Archive for March, 2007
Websense® Security Labs™ has received reports of a phishing attack that targets customers of First Education Federal Credit Union. Users receive a spoofed email message which claims that if they take a 5 question survey, they will get a $100 credit to their account. The email provides a link to a phishing site that attempts to collect personal and account information.
This phishing site is hosted in Thailand and was up at the time of this alert.
Phishing email text:
Dear First Education Federal Credit Union Customer,
The First Education Federal Credit Union Online department kindly asks you to take part in our quick and easy 5 questions survey.
In return we will credit $100.00 to your account - Just for your time!
With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous - No part of it is handed down to any third party.
It will be stored in our secure database for maximum 7 days while we process the results of this urgent survey.
We kindly ask you to spare two minutes of your time and take part in our online survey.
To continue please click the link below
<URL REMOVED>
©2007 First Education Federal Credit Union
Phishing screenshot #1:

Proposed Regulation 12 CFR Part 716 - Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act
The Multiple Common Bond Expansion Report identifies the number of select group expansions approved, deferred and denied for federal credit unions. The report is presented in a year-to-date format and is updated monthly.
Media Release - NCUA-FinCEN BSA Webinar Available Online
Results of NCUA’s 3/15/2007 Board Meeting
Chairman Johnson’s Statement on Merger Regulation Requirements
Mar 15
Websense® Security Labs™ has received reports of a phishing attack that targets users of Virgin Media. Users receive a spoofed email message, which claims that their account must be updated because of a new database server, or else an account lockout will occur. The email provides a link to a phishing site that attempts to collect personal and account information.
This phishing site is hosted in the United States and was up at the time of this alert.
Phishing email text:
Dear Member:
We apologize if u had any trouble accessing our services. In the last month we have worked day and night, for the improvement of our services. We want to do our best, and make it as simple as possible for us, but especially for you, our valued customer. From the beginning of this year we have had a big number of solicitations and because of this it was necessary to replace the old database server with a new one, which has the information about our new clients, and where some of our clients are going to get moved. Please verify your information until March 20, 2007 and help us avoid the lock-out of your services. We require all old accounts to verify their information on file with us. To verify your account details now, please visit our secure server webform by clicking the hyperlink below:
<URL REMOVED>
If you choose to ignore our request, you leave us no choice but to temporary suspend your account.
We appreciate your business and hope to keep you as a customer for life.
Virgin Media Online is so easy; no wonder it’s number one !
We apologize for any inconvenience.
Thank You for using Virgin Media.
Sincerely,
Virgin Media Billing Services
——————————————————————————–
How can I restore my account access?
Please update your billing here: Virgin Media Billing Services and complete the web form.
Completing all of the checklist items will automatically restore your account access.
©2007 Virgin Media Inc. All Rights Reserved
Phishing screenshot #1:
Phishing screenshot #2:
Phishing screenshot #3:
Websense® Security Labs™ has received reports of new malicious Web sites designed to install Trojan horse and password-stealing malicious code. The Web sites are hosted in China and attempt to exploit several Microsoft® vulnerabilities to download and install a Trojan downloader without end-user interaction.
Among the sites is a popular Chinese book store hosted on Myrice. All sites appear to have been compromised.
There are three IFRAMEs that are loaded:
http://www.<removed>.com/aafs.asp
http://www.<removed>.com/a/Ms.html
http://www.<removed>.com/a/index.htm
Upon visiting the sites, users who are not patched for the Microsoft vulnerabilities will have exploit code run on their machine without user interaction. The file is loaded from http://<removed>.com/author3/70/OpenIe.Exe and is designed to capture keystrokes in order to steal information from the user.
Site example screenshot 1:

Site example screenshot 2:

Site example screenshot 3:

Alert update posted on our blog:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=114
Websense® Security Labs™ has received reports of new, malicious Web sites which are designed to install Trojan horses. The Web sites are hosted in Korea and Hong Kong. The sites attempt to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.
Users receive an email, written in German, requesting that they visit a Web site to verify their order number. Upon visiting the site, the malicious code is automatically downloaded and run, assuming the user is not patched for the Microsoft vulnerability.
The original site, which is hosted in Korea, appears to have been compromised. An IFRAME pointing to the exploit code site is contained at the bottom of the original site.
The site contains encoded JavaScript which, when decoded, runs the exploit code and downloads an .exe file, update.exe, from a server in Hong Kong (http://<removed>/cosmos/cmp/get.php?file=exe).
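Both alerts above describe compromised sites carrying an IFRAME that points at a third-party exploit host. One way a site owner could audit their own pages for such frames, as an added example (not Websense's code): the host names, the sample page and the hidden/zero-size heuristic are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one same-site frame, one approved partner frame,
# and one zero-size off-site frame appended after the document's closing tags.
SAMPLE_PAGE = """<html><body>
<h1>Book store</h1>
<iframe src="/promo/banner.html" width="468" height="60"></iframe>
<iframe src="http://video.partner.example/embed/1" width="400" height="300"></iframe>
</body></html>
<iframe src="http://injected.example/a/index.htm" width="0" height="0"></iframe>
"""

class IframeAuditor(HTMLParser):
    """Record every <iframe> whose src points at a host the site does not trust."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.body_closed = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.body_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.trusted:
            return  # relative (same-site) or explicitly approved source
        reasons = ["off-site src"]
        style = a.get("style", "").replace(" ", "").lower()
        if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("hidden or zero-size")
        if self.body_closed:  # frame appended at the very bottom of the page
            reasons.append("after closing body/html tag")
        self.findings.append({"src": a["src"], "line": self.getpos()[0], "reasons": reasons})

def audit_page(html, site_host, allowed_hosts=()):
    """Return findings for one page; every off-site frame is reported for review."""
    parser = IframeAuditor(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run against saved copies of the site's own pages and compare the findings with the list of third-party embeds the site is supposed to carry; a frame with all three reasons matches the pattern in these alerts.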
Email screenshot:
Encoding example:
Infected site screenshot:
