Another Russian Bank Scam


Updated July 16th 2004 12:24 UTC

A reader contacted the ISC early on Friday morning to report yet another online banking scam. In this case, the victim receives a forged email from PayPal instructing them that their account appears to have unauthorized access attempts and they need to change their password for their protection. Clicking on the embedded link takes the victim to a web site hosted by a cable modem user near New York City.

If the victim is using Internet Explorer and the browser is not patched for the .chm exploit, the victim's browser is directed to download several files including executables from a web hosting site in Atlanta. The .chm patch is at http://www.microsoft.com/technet/security/...n/ms04-013.mspx

The files on the Atlanta site attempt to capture login and password activity, then upload that information to a data repository at the same site. As of early morning on July 16th there appear to be over 11,000 victims with over 16,000 captured passwords and account information. The data collection starts in early May and is unfortunately still continuing. The Atlanta site has been notified. The Department of Homeland Security and US-CERT have also been notified.

One of the executable files contains the list of banks below. URLs viewed by the ISC in files at the Atlanta site include additional banking and financial sites. The ISC has made the files available to the US-CERT for their investigation.

http://www.ukpersonal.hsbc.co.uk

https://www.halifax-online.co.uk

https://ibank.barclays.co.uk

https://www.nwolb.com

https://webbank.openplan.co.uk

http://login.passport.net/uilogin

http://ukpersonal.hsbc.co.uk

https://halifax-online.co.uk

https://www.ibank.barclays.co.uk

https://nwolb.com

https://www.webbank.openplan.co.uk

http://www.login.passport.net/uilogin

https://www.e-gold.com

https://bank-gold.com

https://webbank.openplan.co.uk

https://online.lloydstsb.co.uk/customer

http://www.privatebanking.lloydstsb-offshore.com

https://evocashld.com

https://e-bullion.com

https://pecunixld.com

Again, this scam will not work if Internet Explorer is properly patched. Mozilla, Netscape, Opera, and other browsers are not affected by this.

Many thanks to ISC Handlers Lorna Hutcheson and John Bambenek for their extraordinary efforts during the early hours of Friday morning.

Marcus H. Sachs

Handler on Duty

Link to ISC © 2002-2004 The SANS Institute

http://isc.sans.org/diary.php
