Date: Mon, 10 Jan 2005 11:04:19 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: SANS OUCH Report January 1, 2005

----------------------------------------------
SANS INSTITUTE OUCH REPORT FOR JANUARY 1, 2005
----------------------------------------------

The "OUCH Report" is a monthly security alert e-newsletter published by the SANS Institute (www.sans.org) meant for redistribution to non-technical customers and staff. The latest issue of OUCH is below. I hope you find it informative.

As usual, a great deal of the report is devoted to current "Phishing" scams. For more information about Phishing, see the description on the front page of our Web site at http://www.bcpl.net .

****************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 2, No. 1. January 01, 2005
****************************************************************

Many people were fooled by the Christmas Greeting worm:

A new virus has been going around wishing everyone a Merry Christmas. Anti-virus vendors have several names for this virus, including W32.Erkez.D@mm (Symantec) or W32/Zafi.d@MM (McAfee, Trend Micro). This virus will use several subject lines to try to get you to open up an enclosed file. Be extra careful with this one because it will send itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door onto the computer.

Where you can read more on this story:
http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html

************************

Important Note: When you update your Windows computer, you usually must get both the Windows updates and Microsoft Office updates.
They are at different sites, which are:

Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/en-us/officeupdate/default.aspx

************************
What To Avoid This Month
************************

I. Email from people trying to get you to divulge private details. These are often trying to steal your identity (and your money)
   I.1 eBay Billing Information Update
   I.2 eBay Safe Harbor Notice
   I.3 Please Save My Situation
   I.4 SunTrust Phishing email - "Security Alert on Microsoft Internet Explorer"
   I.5 Washington Mutual Phishing email - "Confirm your Online Banking account"
   I.6 eBay email - "Credit/Debit card Update."
   I.7 Debit Card Alert
II. Virus/Hoax Alerts
   II.1 W32.Atak.F@mm
   II.2 VBS.Sorpe.B@mm
   II.3 VBS.Sorpe.A@mm
III. Covert Phishing scam lies in wait for its victims
IV. Important Phishing Information
   IV.1 Canada has interesting information on what Internet users should do about Phishing schemes
   IV.2 Let's take the Phishing Quiz Again for the Holidays
V. Phishing Web Sites Grew by 33 Percent in November
VI. Internet Fraud Complaint Center
VII. Hacked Web Sites Used To Install Parasites

**********************************
More Details About Things To Avoid
**********************************

I. Email from people trying to steal your identity (and your money)

I.1 eBay Billing Information Update:

The Bait: An email sent to you stating that your eBay billing updates are out of order and to update your personal information.
What it tries to make you do: Get you to fill out your personal information such as name and credit card information.
Where you can see how it actually appears:
http://www.millersmiles.co.uk/identitytheft/121904-eBay-Billing-Information-Update.php

I.2 eBay Safe Harbor Notice

The Bait: An email stating your eBay account will be suspended within 48 hours after receiving the email.
What it tries to make you do: Get you to change your personal information due to unauthorized access on your account.
Where you can see how it actually appears:
http://www.millersmiles.co.uk/identitytheft/121704-Safe-Harbor-Notice.php

I.3 Please Save My Situation

The Bait: An email falsely promising to pass along large amounts of money to you, while in fact just gathering lots of personal information about you. This is in the same style as the Nigerian '419' scams you may have read about.
Where you can see how it actually appears:
http://www.millersmiles.co.uk/identitytheft/121704-PLEASE-SAVE-MY-SITUATION.php

I.4 SunTrust Phishing email - "Security Alert on Microsoft Internet Explorer"

The Bait: An email that arrives in your mailbox promising to add better security features for your online banking.
What it tries to make you do: Click on a link in the email to update your security installation.
Where you can see how it actually appears:
http://www.fraudwatchinternational.com/fraud_alerts/041111_3503_suntrust.htm

I.5 Washington Mutual Phishing email - "Confirm your Online Banking account"

The Bait: An unexpected email that arrives in your mailbox explaining that your account was accessed multiple times.
What it tries to make you do: Open the link and verify your personal information.
Where you can see how it actually appears:
http://www.fraudwatchinternational.com/fraudalerts2/0412/pages/041218_4546_wamu.htm

I.6 eBay email - "Credit/Debit card Update."

The Bait: Multiple login failures to your account
What it tries to make you do: Click on a link within the email to update your account.
Where you can see how it actually appears:
http://www.fraudwatchinternational.com/fraudalerts2/0412/pages/041218_4534_ebay.htm

I.7 Debit Card Alert

The Bait: Update your ATM card information
What it tries to make you do: Fill out the form in email
Where you can see how it actually appears:
http://www.millersmiles.co.uk/identitytheft/121904-Debit-Card-Alert.php

******************************

II. Virus/Hoax Alerts:

II.1 W32.Atak.F@mm

The Bait: An unexpected email that arrives in your mailbox with various subject lines such as 'Merry X-Mas', 'Happy New Year'
What it tries to make you do: Open the attached file. When you open it you are infected with this virus.
Where you can see how it actually appears:
http://securityresponse.symantec.com/avcenter/venc/data/w32.atak.f@mm.html

II.2 VBS.Sorpe.B@mm

The Bait: An email that arrives in your mailbox with various subject lines such as 'A friendly reminder to ALL online bank users', 'Fw: Reminder to be aware of internet scams' and numerous others.
What it tries to make you do: Open the attached file. Opening the attachment causes the virus to infect your computer.
Where you can read more on this story:
http://securityresponse.symantec.com/avcenter/venc/data/vbs.sorpe.b@mm.html

II.3 VBS.Sorpe.A@mm

The Bait: An email that arrives in your mailbox with various subject lines such as 'Microsoft Updates News', 'Service Pack 2 Updates News' and numerous others.
Where you can read more on this story:
http://securityresponse.symantec.com/avcenter/venc/data/vbs.sorpe.a@mm.html

*** Remember that Microsoft never sends patches or updates through the email; they are available for download only through the links above, or through the Automated Update Service on your Windows System Tray.

******************************

III. Covert Phishing scam lies in wait for its victims:

According to experts, this is a low risk for now, but this could be a sign of worse things to come.
Experts have stated that a phishing scam has been detected which will not require you to click on a link in the email in order to gather your personal data while banking online.

Where you can read more on this story:
http://software.silicon.com/security/0,39024655,39125549,00.htm

******************************

IV. Important Phishing Information:

IV.1 The United States and Canada have jointly issued a publication describing phishing and giving the public information on what to do about it. This is an excellent overview and well worth a look. It has some really good information on what Internet users should do about phishing schemes, as well as some facts and how phishing occurs.

Where you can read more on this story:
http://www.psepc.gc.ca/publications/policing/phishing_e.asp

IV.2 Let's take the Phishing Quiz for the Holidays:

There are some things that should be repeated during the holidays, like the Phishing Quiz. This quiz will test your phishing knowledge.

Where you can take the quiz:
http://survey.mailfrontier.com/survey/quiztest.html

******************************

V. Phishing Web Sites Grew by 33 Percent in November:

According to a recent article published by InfoWorld, the number of phishing web sites associated with online identity theft scams grew by 33 percent in November.

Where you can read more on this story:
http://enterprisesecurity.symantec.com/content.cfm?articleid=5125&PID=182998&EID=815

******************************

VI. Do you want to be sure that you really are at the right web page? Is it a scam?

Here is a simple and easy way for anyone to check to see if the site they are visiting is actually a real site or a scam site.

Where you can read more on this story:
http://www.millersmiles.co.uk/identitytheft/spoof-link-checker.php

******************************

VII. Hacked Web Sites Used To Install Parasites

Security researchers are warning of a new method of installing unwanted parasitic software onto the computers of unsuspecting victims who use Microsoft Internet Explorer (MSIE). The two best ways to avoid having your computer compromised by this threat are to make certain you are completely up-to-date with all Microsoft patches (using the links above), and to consider using a browser other than Internet Explorer. Other options include Mozilla Firefox, Netscape and Opera.

This made the news back in June as seen in the following link:
http://edition.cnn.com/2004/TECH/internet/06/25/internet.attack/index.html

Those who are interested in the technical details may wish to read the more technical write-up here:
http://www.vitalsecurity.org/xpire-splitinfinity-serverhack_malwareinstall-condensed.pdf

==end==

Copyright 2004, The SANS Institute. Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is FOR PERSONAL USE, OR INTERNALLY WITHIN A COMMERCIAL ORGANIZATION, AND not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product.

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.
Web Site: http://www.bcpl.net
Who To Contact For What: http://www.bcpl.net/contacts/