
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-11-17



An anti-virus goof; security awareness; and a return visit from some old friends: phishers and Sasser

Published: 2004-11-17
Last Updated: 2004-11-18 03:20:50 UTC
by Dan Goldberg (Version: 1)
The day started out with a potential disaster that averted itself fairly quickly. A report came in regarding an anti-virus package flagging Java .class files as infected, a false positive that could cause a lot of mayhem: an AV product set to delete or quarantine on detection will take working Java applications apart one class file at a time. Fortunately the vendor caught this fairly quickly and posted an update. So if your AV is behaving in this way, go check the vendor for an update, and after applying it restore anything that was quarantined in the meantime.

I am not mentioning the vendor since they do not need the publicity and their customers know who they are.

Let's talk about security awareness for a minute. No really, wake up, sit down and read this! The biggest events of the day from where I sit were related to phishing, which brings a useful newsletter to mind: SANS OUCH! (OUCH: The Report On Identity Theft and Attacks On Computer Users). It is a bi-weekly newsletter covering the latest phishing and social engineering threats, and it is addressed to users, not technical folks. Go check it out at http://www.sans.org/newsletters/ouch/

Old friends

So the phishing instances I saw targeted Suntrust Bank. The interesting part that I nearly missed (thanks Tom Liston for being more persistent than I) is that the site checks the User-Agent of the browser. User-Agents (browsers) the kit is not prepared to fool get redirected to the actual bank site. But vulnerable browsers such as IE 5.5 and 6 get the full enchilada, a phony bank site. After 2 failed logins (third time is the charm) the user gets sent to a form where they can "validate" their credit card, as the email that directs them there promised. This is all standard stuff except for the User-Agent part, and that part matters for anyone analyzing one of these sites: fetch it with a non-IE browser or a command-line tool and all you see is a harmless-looking redirect to the real bank. Request it with the User-Agent of the browser being targeted, or you will conclude there is nothing there.
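The cloaking behaviour described above, as an added example that is not code from this diary or from the phishing kit itself. The first half models the kit's rule (only IE 5.5 and 6 get the fake login page, everyone else is bounced to the genuine site, and the third login attempt lands on the card form); the second half is the probe an analyst would run: request the same URL once per User-Agent and flag the site if the answers differ. The User-Agent strings, the placeholder bank URL and the kit's paths are all constructed for the example.

```python
"""Model of a User-Agent cloaking phishing kit, plus a probe that exposes it.

Added example, not the diary's or the kit's own code. The User-Agent strings,
the placeholder bank URL and the kit's rule and paths are constructed
assumptions that mirror the behaviour described in the diary.
"""
import re
import urllib.error
import urllib.request

# Constructed User-Agent strings in the formats browsers of the period sent.
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_IE55 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
UA_FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/1.0"
UA_CURL = "curl/7.12.1"
PROBE_AGENTS = [UA_CURL, UA_FIREFOX, UA_IE55, UA_IE6]

REAL_BANK = "https://bank.example/"  # placeholder for the genuine site the kit bounces to

_MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")


def kit_targets(user_agent):
    """The kit's cloaking rule: serve the fake page only to IE 5.5 and IE 6.x."""
    m = _MSIE_RE.search(user_agent or "")
    if not m:
        return False
    major, minor = int(m.group(1)), int(m.group(2))
    return (major, minor) == (5, 5) or major == 6


def kit_response(user_agent):
    """What the kit answers to a request for its landing page: (status, Location).

    Targeted browsers get the fake login page (200, no redirect); every other
    client is sent straight to the real bank with a 302.
    """
    if kit_targets(user_agent):
        return 200, ""
    return 302, REAL_BANK


def kit_login_response(attempt):
    """Second stage: the first two logins 'fail', the third lands on the card form."""
    return "/login.html?error=1" if attempt < 3 else "/verify_card.html"


def probe_for_cloaking(fetch, agents=PROBE_AGENTS):
    """Fetch the same URL once per User-Agent and report whether the answers differ.

    fetch(ua) must return (status, location). A kit that serves one answer to
    IE and another to everything else shows up as more than one distinct answer.
    Returns (results per User-Agent, cloaking detected).
    """
    results = {ua: fetch(ua) for ua in agents}
    return results, len(set(results.values())) > 1


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the probe sees the 302 and its target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Build a fetch(ua) callable for a live URL, for use with probe_for_cloaking()."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, resp.headers.get("Location", "")
        except urllib.error.HTTPError as e:  # a 3xx surfaces here because we refuse to follow it
            return e.code, e.headers.get("Location", "")

    return fetch


if __name__ == "__main__":
    # Offline demonstration against the modelled kit; swap in http_fetch(url) for a real site.
    results, cloaked = probe_for_cloaking(kit_response)
    for ua, (status, loc) in results.items():
        print(f"{status} {loc or '(fake login page served)'}  <- {ua}")
    print("cloaking detected" if cloaked else "same answer for every browser")
```

Run it as-is to see the modelled kit answer differently to curl and Firefox than to IE; against a live site, pass `http_fetch(url)` instead of `kit_response`. The probe deliberately does not follow redirects, because the redirect target is the evidence.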

The next phish targeted Paypal users saying:
This email confirms that you have paid phonebuyer
(phonebuyer451@yahoo.com) $278.99 USD using
PayPal.
The message then provides a bogus link to dispute the charge. All in all nothing new. This ends the awareness session.

We had a minor bout of Sasser brought to our attention as well late in the day. It serves as a reminder to me that we cannot forget yesterday's troubles yet. Sasser still finds hosts missing the MS04-011 LSASS patch from April and spreads to them over TCP port 445; the old worms are still out there and will come back to get us, so we have to stay sharp.

Cheers!

Dan Goldberg

dan /at/madjic /dot/net

MADJiC Consulting, Inc