Date: Tue, 3 May 2005 14:47:50 -0400 (EDT)
From: BCPLNET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: SANS "OUCH" Report May 2, 2005

--------------------------------------------
SANS INSTITUTE OUCH REPORT FOR MAY 2, 2005
--------------------------------------------

The "OUCH Report" is a monthly security alert e-newsletter published by the SANS Institute (www.sans.org) for redistribution to non-technical customers and staff. The latest issue of OUCH is below.

Many of the threats described are blocked by our Barracuda Spam and Virus Firewall, but not all. No firewall can ever be 100% effective so we urge you to be alert for these and other potential threats against you and your computer.

****************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 2, No. 5 May 02, 2005
****************************************************************

Major threat this month: Three New Exploits Out for New Microsoft Security Holes.

Three new Microsoft patches were released. In less than 24 hours of the release, security researchers published instructions that showed would-be attackers just how to exploit at least two of the flaws to break into vulnerable PCs!

Where you can read more on this story:
http://blogs.washingtonpost.com/securityfix/2005/04/three_exploits_.html

Additional threat this month: Eight New Security Updates for Windows

Microsoft Corp. released eight software security updates for computers running its Windows operating system. The eight patches mend at least 18 different security holes in a variety of Microsoft products.

Where you can read more on this story:
http://blogs.washingtonpost.com/securityfix/2005/04/the_fix_is_in_e.html

************************

Alert: When you update your Windows computer, you usually must get both the Windows updates and Microsoft Office updates.
It is important to note that not only are the critical patches for your browser required, you might have to update the others as well. They are available at different sites, which are:

Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/en-us/officeupdate/default.aspx

Additional patches for people in the military. You must be at a .mil site yourself to access them:

https://patches.mont.disa.mil/index.jsp (.mil address only)
https://ceds.ssg.gunter.af.mil/enosc/index.asp (.mil address only)

************************

What To Avoid This Month

I. Email from people trying to get you to divulge private details. These are often trying to steal your identity (and your money)
  I.1 Wells Fargo Bank - Posibile (sic) Debit Card Theft
  I.2 Western Union - Final Notice - Avoid service cancellation
  I.3 Associated Bank - Online Banking Support Message
  I.4 Complex Community Federal Credit Union - Account Update
  I.5 Bank of America - Online Banking Alert (Change of Email Address)
  I.6 Ameritrade - Ameritrade Online Application

II. Virus/Hoax Alerts
  II.1 Troj/DSNX-05 (virus)
  II.2 Fontal-A (virus) (Cell phones)
  II.3 Sober-N (virus)
  II.4 Troj/CashGrab-A (virus)

III. Important Information
  III.1 Apple Issues 8 Security Updates for Mac OS X, Safari
  III.2 New Opera Browser Adds Security Features
  III.3 Warning about Pharming Attacks and DNS Servers
  III.4 Critical Firefox flaws targeted by exploit code
  III.5 No patch for critical Windows flaw

IV. Phishers target Yahoo Messenger

V. Va. Lawmakers Aim to Hook Cyberscammers

VI. Microsoft Seeks to Identify Phishing Scam Authors

VII. Arrests, Convictions, Sentences
  VII.1 Estonian Police Arrest Alleged Internet Bank Thief
  VII.2 Blaster Author Will Do Community Service
  VII.3 Spammer sentenced to nine years in prison

******************************

More Details About Things To Avoid

I. Email from people trying to steal your identity (and your money)

I.1 Wells Fargo Bank - Posibile (sic) Debit Card Theft
The Bait: Update your debit information.
What it tries to make you do: Click on the link within the email.
Where you can see how it actually appears:
http://www.trendmicro.com/en/security/phishing/overview/phish050403a.htm

I.2 Western Union - Final Notice - Avoid service cancellation
The Bait: Wanting you to confirm your account information.
What it tries to make you do: Click on the suspect link.
Where you can see how it actually appears:
http://www.trendmicro.com/en/security/phishing/overview/phish050404b.htm

I.3 Associated Bank - Online Banking Support Message
The Bait: Try and get you to reactivate your account.
What it tries to make you do: Click on the link within the email.
Where you can see how it actually appears:
http://www.trendmicro.com/en/security/phishing/overview/phish050407a.htm

I.4 Complex Community Federal Credit Union - Account Update
The Bait: Update your billing information.
What it tries to make you do: Click on the provided link within the email.
Where you can see how it actually appears:
http://www.trendmicro.com/en/security/phishing/overview/phish050413a.htm

I.5 Bank of America - Online Banking Alert (Change of Email Address)
The Bait: Warning you that your primary email address changed.
What it tries to make you do: Click on the link within the email.
Where you can see how it actually appears:
http://www.trendmicro.com/en/security/phishing/overview/phish050421b.htm

I.6 Ameritrade - Ameritrade Online Application
The Bait: New account funding for Ameritrade.
What it tries to make you do: Click on the URL link.
Where you can see how it actually appears:
http://www.trendmicro.com/en/security/phishing/overview/phish050422a.htm

******************************

II. Virus/Hoax Alerts: A number of email scams have been distributed.

II.1 Troj/DSNX-05 (virus)
The Bait: Emails being sent claim to come from "Windows Update".
Method of Infection: User clicks on link in email leading to infected website.
Where you can read more on this:
http://www.sophos.com/virusinfo/articles/fakemsupdate.html

II.2 Fontal-A (virus) (Cell phones)
Method of Infection: When the Fontal.A SIS file is installed on a cell phone.
Where you can read more on this:
http://www.f-secure.com/v-descs/fontal_a.shtml

II.3 Sober-N (virus)
The Bait: Email claims sender has several misaddressed emails originating from the recipient.
Method of Infection: An infected ZIP attachment to messages written in either German or English.
Where you can read more on this:
http://www.theregister.co.uk/2005/04/19/sober_worm_panic/
http://www.f-secure.com/v-descs/sober_n.shtml

II.4 Troj/CashGrab-A (virus)
Method of Infection: Troj/CashGrab-A is a password-stealing Trojan aimed at customers of banking websites.
Where you can read more on this:
http://www.sophos.com/virusinfo/analyses/trojcashgraba.html

******************************

III. Important Information:

III.1 Apple has released 8 new security patches for its Mac OS X operating system, including one for Safari, Apple's Web browser.
Where you can read more on this story:
http://blogs.washingtonpost.com/securityfix/2005/04/apple_issues_8_.html

III.2 Makers of the Opera Web browser have released a new version of their software that has several new security features, including improvements designed to thwart phishing scams.
Where you can read more on this story:
http://blogs.washingtonpost.com/securityfix/2005/04/new_opera_brows.html

III.3 A new round of so-called "pharming" attacks is targeting the .com Internet domain, redirecting some Internet users who are looking for .com Web sites to Web pages controlled by the unknown attackers.
Where you can read more on this story:
http://enterprisesecurity.symantec.com/content.cfm?articleid=5520

III.4 A wake-up call for those who ditched Internet Explorer for Firefox
Where you can read more on this story:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1080895,00.html?track=NL-358&ad=511998

III.5 Microsoft failed to provide a patch for a critical vulnerability in its Windows Explorer that could allow command execution. Microsoft was notified of the flaw on Jan. 18.
Where you can read more on this story:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1081511,00.html?track=NL-358&ad=511998

******************************

IV. Phishers target Yahoo Messenger

According to experts, Yahoo's free instant-messaging service is being targeted by phishers attempting to steal usernames, passwords and other personal information.
Where you can read more on this story:
http://news.com.com/2102-7349_3-5634007.html?tag=st.util.print

******************************

V. Va. Lawmakers Aim to Hook Cyberscammers

Starting July 1, Those Who 'Phish' for Personal Data Online Can Be Prosecuted in Virginia.
Where you can read more on this story:
http://www.washingtonpost.com/wp-dyn/articles/A40578-2005Apr9.html

******************************

VI. Microsoft Seeks to Identify Phishing Scam Authors

Microsoft Corp. has heightened efforts to crack down on Internet fraud, announcing that it filed more than a hundred lawsuits aimed at identifying people the company says targeted its e-mail and Internet service customers through "phishing" scams.
Where you can read more on this story:
http://www.washingtonpost.com/wp-dyn/articles/A16257-2005Mar31.html

******************************

VII. Arrests, Convictions, Sentences

VII.1 Estonian police have arrested a 24-year-old man suspected of stealing money from numerous bank accounts.
Where you can read more on this story:
http://www.securityfocus.com/printable/news/10808

VII.2 Microsoft has asked that Jeffrey Lee Parson, the man who created a Blaster variant, be required to serve 225 hours of community service in lieu of a $500,000 fine.
Where you can read more on this story:
http://www.computerworld.com/printthis/2005/0,4814,100760,00.html

VII.3 Jeremy Jaynes sentenced to nine years in prison under Virginia's anti-spam law for sending millions of e-mail messages to America Online customers.
Where you can read more on this story:
http://weblog.infoworld.com/techwatch/archives/001256.html

==end==

Copyright 2005, The SANS Institute. Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product.

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.
Web Site: http://www.bcpl.net
Who To Contact For What: http://www.bcpl.net/contacts/