OUCH Newsletter
Reports On Identity Theft and Attacks On Computer Users
from the SANS Institute
Volume 3, No. 1.
January, 2006
OUCH Alert: A very bad series of worms will be
spreading the first week in 2006. You will not be able to stay
current with all the file names.
The only defense is
- keep your antivirus up to date,
- do not click on *any* links in emails or instant
messages,
- do not open *any* attached files this week, and
- do not visit *any* new web sites this week, at least
until Microsoft figures out how to correct its programming
error.
Here's the first example, sending a link to an infected image
file named xmas-2006 FUNNY.jpg.
http://www.f-secure.com/weblog/archives/archive-122005.html
In This Issue
What to Watch Out for This Month
Microsoft December Security Updates
Security Newsbytes
Arrests & Convictions
Quiz Time: Phishing, Part 2
What to Watch Out for This Month
Phishing Scams
There were 96 reported Phishing alerts this month, of which 43
involved banks and credit unions. The danger is still
widespread. Information for this report was gathered from
various sites including:
http://www.millersmiles.co.uk/index.php and
http://www.antiphishing.org.
Academy Bank
Armed Forces Bank
Bank of America
Bank of Oklahoma
Barclays
CapitalOne Bank
Chase Bank
Citibank
eBay Federal Credit Union
JPMorgan Chase
Federal Credit Union
NatWest
VISA
South Trust
Subject: CapitalOne - Account is on hold
Bait: Fake e-mail asking you to confirm/update/verify your
account data by clicking on the link in the email.
Goal: To have you visit the Phishing site and divulge your logon
information.
Sample:
http://www.millersmiles.co.uk/report/1804
Subject: Bank of Oklahoma - Account Update
Bait: Fake e-mail asking you to confirm/update/verify your
account by clicking on the embedded link.
Goal: To have you visit the Phishing site and divulge your logon
information.
Sample:
http://www.millersmiles.co.uk/report/1801
Subject: eBay - Question from eBay Member
Bait: Fake e-mail asking you to confirm/update/verify your
account at eBay by clicking on the embedded link.
Goal: To have you visit the Phishing site and divulge
information about your eBay account.
Sample:
http://www.millersmiles.co.uk/report/1795
Subject: RBC Centura-Update your Web Banking Account
Bait: Fake e-mail asking you to confirm/update/verify your
account data by clicking on the embedded link.
Goal: To have you visit the Phishing site and divulge your login
information.
Sample:
http://www.millersmiles.co.uk/report/1806
Subject: Credit Union One
Bait: Fake e-mail asking you to confirm your account status by
clicking on the embedded link.
Goal: Capture as much of your account information as possible.
Sample:
http://www.millersmiles.co.uk/report/1786
Hoaxes and Scams
Car-Jacking Scheme Warning Hoax: A "forwarded" e-mail
warning of a new car-jacking scheme in which paper is placed on
the back window of parked cars as a ruse to get a driver to exit
his or her vehicle and leave it running so that the "thieves"
can steal it easily. The entire story is a hoax.
More information:
http://www.hoax-slayer.com/car-jacking-warning.html
IRS Refund Scam Email: A bogus e-mail, supposedly from
the IRS, asks consumers to provide personal information on an
equally bogus website in order to claim a likewise bogus tax
refund.
More information:
http://www.hoax-slayer.com/irs-phishing-scam.html
Q33 NY Wingdings Hoax - Elevens and the Wrath of the
Eagle: An e-mail claiming that entering Q33 NY while using
the Windows Wingdings font will reveal a combination of symbols
that reflect the 2001 attack on the Twin Towers. Other claims
include that a verse in the Quran predicts US involvement in
Iraq and that the number 11 has special significance.
More information:
http://www.hoax-slayer.com/wingdings-911.html
Virus Alerts
Trojan.Lodear.G: A Trojan horse that attempts to download
remote files.
The Trojan may arrive as an e-mail attachment that contains a
file named s3700026.exe. The attachment has one of the following
names:
Thomas.zip
Henry.zip
William.zip
Nicholaus.zip
Edward.zip
Katheryne.zip
Nathanyell.zip
Michael.zip
Anthonye.zip
Mychaell.zip
Danyell.zip
Note: Do not open zip files unless you were expecting the
file from that person.
More information:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.lodear.g.html
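As an added illustration (not part of the newsletter), the following Python script shows how a mail filter could flag the Trojan.Lodear.G lure described above: it checks each attachment against the listed zip names and looks inside any zip attachment for s3700026.exe without extracting it. The sample message it builds is constructed for the demonstration.

```python
# Added example (not from the OUCH newsletter): flag e-mail attachments that
# match the Trojan.Lodear.G lure. A message is flagged when a zip attachment
# carries one of the listed names or contains s3700026.exe. The sample
# message built below is constructed here for the demonstration.
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

LODEAR_ZIP_NAMES = {
    "Thomas.zip", "Henry.zip", "William.zip", "Nicholaus.zip", "Edward.zip",
    "Katheryne.zip", "Nathanyell.zip", "Michael.zip", "Anthonye.zip",
    "Mychaell.zip", "Danyell.zip",
}
LODEAR_PAYLOAD = "s3700026.exe"


def lodear_indicators(raw_message: bytes) -> list:
    """Return one reason string per attachment that matches the lure."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name in LODEAR_ZIP_NAMES:
            reasons.append(f"{name}: attachment name matches Lodear.G lure")
        # Only the archive listing is read; nothing is extracted or executed.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
            if LODEAR_PAYLOAD in members:
                reasons.append(f"{name}: archive contains {LODEAR_PAYLOAD}")
    return reasons


def build_sample(zip_name: str, inner_name: str) -> bytes:
    """Constructed test message: one zip attachment holding one inner file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(lodear_indicators(build_sample("Thomas.zip", "s3700026.exe")))
```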
Virkel.F: The virus arrives as a file claiming to be a
leaked version of the Microsoft MSN Messenger client. After a
machine is infected, it joins a bot network and awaits
instructions from the bot controller. The controller could tell
the machine to start spreading the virus, send spam messages,
serve up pop-up ads or contribute to a Denial of Service attack.
The virus will also send itself to everyone on the infected
machine's buddy list.
Impact of virus-infected computers: Infected Computer
Exposes Airport Access Codes: A virus-infected computer used by
a Japan Airlines (JAL) co-pilot at home is apparently the source
of a leak of 17 security codes that allowed access to restricted
areas of airports.
More information:
http://www.kuam.com/news/15973.aspx
Microsoft December Security Updates
As necessary, Microsoft provides new security updates on the
second Tuesday of each month and sends a bulletin announcing the
updates. There was one "critical" and one "important" update
released in December.
The "critical" update (MS05-054) includes a patch for
Internet Explorer that addresses the 'zero day exploit' that has
been discussed in the media over the last few weeks. If you
visit a malicious website without this patch installed,
attackers could take complete control of your computer. The
MS05-054 patch addresses this issue, addresses three other
vulnerabilities, and protects against the Sony Rootkit
vulnerability. Shavlik Technologies, a security company,
recommends installing this patch on unprotected systems as soon
as possible (www.shavlik.com).
The "important" update (MS05-055) addresses a vulnerability
in the Windows kernel that could allow attackers to grant
themselves access to your system without your knowledge.
More information:
http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx
Security Newsbytes
Hackers Break Into Computer Security Firm's Customer
Database. A leading provider of software used to diagnose
hacker break-ins has itself been hacked, resulting in the
exposure of financial and personal data connected to thousands
of law enforcement officials and network security professionals.
More information:
http://www2.csoonline.com/blog_view.html?CID=15855
Internet Explorer Patch Causing Problems. Microsoft is
receiving scattered reports about problems with a security patch
it issued for Internet Explorer on December 13th. It has been
reported that some links come up blank, that several windows
open at once when the browser is started, and that Internet
Explorer may "just hang".
More information:
http://enterprisesecurity.symantec.com/content.cfm?articleid=6299
eBay Removes Vulnerability Information Listing. Online
auction giant eBay shut down the bidding for a vulnerability in
Microsoft's Excel spreadsheet program on Thursday. The
vulnerability had been offered for sale on its Web site. eBay
said that the sale of a flaw in any program violates eBay's
policy against encouraging illegal activity. The Excel flaw in
question appears to be real and could allow a malicious
programmer to craft an Excel file capable of taking control of a
Windows computer.
More information:
http://www.securityfocus.com/news/11363
Apple Releases a Cumulative Update for the Mac OS X
Operating System. The update addresses 13 flaws that could
be exploited to allow remote code execution as well as
cross-site scripting and spoofing. The most serious flaws are
the remote code execution vulnerabilities in the software
applications CoreFoundation, Curl, and Safari.
More information:
http://isc.sans.org/diary.php?storyid=905
Arrests & Convictions
German police have arrested five men in Bonn on
suspicion of stealing _30,000 through Phishing fraud and Trojan
horse attacks. A sixth man associated with the group, which is
suspected of targeting online Postbank account holders, is said
to be on the run. More than 12 million people hold Postbank
accounts.
News report:
http://news.zdnet.co.uk/internet/security/0,39020375,39181670,00.htm
UK Man Arrested in Phishing Probe. An unnamed man has
been released on bail after he was arrested for allegedly
sending fraudulent emails claiming to be from Smile, a UK online
bank. Apparently, the man hoped that people who received the
email would be fooled into disclosing their online passwords.
News report:
http://www.spamfo.co.uk/component/option,com_content/task,view/id,260/Itemid,2/
Quiz Time: Phishing, Part 2
Do you know the basic steps to help protect your computer
from spyware, worms, and other harmful programs? Review some
more basics about protecting your PC from these threats.
http://www.microsoft.com/athome/security/quiz/pypcbasics2.mspx
Anyone may sign up to get a free copy of this newsletter at
www.sans.org/newsletters
Repository of OUCH issues:
http://www.sans.org/newsletters/ouch/
Copyright 2006, The SANS Institute.
Permission is hereby granted for any person
to redistribute this in whole or in part to any other
persons as long as the distribution is not being made as
part of any commercial service or as part of a promotion or
marketing effort for any commercial service or product.