring to it by that name), agrees that the threat is likely to spread. "Right now, phishers are trying this technique out to see how well it works," he says. "If it works in Brazil, we'd expect to see it move all around the world within a month."
The good news for users is that these threats--like all phishing scams--are preventable. Experts recommend running antivirus software and updating it frequently, as well as installing a personal firewall.
To prevent the Trojan horse from attacking, PC users should keep their versions of Windows and Internet Explorer up-to-date with Microsoft's security patches, and consider using an alternative browser. However, it's important to note that once your computer has been compromised, the modified Hosts file will affect any browser you use on the infected PC, not just Internet Explorer.
If you've already been infected with JS/QHosts21-A, you may need to manually change your Hosts file back to its original format, says Dave Jevans, chair of the Anti-Phishing Working Group. If you're running Windows XP, you can modify the file (which is located at C:\WINDOWS\system32\drivers\etc\hosts) by opening it with a text editor, such as Notepad, WordPad, or Microsoft Word. For the JS/QHosts21-A exploit, the following entries will be visible in the file, Jevans says:
200.155.4.45 www.unibanco.com.br
200.201.166.200 www.caixa.com.br
200.155.100.225 www.bradesco.com.br
If you see those entries, delete them, save the file, and reboot your system, he says.
In addition to highlighting new methods that phishers are using, these threats are exposing the poor security in place at the Web sites of many banks and financial institutions, experts agree.
"If your bank is using a static user name and password, that's like leaving the key to your house under your doormat," says Jochem Binst, director of communications for Vasco data security. "Using static passwords online is just not secure enough anymore."
A system reportedly in use by many banks across Europe, two-factor authentication, seems to successfully thwart phishing, keystroke logging, and other attacks that steal passwords.
In addition to a user name and password you create, "you just get a list of passwords from the bank, which you can use once," says reader Jeroen Hoekstram, who lives in Germany and uses the system with his own online bank accounts.
When you need to log in to your bank account, you simply use one of the passwords provided by the bank, in addition to your own user name and password. After the first time a bank-provided password gets used, it cannot be used again, so even if your information is successfully phished, it is of no use to the scam artist who gets it.
"The system seems cheap and reliable, and indeed avoids the worries of malicious software," Hoekstram says. "Interestingly," he adds, "I use Citibank in Germany, and they use this system. I am curious why they would not use it in the U.S."
"Consumers should lobby their banks for better security. It's astonishing how many banks are still asking you to use the same password every time you log in," says Cluley. "They do it because it's cheaper and easier for them. For proper security, you'd have a password that changes every time you log in."
Some companies in the United States are adopting two-factor authentication, but no banks have signed on as yet. America Online, notably, allows users to log in via RSA Data Security's SecureID Key Fob, which displays a six-digit code that changes every minute. Microsoft added broad operating system support for SecureID into Windows computers in an update several months ago.
"The current way most online banks are handling security is just wrong," Cluley says.
"Banks themselves need to look at how they do online banking. They're not doing much today to protect the end consumers. I would love to see financial institutions using two-factor authentication mechanisms," McGrath says. "I'm not aware of any of the big banks who are doing this, and some are not even taking the basic steps for security, like timing out accounts," he adds.
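A small hosts-file audit for the redirection the article describes, written as an added example (not code from the article, Sophos or the Anti-Phishing Working Group): it parses hosts-file text, ignores the normal loopback and 0.0.0.0 entries, and flags any line that pins a watched bank hostname (or anything that looks like a banking domain) to a routable address. The sample file, the watch list and the banking-name pattern are constructed assumptions; point `audit_file` at the real path from the article to check a live machine.

```python
import ipaddress
import re

# Constructed sample of a tampered Windows hosts file, modelled on the three
# entries the article says JS/QHosts21-A writes (those IPs/domains are quoted
# from the article; the comment line and localhost entry are the usual header).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.invalid   # ad-blocking entry, harmless
200.155.4.45 www.unibanco.com.br
200.201.166.200 www.caixa.com.br
200.155.100.225 www.bradesco.com.br
"""

# Assumption: the defender maintains a list of hostnames that should never be
# pinned in the hosts file, plus a loose pattern for names that look like banks.
WATCHED_HOSTS = {"www.unibanco.com.br", "www.caixa.com.br", "www.bradesco.com.br"}
BANKING_PATTERN = re.compile(r"(bank|banco|caixa)", re.IGNORECASE)


def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for each usable line; comments/blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP: malformed line, ignore
        entries.append((ip, parts[1:]))
    return entries


def suspicious_entries(text):
    """Return (ip, hostname) pairs that send a watched/banking name to a routable address."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 mappings are normal (localhost, ad blocking)
        for name in names:
            host = name.lower()
            if host in WATCHED_HOSTS or BANKING_PATTERN.search(host):
                findings.append((str(ip), host))
    return findings


def audit_file(path):
    """Read a hosts file from disk and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

Any finding is a hostname your browser will resolve without ever asking DNS, which is exactly the condition the article says makes every browser on the PC redirect; removing the line and making the file read-only, as the posters below suggest, closes that path.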
I like my Macs.
Thanks!
Uh-huh.
Mac over here, too.
They still try, but I recognize one when I see it and report it.
Hate it clogging up my e-mail box, though.....
And change the file attribute to read only.
I hadn't connected to my ISP for about a week to download mail, and when I did, I had about a dozen phishing messages purporting to be their accounts department, but the text looked like it was written by a Nigerian civil servant.
Be a good idea to make your hosts file read-only
( after you've added all the urls to keep out Drudges ads..)
I never even read an email from anyone other than ones I know. I click delete. I keep up my patches and so far so good. I don't bank online.
You remind me of a guy who once said, "I'm not worried about venereal disease because I've had a vasectomy."
I don't see any similarity at all.
Well, let's try again. Two Army sergeants went to a whore house. After being serviced, the prostitute says to them, "Guys, I've got something to tell you. I've got syphilis."
Neither one of the sergeants knew what syphilis was, but it didn't sound good, so they decided to get a dictionary and look it up. The definition read "Syphilis. A disease of the privates."
"We got nothing to worry about," said one to the other. "We're Sergeants!"
If you have a point to make, then let's have it.
You know, it's always been said that Mac users are the type who need everything done for them, and they flaunt the distinction proudly. I'm not sure if the same thing applies to irony. Maybe.
I was merely trying to point out, in an amusing way, that there is no intrinsic quality about a Macintosh that protects its users from security breaches.
--- I was just making sure that you indeed were trying to insult me by implying that I am too stupid to use a "real" computer.
there is no intrinsic quality about a Macintosh that protects its users from security breaches.
On the contrary, there are quite a few qualities that protect me. The chief one being that Microsoft has no part in the OS.
I'm not even using a computer to surf, I have a direct connection into my spiral cortex with an embedded bio-Firewall (still experimental).
I know. And I thank you for the donation from your bank account - I didn't take ALL of it, though.
And I know what you're giving for Christmas !
;->
Just out of curiosity, how does the Mac O/S associate a host name, or FQDN, with an IP address?
"there is no intrinsic quality about a Macintosh that protects its users from security breaches."
Actually that is not true. It is based on BSD unix which has been open and tested to the internet for many years. Security is structured into the operating system. In fact, the root login of OS-X is completely disabled by default. And compartmentalization is a basic concept of Unix.
The fact is that if virus writers concentrated on Macintosh they would be more successful, but never on the scale they are with Windows.
True, but they'd have the advantage of dealing with an army of users who are convinced that they've nothing to worry about.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.