

OUCH Newsletter

Reports On Identity Theft and Attacks On Computer Users from the SANS Institute

Volume 3, No. 3.    March 2006
 

In This Issue

What to Watch Out for This Month
Microsoft February Security Updates
Security Newsbytes

Arrests & Convictions
Late-Breaking News


What to Watch Out for This Month

There were 138 reported Phishing alerts this month, of which 31 involved banks and credit unions. Don't take the bait! Before you respond to any e-mail requests for personal information, call the bank, credit union or other institution. Listed below are banks and credit unions whose account holders were the object of Phishing scams last month.

Information for this report was gathered from various sites including http://www.millersmiles.co.uk/archives/current & http://www.antiphishing.org.

    Abbey
    American Airlines
    Bank of America
    Bank One
    Barclays Bank
    Bellsouth
    Capital One Bank
    Carolina First Bank
    Central Bank*
    Chase Bank
    CitiBank
    Credit Union*
    Credit Union of Texas
    Downey Savings
    First USA Bank
    Flagstar Bank
    Halifax
    HSBC Bank
    JPMorgan Chase & Co
    Lloyds TSB Bank
    NCUA
    North Fork Bank
    Ohio Edu. Credit Union
    Ohio Savings Bank
    Second Bank & Trust
    Suncorp
    TD Canada Trust
    Wells Fargo

*Here is an example of a generic credit union phishing email; it usually reads something like this:

To: undisclosed-recipients
Subject: Notification from Credit Union
Importance: High
Credit Union is constantly working to ensure security by regularly screening the accounts in our system.

  1. Phishing Scams

    Subject: Microsoft - New Microsoft Windows Updates HSBRSWDQKX
    Bait: Fake e-mail asking you to confirm/update/verify your account data by clicking on the embedded link so you can "receive activation code for your system".
    Sample:
    http://www.millersmiles.co.uk/report/2196

    Subject: Amazon - Urgent Fraud Prevention Group Notice
    Bait: Fake e-mail asking you to confirm/update/verify your account by clicking on the embedded link.
    Sample:
    http://www.millersmiles.co.uk/report/2173

    Subject: eBay - Unpaid eBay Item Reminder: #7591035721
    Bait: Fake e-mail asking you to confirm/update/verify your account information by clicking on the embedded link.
    Sample:
    http://www.millersmiles.co.uk/report/2149

    Subject: VISA - VISA Credit Card Temporary Suspended !!!
    Bait: Fake e-mail asking you to confirm/update/verify your account by clicking on the embedded link.
    Sample:
    http://www.millersmiles.co.uk/report/2148

  2. Hoaxes and Scams

    MSN 18 Contacts Hoax - Another in a long line of bogus email messages warning users to forward the email to a minimum of 18 contacts or they will have to pay for MSN and email accounts.
    More information: http://www.hoax-slayer.com/msn-18-contacts.html

  3. Virus Alerts

    Just when you thought Macintosh OS X was safe from computer viruses, along comes the first-ever Macintosh OS X worm, called OSX/Leap-A. This worm spreads through Apple's iChat instant messaging system: it forwards itself as a file called "latestpics.tgz" to contacts on the user's Buddy List, disguising itself with a JPEG graphic icon.
    More information: http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html

    OSX/Inqtana.A: This is a proof-of-concept worm that spreads by exploiting the Apple Macintosh OS X Bluetooth Directory Traversal Vulnerability. According to the anti-virus company Sophos, there is also a variant of this called "OSX/Inqtana.B."
    More information:
    http://www.symantec.com/avcenter/venc/data/osx.inqtana.a.html

    PWSteal.Metafisher: A Trojan horse that exploits the Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-001) to download remote files. The Trojan also sends bank account and personal information to remote servers.
    More information:
    http://www.symantec.com/avcenter/venc/data/pf/pwsteal.metafisher.html

    Mare-D: A worm that exploits vulnerabilities in XML-RPC for PHP and Mambo to infect and spread between machines running Linux. The worm is capable of installing an IRC-controlled backdoor on systems it infects. While the worm has been given a low risk rating, it is noteworthy because it targets Linux systems.
    More information:
    http://www.theregister.co.uk/2006/02/20/linux_worm/print.html


Microsoft February Security Updates

As necessary, Microsoft provides new security updates on the second Tuesday of each month and sends a bulletin announcing the update. There were two "critical" updates released in February: MS06-004 and MS06-005. These patch vulnerabilities in Internet Explorer and Windows Media Player. There were also five "important" updates released: MS06-006, MS06-007, MS06-008, MS06-009 and MS06-010. These patches address various vulnerabilities in Windows Media Player, TCP/IP, Web Client Service, Korean Input Method Editor, and PowerPoint 2000.
More information:
http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx


Security Newsbytes

New Hampshire Governor John Lynch said the security of the State's computer system has been breached. The attackers may have been seeking credit card account information belonging to New Hampshire residents. The security breach involved computer and in-person transactions at motor vehicle offices, state liquor stores, and other locations. People who have used credit cards for transactions with the State over the last six months are advised to scrutinize their statements for unauthorized transactions. The breach came to light when State technology experts found monitoring software installed on the system.
More information:
http://www.washingtonpost.com/wp-dyn/content/article/2006/02/15/AR2006021502764_pf.html

Sources are now indicating that the compromised debit cards reported earlier are related to two security breaches involving Wal-Mart and OfficeMax. Bank of America, Washington Mutual, and a credit union cancelled 200,000 customer debit cards. The FBI and the Secret Service are investigating. Neither store has commented on its connection to the data breach, although Wal-Mart did point to its December 2, 2005 announcement that customer credit card security had been breached at some Sam's Club gas pumps in late September and early October. The FBI also believes that the breach may be connected to an ongoing investigation in Sacramento, CA; that case involves the cancellation of about 1,500 debit cards by the Golden 1 Credit Union.
More information:
http://news.com.com/2102-1029_3-6038405.html?tag=st.util.print


Arrests & Convictions

There were 55 suspected hackers arrested in a Brazilian Phishing scam. The gang was said to have stolen $4.6 million from approximately 200 online bank accounts by infecting Internet users' computers with spyware [Trojan horses] to steal confidential information about account numbers and passwords. The Trojan horses were sent to online banking customers via email beginning in May 2005.
More information:
http://www.sophos.co.uk/pressoffice/news/articles/2006/02/brphishgang.html

A California man, Christopher Maxwell, 20, was indicted on federal charges of creating a robot-like network of hijacked computers that helped him and two others bring in $100,000 for installing unwanted ad software.
More information:
http://www.computerworld.com/printthis/2006/0,4814,108643,00.html


Late-Breaking News

"Mr. & Mrs. Smith" DVD Ships with Rootkit-like DRM. The German DVD release of "Mr. & Mrs. Smith" contains a DRM (digital rights management) protection scheme that uses rootkit-like cloaking technology.
More information:
http://www.eweek.com/article2/0,1895,1926917,00.asp

"The Nyxem Email Virus: Analysis and Inferences" contains interesting facts and is worth reading.
More information:
http://www.caida.org/analysis/security/blackworm/

No hearty ha-ha here. Another joke virus program is going around, called "Joke_Geschenk.A." This one is neither malicious nor funny. Upon execution, it displays a screen with the Coca-Cola graphic on it and some text. If the "Accept" button is clicked, the user's CD-ROM drive pops open.
More information:
http://www.trendmicro.com.au/consumer/vinfo/jokes.php?vJoke=132


Anyone may sign up to get a free copy of this newsletter at www.sans.org/newsletters

Repository of OUCH issues: http://www.sans.org/newsletters/ouch/


Copyright 2006, The SANS Institute.

Editorial Board: Dave Moore, Bill Wyman, Alan Reichert, Barbara Rietveld, Alan Paller

Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product.