ICQ/MSN Messenger Fraud
We received notice about fraudulent messages sent via ICQ and MSN Messanger,
urging users to visit various websites to download Windows patches. While these
websites resemble 'official' Microsoft sites, the patch is in fact a trojan
horse. If installed, the trojan horse will connect to an IRC server and
participate in a "botnet" which could be used to portscan or to launch DDOS
attacks.
It has become a common tactic to impersonate well known web sites to either
trick the user into revealing personal information or to download and install
trojans. This class of attacks, commonly known as "cognitive hacking" represent
a variation of social engineering attacks and are not easily defeated by
technical means. User education is the number one defense. We do urge system
administrators to educate users about commonly used techniques.
In this case, a number of hints indicate that the site is not authentic:
The message arrives via MSN or ICQ. Microsoft will never use either service to notify users of patches. Either instant messanger service should not be considered
"secure". One has to understand that neither service uses encryption to transmit
messages, and authentication is weak.
The URL does not use a domain name, but an IP address. The site is not using
https, but plain http. While https can be used to make a 'fake' site look more
authentic, it adds an extra layer of complexity most malware authors avoid.
The url includes javascript code to maximize the window. Likely, this is done
to conceal the fact that the site is not using http (the 'lock' icon moves off
the screen). More sophisticated impostures will move the actual task bar of the
screen and replace it with its own image of a 'secure' task bar.
Immediate measures:
We do recommend blocking access to the following IPs and sites used in this
scam:
200.152.5.119
212.78.206.150
209.126.216.36
upon joining the IRC channel, the 'bots' are currently instructed to 27374 and
1243. The installed binary is 'scan.exe'. While scan.exe is not currently
detected as a virus, it will uncompress itself and extract several components
which are detected by virus scanners.
Just a reminder: there are likely variations of this basic scheme. Please do
NOT take these instructions too specific. More generic, outbound IRC traffic,
and outbound scans of port 27374 and 1243 are always suspicious.
------
Matt Scarborough contributed to this report.
Please send feedback to isc@sans.org
urging users to visit various websites to download Windows patches. While these
websites resemble 'official' Microsoft sites, the patch is in fact a trojan
horse. If installed, the trojan horse will connect to an IRC server and
participate in a "botnet" which could be used to portscan or to launch DDOS
attacks.
It has become a common tactic to impersonate well known web sites to either
trick the user into revealing personal information or to download and install
trojans. This class of attacks, commonly known as "cognitive hacking" represent
a variation of social engineering attacks and are not easily defeated by
technical means. User education is the number one defense. We do urge system
administrators to educate users about commonly used techniques.
In this case, a number of hints indicate that the site is not authentic:
The message arrives via MSN or ICQ. Microsoft will never use either service to notify users of patches. Either instant messanger service should not be considered
"secure". One has to understand that neither service uses encryption to transmit
messages, and authentication is weak.
The URL does not use a domain name, but an IP address. The site is not using
https, but plain http. While https can be used to make a 'fake' site look more
authentic, it adds an extra layer of complexity most malware authors avoid.
The url includes javascript code to maximize the window. Likely, this is done
to conceal the fact that the site is not using http (the 'lock' icon moves off
the screen). More sophisticated impostures will move the actual task bar of the
screen and replace it with its own image of a 'secure' task bar.
Immediate measures:
We do recommend blocking access to the following IPs and sites used in this
scam:
200.152.5.119
212.78.206.150
209.126.216.36
upon joining the IRC channel, the 'bots' are currently instructed to 27374 and
1243. The installed binary is 'scan.exe'. While scan.exe is not currently
detected as a virus, it will uncompress itself and extract several components
which are detected by virus scanners.
Just a reminder: there are likely variations of this basic scheme. Please do
NOT take these instructions too specific. More generic, outbound IRC traffic,
and outbound scans of port 27374 and 1243 are always suspicious.
------
Matt Scarborough contributed to this report.
Please send feedback to isc@sans.org
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago