Archive for March, 2007

Websense Security Labs(TM) is actively tracking more than 100 websites that are spreading the ANI “zero-day” exploit. Proof-of-concept (POC) attack code is also now available, and we expect additional attacks to surface.

 

Currently, the majority of the attacks appear to download and install generic password-stealing code. As the graphs below show, most sites are hosted in China. Interestingly, the most popular domain space in use is .com.

Because POC code is now downloadable on the web, there is no patch from Microsoft, and some of the attackers we are tracking have infected hundreds of sites on the web, we believe that exploits will continue to surface and the numbers will get larger.

Reports out of China also indicate that a worm is now propagating using the exploit code: http://www.cisrt.org/enblog/read.php?68.

We are scanning the web and providing pre-emptive blocking for all security customers of Websense. We recommend that customers block all uncategorized websites with the .exe filter extension, because most exploits simply download a .exe from the same site that serves the exploit.
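The filtering recommendation above can be checked against web proxy logs. The following is an added example, not Websense code: the log format, the category labels, the hostnames and the 60-second window are assumptions constructed for illustration. It lists .exe requests to uncategorized hosts and marks those where the same client had just fetched other content from the same host.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log lines: epoch, client, URL, category (assumed format).
SAMPLE_LOG = """\
1175212800 10.0.0.5 http://cursors.example/page.html uncategorized
1175212802 10.0.0.5 http://cursors.example/img/a.ani uncategorized
1175212803 10.0.0.5 http://cursors.example/load/UPDATE.EXE?id=7 uncategorized
1175212900 10.0.0.8 http://vendor.example/setup.exe software-downloads
1175213000 10.0.0.9 http://files.example/tool.exe uncategorized
1175213500 10.0.0.5 http://cursors.example/readme.exe.txt uncategorized
"""

WINDOW = 60  # seconds; assumed correlation window


def is_exe(url):
    # Look only at the path so query strings and case do not hide the extension.
    return urlsplit(url).path.lower().endswith(".exe")


def evaluate(log_text, window=WINDOW):
    """Return (blocked, correlated) lists of (client, url) tuples."""
    last_seen = {}  # (client, host) -> time of last non-.exe request
    blocked, correlated = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, client, url, category = int(fields[0]), *fields[1:]
        host = (urlsplit(url).hostname or "").lower()
        if not is_exe(url):
            last_seen[(client, host)] = ts
            continue
        if category != "uncategorized":
            continue  # categorized sites are outside this rule
        blocked.append((client, url))  # the policy above would block this
        seen = last_seen.get((client, host))
        if seen is not None and ts - seen <= window:
            # Same client pulled a page from this host moments earlier:
            # the "exploit page, then .exe from the same site" pattern.
            correlated.append((client, url))
    return blocked, correlated


if __name__ == "__main__":
    for label, hits in zip(("blocked", "correlated"), evaluate(SAMPLE_LOG)):
        print(label, hits)
```
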


Mar 30

According to NCACU, credit union members are receiving automated VoIP scam calls insisting that the cardholder call a toll-free number to update important financial information. Once the toll-free number is dialed, an automated phone system asks for the card number, PIN and expiration date. VoIP lines are telephone systems that use the internet instead of traditional telephone land lines to deliver communication services. The low cost of VoIP lines and the relative ease with which they are obtained have led phishers to quickly adopt this evolving technology to attack consumers on an entirely new level.

Websense® Security Labs™ is currently monitoring an unpatched (0-day) vulnerability in Microsoft Windows. No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious website. This vulnerability exists in the way animated cursors are processed, and is very similar to MS05-002, which was patched by Microsoft in early 2005.

At this time, we are aware of 9 different sites hosting the new exploit. We will continue to monitor for any additional sites, as we expect the exploit’s usage to increase.

One of the sites involved is the same one which targeted Dolphin Stadium during the Super Bowl. It is likely that the same group is behind the current attack.

Additional details on the vulnerability are available from Microsoft Security Advisory #935423:

http://www.microsoft.com/technet/security/advisory/935423.mspx

March 28, 2007, Alexandria, Va., — The 29th National Regulators Meeting held March 25-27 in Salt Lake City, Utah, brought together the National Credit Union Administration (NCUA) and the National Association of State Credit Union Supervisors (NASCUS) to hear from numerous experts and discuss topics affecting state and federal regulators and the credit union system.


Understanding Patches

Websense® Security Labs™ has received reports of a phishing attack that targets Alhambra Credit Union customers. Users receive a spoofed email message, which claims that if they take a survey to give feedback on the quality of services, they will get a $45 credit to their account. The email provides a link to a phishing site that attempts to collect personal and account information.

This phishing site is hosted in the United States and was down at the time of this alert.

Phishing email text:

Dear Member…

Alhambra Credit Union Online department kindly asks you to take part in our quick and easy 5 questions survey. In return we will credit $45.00 to your account - Just for your time!

With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous - No part of it is handed down to any third party.

It will be stored in our secure database for maximum 7 days while we process the results of this urgent survey. We kindly ask you to spare two minutes of your time and take part in our online survey.

To continue please click the link below:
<URL REMOVED>

©2007 Alhambra Credit Union

Phishing screenshot #1:

Phishing screenshot #2:

Websense® Security Labs™ has received reports of a phishing attack that targets Bank of Hanover customers. Users receive a spoofed email message, which claims that if they take a survey to give feedback on the quality of services, they will get a $99.99 credit to their account. The email provides a link to a phishing site that attempts to collect personal and account information.

This phishing site is hosted in the United States and was down at the time of this alert.

Phishing email text:

Dear Customer,

CONGRATULATIONS !!!

You have been chosen By Bank Of Hanover online departament to take part in our quick and easy 5 question survey. In return we will credit $99.99 to your account - Just for your time!

Helping us better understand how our customers feel benefits everyone. With the information collected we can decide to direct a number of changes to improve and expand our online service. The information you provide us is all non-sensitive and anonymous –

No Part of it is handed down to any third party groups.
It will be stored in our secure database for maximum of 3 days while we process the results of this nationwide survey.

We kindly ask you to spare two minutes of your time in taking part with this unique offer!

To Continue click on the link below:

<URL REMOVED>

Copyright © 2007 Bank Of Hanover

Websense® Security Labs™ has received reports of a phishing attack that targets Weber Credit Union customers. Users receive a spoofed email message, which claims that if they take a survey to give feedback on the quality of services, they will get a $45 credit to their account. The email provides a link to a phishing site that attempts to collect personal and account information.

This phishing site is hosted in the United States and was up at the time of this alert.

Phishing email text:

Members Online Community:

The WEBER Credit Union Online department kindly asks you to take part in our quick and easy 5 questions survey. In return we will credit $45.00 to your account - Just for your time!

With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous - No part of it is handed down to any third party.

 

It will be stored in our secure database for maximum 7 days while we process the results of this urgent survey. We kindly ask you to spare two minutes of your time and take part in our online survey.

To continue please click the link below:
<URL REMOVED>

©2007 Weber Credit Union

Phishing screenshot #1:

National Credit Union Administration (NCUA) Vice Chairman Rodney Hood served as a featured speaker at the U.S. Department of the Treasury’s Northwest Regional Conference on Reaching Unbanked People.