Date: Tue, 31 May 2005 12:17:01 -0400 (EDT)
From: BCPLNET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: SANS "Ouch" Report June 1, 2005

-------------------------------------------
SANS INSTITUTE OUCH REPORT FOR June 1, 2005
-------------------------------------------

The "OUCH Report" is a monthly security alert e-newsletter published by the SANS Institute (www.sans.org) for redistribution to non-technical customers and staff. The latest issue of OUCH is below.

Many of the threats described are blocked by our Barracuda Spam and Virus Firewall, but not all. No firewall can ever be 100% effective, so we urge you to be alert for these and other potential threats against you and your computer.

****************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 2, No. 6. June 01, 2005
****************************************************************

Major threats this month:

New Threats Target IM Users

Users of Yahoo and AOL instant messaging are being warned this week of two new threats that spread via IM. One worm spreads via AIM, while a phishing scam travels by Yahoo Messenger.
Where you can read more on this story:
http://www.pcworld.com/resource/printable/article/0,aid,120994,00.asp

************************

Where to get the Latest Patches:

When you update your Windows computer, you must get the Windows updates and check for any Microsoft Office updates. It is important to note that not only are the critical patches required; you might have to update the others as well. Remember: Hackers already know how to utilize these holes within your programs to get into the computer.

See the link below for examples on how to patch your computer.
http://www.its.monash.edu.au/security/home/patching.html

************************

Patch Sites:

Windows Update:
http://windowsupdate.microsoft.com

Office Update:
http://office.microsoft.com/en-us/officeupdate/default.aspx

Several Patch Sites for various applications and Windows Updates:
http://www.softwarepatch.com

And two others that may be accessed only by people using .mil addresses:
https://patches.mont.disa.mil/index.jsp
https://ceds.ssg.gunter.af.mil/enosc/index.asp

************************

What To Avoid This Month

I. Email from people trying to get you to divulge private details. These are often trying to steal your identity (and your money)
  I.1 Citizens Bank- 'Citizens Bank Instant 5 USD reward survey'
  I.2 Marshall & Ilsley Bank- 'Security Update!'
  I.3 Paypal- 'Update Account.'
  I.4 eBay- 'Update Your Account'
  I.5 SouthTrust- 'Important Security Issue !!!'
  I.6 Paypal- 'Unauthorized Account Access'
  I.7 State Employees' Credit Union
  I.8 ANZ Bank - ANZ Verification Service
  I.9 Royal Bank Urgent Notice - Verify your account activity
  I.10 North Fork Bank - IMPORTANT NOTICE
  I.11 America First Credit Union - Membership Maintenance
  I.12 People's Bank - Official information for all People's Bank clients
  I.13 1st Mariner Bank - Online Banking

II. Virus/Hoax Alerts
  II.1 W32/Kelvir.worm.bh (virus)
  II.2 Joke-OpenCloseCD (practical joke)
  II.3 W32/Mytob-AK (virus)
  II.4 Troj/Gpcode-B (virus)

III. Phishing Information
  III.1 Phishing gets personal
  III.2 Phishing attacks take a new twist
  III.3 Phishers turn DNS (Domain Name Servers) against authorities

IV. Phony Microsoft Update eMail Infects Computers with Malware

V. FTC Targets Zombie Spammers

VI. MasterCard Closes Down More Than 1,400 Phishing Sites

VII. Arrests/Convictions
  VII.1 ID Theft Alleged at D.C. Blockbuster
  VII.2 eBay hacker jailed
  VII.3 Man Sentenced to 21 Months for Infecting DOD Computers
  VII.4 Teen Pleads Guilty to DoS Attacks

******************************

More Details About Things To Avoid

I. Email from people trying to steal your identity (and your money)

I.1 Citizens Bank Instant 5 USD reward survey
  The Bait: Bank is conducting a survey and will give you $5 for participating
  The Goal: Steal your ATM card number, PIN and expiration date
  Where you can see how it actually appears:
  http://www.antiphishing.org/phishing_archive/04-25-05_Citizens/04-25-05_Citizens.html

I.2 Marshall & Ilsley Bank- 'Security Update!'
  The Bait: Warning of unauthorized account access and access to certain information has been disabled
  The Goal: Steal your ATM card information, SSN, name and e-mail address
  Where you can see how it actually appears:
  http://www.antiphishing.org/phishing_archive/04-27-05_M&I/04-27-05_M&I.html

I.3 Paypal- 'Update Account.'
  The Bait: Warning of outdated billing information and failure to update it will result in account termination
  The Goal: Steal your credit card and other personal information
  Where you can see how it actually appears:
  http://www.antiphishing.org/phishing_archive/04-29-05_Paypal/04-29-05_Paypal.html

I.4 eBay- 'Update Your Account'
  The Bait: During regular account maintenance they were unable to verify your account information. Failure to respond will result in termination of the account
  The Goal: Steal your eBay login information
  Where you can see how it actually appears:
  http://www.antiphishing.org/phishing_archive/05-03-05_Ebay/05-03-05_Ebay.html

I.5 SouthTrust- 'Important Security Issue !!!'
  The Bait: Warning of unauthorized account access and access to certain information has been disabled
  The Goal: Steal your login and ATM card information
  Where you can see how it actually appears:
  http://www.antiphishing.org/phishing_archive/05-09-05_Southtrust/05-09-05_Southtrust.html

I.6 Paypal- 'Unauthorized Account Access'
  The Bait: Warning of unusual login attempts from a foreign address
  The Goal: Steal your login, credit card, banking and personal information.
  Where you can see how it actually appears:
  http://www.antiphishing.org/phishing_archive/05-10-05_Paypal/05-10-05_Paypal.html

I.7 State Employees' Credit Union
  The Bait: Warning of outdated account information and failure to update it will result in account suspension
  The Goal: Steal your banking information
  Where you can see how it actually appears:
  http://www.trendmicro.com/en/security/phishing/overview/phish050512a.htm

I.8 ANZ Bank - ANZ Verification Service
  The Bait: Random selection for banking verification of account and failure to respond will result in account termination
  The Goal: Steal your login information
  Where you can see how it actually appears:
  http://www.trendmicro.com/en/security/phishing/overview/phish050512d.htm

I.9 Royal Bank Urgent Notice - Verify your account activity
  The Bait: Warning of unauthorized account access and failure to respond will result in account suspension
  The Goal: Steal your login information
  Where you can see how it actually appears:
  http://www.trendmicro.com/en/security/phishing/overview/phish050515a.htm

I.10 North Fork Bank - IMPORTANT NOTICE
  The Bait: Warning of unauthorized account access and failure to respond will result in account suspension
  The Goal: Steal your login, personal and ATM card information
  Where you can see how it actually appears:
  http://www.trendmicro.com/en/security/phishing/overview/phish050516a.htm

I.11 America First Credit Union - Membership Maintenance
  The Bait: Verify your account information and failure to respond will result in account suspension
  The Goal: Steal your login, personal and ATM card information
  Where you can see how it actually appears:
  http://www.trendmicro.com/en/security/phishing/overview/phish050516b.htm

I.12 People's Bank - Official information for all People's Bank clients
  The Bait: Site has been upgraded and to ensure that your browser will work you need to login and verify information
  The Goal: Steal your login, credit card, and personal information
  Where you can see how it actually appears:
  http://www.trendmicro.com/en/security/phishing/overview/phish050518a.htm

I.13 1st Mariner Bank - Online Banking
  The Bait: Upgraded security for bank and user should update your personal records
  The Goal: Steal your login and debit card information
  Where you can see how it actually appears:
  http://www.trendmicro.com/en/security/phishing/overview/phish050520a.htm

******************************

II. Virus/Hoax Alerts

II.1 W32/Kelvir.worm.bh (virus)
  The Bait: Encourages people to visit a particular web site
  Where you can read more on this:
  http://vil.nai.com/vil/content/v_133908.htm

II.2 Joke-OpenCloseCD (practical joke)
  What it tries to make you do: Open the email enclosure "CD.EXE"
  Where you can read more on this:
  http://vil.nai.com/vil/content/v_133682.htm

II.3 W32/Mytob-AK (virus)
  What it tries to make you do: Open email with attachment about your bank documents
  Where you can read more on this:
  http://www.sophos.com/virusinfo/analyses/w32mytobak.html

II.4 Troj/Gpcode-B (virus)
  The Bait: Email with attachment about your bank documents
  Where you can read more on this:
  http://www.sophos.com/virusinfo/analyses/trojgpcodeb.html

******************************

III. Phishing Information:

III.1 A new form of phishing attack now uses stolen information to lure you into divulging additional sensitive information.
  Where you can read more on this story:
  http://news.zdnet.com/2100-1009_22-5706305.html

III.2 Several researchers at a security software company detected a rise in schemes involving malicious programs known as keyloggers.
  Where you can read more on this story:
  http://news.com.com/2102-1029_3-5695874.html?tag=st.util.print

III.3 Phishing scammers are targeting DNS servers, security experts have warned. This now makes it significantly harder to shut down phishing sites.
  Where you can read more on this story:
  http://www.techworld.com/applications/news/index.cfm?NewsID=3609

******************************

IV. Phony Microsoft Update eMail Infects Computers with Malware

Another phony Microsoft security update is circulating, timed to coincide with the company's monthly security release for May.
Where you can read more on this story:
http://www.techweb.com/wire/security/163105391

******************************

V. FTC Targets Zombie Spammers

The Federal Trade Commission (FTC) has launched a new anti-spam campaign to target hijacked or "zombie" computers.
Where you can read more on this story:
http://www.internetnews.com/security/article.php/3507396

******************************

VI. MasterCard Closes Down More Than 1,400 Phishing Sites

MasterCard's Operation Stop IT project has resulted in the shuttering of many sites that had been used for phishing and spoofing.
Where you can read more on this story:
http://asia.cnet.com/news/security/0,39037064,39230987,00.htm

******************************

VII. Arrests and Convictions

VII.1 An employee of a Blockbuster video store has been indicted on charges of stealing customer identities, then using them to purchase more than $117,000 in trips, electronics and other goods, including a Mercedes-Benz.
  Where you can read more on this story:
  http://www.endidtheft.com/bnews/news_42605.htm

VII.2 According to officials, a former Los Alamos National Laboratory computer specialist was sentenced to eight months in prison on Monday for hacking into and damaging the computers of several hi-tech companies.
  Where you can read more on this story:
  http://www.crime-research.org/news/27.04.2005/1186/

VII.3 Raymond Paul Steigerwalt has been sentenced to 21 months in prison and ordered to pay US$12,000 in restitution for his role in the release of a computer worm that affected US Department of Defense computers.
  Where you can read more on this story:
  http://www.theregister.co.uk/2005/05/11/tk_worm_kiddo_jailed/

VII.4 Teen Pleads Guilty to DoS Attacks between July and December 2004 that targeted an online clothing store and other e-commerce businesses
  Where you can read more on this story:
  http://www.phillyburbs.com/pb-dyn/news/112-05142005-489320.html

==end==

Copyright 2005, The SANS Institute. Editor: David Moore.
Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product.

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.
Web Site: http://www.bcpl.net
Who To Contact For What: http://www.bcpl.net/contacts/