Archive for February, 2007

The National Credit Union Administration (NCUA) Board has scheduled a special closed Board meeting for February 23, 2007, at 10 a.m.

Peer average ratios for December 2006 are now available

Federally insured credit unions reported solid asset growth as lending continued to expand and the yield on loan income grew 15.45 percent according to year-end 2006 call report data submitted by the nation’s 8,362 federally insured credit unions.

Websense® Security Labs™ has received reports of a phishing attack that targets users of Party Poker. Users receive a spoofed email message which claims that a new online gambling law will be passed, and that they must log in to their account to view the impact on Party Poker users. The email provides a link to a phishing site that attempts to collect personal and account information.

This phishing site is hosted in the United States and was up at the time of this alert.

Phishing email text:

Party Poker news!!!

Dear poker player,
Information for US and all over the World based customers on the passing of the ‘Unlawful Internet Gambling Enforcement Act of 2006’. On September 30, 2006, the United States Congress passed The Safe Port Act.

That measure also contained certain provisions known as the ‘Unlawful Internet Gambling Enforcement Act of 2006’. On October 2, 2006, Party Gaming made an announcement regarding the impact the act would have on business when, as expected, it is signed into law.

Please update your username:

<URL REMOVED>

Information About deposit:
Does not accept US accounts! Deposit options: VISA, MasterCard, NETeller, FirePay, Western Union, eChecks (by iGM-Pay), bank draft, cashier’s check, money order, check.
Cash out options: NETeller, wire transfer, check, eChecks (by iGM-Pay).
Party Poker +1 (866) 604-7794 (Toll free for US and Canada only) +350 41120 (International rates apply) <URL REMOVED>

Phishing site screenshot:

Websense Security Labs(TM) has received reports of new malicious websites designed to install Trojan Horse bots that allow attackers to compromise end-user banking credentials for more than 50 financial institutions and ecommerce websites.

The websites are hosted in Germany, England, and Estonia, and appear to use round-robin DNS: each name resolves to five unique IP addresses that rotate on every lookup. Each site hosts the same exploit code, which attempts to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without any end-user interaction.

When end-users visit the site, they are directed to one of the five servers. If the end-user machine is vulnerable, a file called “iexplorer.exe” is downloaded and run. The site displays a simple page saying that the server is temporarily busy and suggests that the user shut down any firewall and antivirus software. The “iexplorer.exe” file then downloads and installs five additional files from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll

The server in Russia also acts as a bot controller, allowing the attacker to control the infected machines remotely. Additional files can be uploaded or downloaded, and new phishing attacks can be added. Several attack-success statistics are recorded, and the bot controller also has a database query interface that gives the attacker a simple search/query interface for additional information.

Once the DLLs are installed and loaded, whenever the end-user connects to one of more than 50 financial institutions or ecommerce websites, the code transparently replaces some of the HTML within the page and posts the end-user’s logon credentials to the server in Russia. At the time of this alert, the statistics showed more than 1000 successful infections per day, with the USA and Australia leading the list.
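A defender-side check for the chain described above, as an added example that is not Websense code: it scans constructed, simplified Sysmon-style process-create and image-load records (the CSV columns are an assumption) for the look-alike “iexplorer.exe” and for loads of the five DLL names given in the alert, and reports per host whether the full chain was observed.

```python
"""Scan constructed endpoint log lines for the iexplorer.exe + five-DLL chain.
Added example (not Websense's code). Log format is an assumed, simplified
Sysmon-like CSV: event,host,process,image."""
import csv
import io

# Filenames quoted in the alert (compared case-insensitively).
DROPPED_DLLS = {"iemod.dll", "iegrabber.dll", "iefaker.dll",
                "certgrabber.dll", "psgrabber.dll"}
DROPPER_EXE = "iexplorer.exe"   # look-alike of the legitimate iexplore.exe

# Constructed sample log: ws-01 is clean, ws-02 shows the full chain,
# ws-03 shows only a grabber DLL load (partial evidence).
SAMPLE_LOG = """event,host,process,image
ProcessCreate,ws-01,explorer.exe,C:\\Program Files\\Internet Explorer\\iexplore.exe
ImageLoad,ws-01,iexplore.exe,C:\\Windows\\System32\\mshtml.dll
ProcessCreate,ws-02,iexplore.exe,C:\\Windows\\Temp\\iexplorer.exe
ImageLoad,ws-02,iexplore.exe,C:\\Windows\\System32\\IEGrabber.dll
ImageLoad,ws-02,iexplore.exe,C:\\Windows\\System32\\CertGrabber.dll
ImageLoad,ws-03,svchost.exe,C:\\Windows\\System32\\iefaker.dll
"""


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan(log_text):
    """Return (host, kind, filename) findings for dropper runs and DLL loads."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        name = basename(row["image"])
        if row["event"] == "ProcessCreate" and name == DROPPER_EXE:
            findings.append((row["host"], "dropper", name))
        elif row["event"] == "ImageLoad" and name in DROPPED_DLLS:
            findings.append((row["host"], "grabber-dll", name))
    return findings


def summarise(findings):
    """Per host: 'full-chain' if both dropper and a grabber DLL were seen."""
    kinds_by_host = {}
    for host, kind, _name in findings:
        kinds_by_host.setdefault(host, set()).add(kind)
    return {host: ("full-chain" if {"dropper", "grabber-dll"} <= kinds else "partial")
            for host, kinds in kinds_by_host.items()}


if __name__ == "__main__":
    for host, verdict in summarise(scan(SAMPLE_LOG)).items():
        print(host, verdict)
```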

This does not appear to be related to the Australian Prime Minister malicious code links reported here:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=741


Website Message:

Bot Controller Screenshots:

Good Security Habits

Websense® Security Labs™ has received reports of a phishing attack that targets users of MoneyBookers. Users receive a spoofed email message, which claims that they must log in to their account in order to collect a payment for an item sold. The email provides a link to a phishing site that attempts to collect personal and account information.

This phishing site is hosted in the United States and was up at the time of this alert.

Phishing email text:

Dear,
Greetings from moneybookers.com! We would like to inform you that you have received a payment from < E-MAIL REMOVED >
 
Payment details  

Amount: EUR 20.00
ID: xxxxxxx
Subject: Gift Bet365
Note: Bonus
 
Your money is waiting for you in your moneybookers account. Login to account

We hope you enjoy your cash.
 
Moneybookers Security Reminders  

Protect Your Password
Moneybookers and its representatives will NEVER ask you to reveal your password. There are NO EXCEPTIONS to this policy. If anyone asks for your password by phone or by email, or on any website other than moneybookers.com, refuse and immediately report this to service @moneybookers.com

Access your account ONLY using the login link on the Moneybookers homepage
Please be advised that Moneybookers and its representatives will NEVER send you an email asking you to provide your login details within a form provided or to click on a hyperlink to access your account! Immediately report any incident to service @ moneybookers.com

Case Sensitive Login
Please remember your password is case-sensitive, at least 6 characters long and contains at least one number or non-alphabetic character such as ‘-’.

Phishing Screenshot:

The National Credit Union Administration (NCUA) today assumed control of the operations of Huron River Area Credit Union, a state-chartered, federally insured credit union serving individuals working primarily in the Ann Arbor, Michigan, area.

Websense Security Labs™ has received reports of a Trojan related to a mass-distributed email claiming that the Australian Prime Minister had suffered a heart attack.

The Trojan is made up of several different components. It monitors all of the user’s web page accesses and keeps track of them, keylogging everything the user does, and it contains a dedicated module used for phishing. At the time of this alert there were more than 2500 infected victims. The affected banks are:

Westpac (Australia)
Kasikorn Bank (Thailand)
Banco de Valencia (Spain)
Commonwealth Bank (Australia)
BBVA (Spain)
Caja Madrid (Spain)
Bank of America (USA)
Unicaja (Spain)
Wells Fargo (USA)
Sparkasse (Germany)
Deutsche Bank (Germany)
Gad (Germany)
Commerz Bank (Germany)
Post Bank (Germany)

It also installs a web server on the affected machine, which allows the attacker to access that machine whenever it is online. To do so, the attacker has a control panel listing all of the infected machines, including IP address, country, the ports that can be used to reach the machine over different protocols, and even a link to Google Maps that pinpoints where that IP address is located.

We thank the AusCERT for providing the sample.

Google Maps Infection Locator:

Attackers Statistics Page: