Date: Mon, 6 Mar 2006 09:07:48 -0500 (EST)
From: BCPLNET SysAdmin
To: BCPL.NET News
Subject: [BCPL.NET NEWS] SANS "Ouch" Report March 2006

------------------------------------------
SANS INSTITUTE OUCH REPORT FOR MARCH, 2006
------------------------------------------

The "OUCH Report" is a monthly security alert e-newsletter published by the SANS Institute (www.sans.org) for redistribution to non-technical customers and staff. After several months of providing the report in a format not suitable for e-mail redistribution, SANS is again providing it in plain text. The latest issue of OUCH is below. We hope you find it informative.

Many of the threats described below are blocked by our Barracuda Spam and Virus Firewall. However, no firewall can ever be 100% effective, so we urge you to be alert for these and other potential threats against you and your computer.

***********************************************************************
OUCH!
SANS Institute Security Newsletter for Computer Users
Volume 3, Number 3                                           March 2006
***********************************************************************

In This Issue

  - What to Watch Out for This Month
  - Microsoft February Security Updates
  - Security Newsbites
  - Arrests and Convictions
  - Late-Breaking News

***********************************************************************

What to Watch Out for This Month

There were 138 reported Phishing alerts this month, of which 31 involved banks and credit unions. Don't take the bait! Before you respond to any e-mail request for personal information, call the bank, credit union or other institution.

Listed below are banks and credit unions whose account holders were the object of Phishing scams last month. Information for this report was gathered from various sites, including http://www.millersmiles.co.uk/archives/current and http://www.antiphishing.org.
  Abbey
  American Airlines
  Bank of America
  Bank One
  Barclays Bank
  Bellsouth
  Capital One Bank
  Carolina First Bank
  Central Bank*
  Chase Bank
  CitiBank
  Credit Union*
  Credit Union of Texas
  Downey Savings
  First USA Bank
  Flagstar Bank
  Halifax
  HSBC Bank
  JPMorgan Chase & Co
  Lloyds TSB Bank
  NCUA
  North Fork Bank
  Ohio Edu. Credit Union
  Ohio Savings Bank
  Second Bank & Trust
  Suncorp
  TD Canada Trust
  Wells Fargo

*Here is an example of a generic credit union phishing e-mail, which usually reads something like this:

    To: undisclosed-recipients
    Subject: Notification from Credit Union
    Importance: High

    Credit Union is constantly working to ensure security by regularly
    screening the accounts in our system.

***********************************************************************

1. Phishing Scams

- Subject: Microsoft - New Microsoft Windows Updates HSBRSWDQKX
  Bait: Fake e-mail asking you to confirm/update/verify your account data by clicking on the embedded link so you can "receive activation code for your system"
  Sample: http://www.millersmiles.co.uk/report/2196

- Subject: Amazon - Urgent Fraud Prevention Group Notice
  Bait: Fake e-mail asking you to confirm/update/verify your account by clicking on the embedded link.
  Sample: http://www.millersmiles.co.uk/report/2173

- Subject: eBay - Unpaid eBay Item Reminder: #7591035721
  Bait: Fake e-mail asking you to confirm/update/verify your account information by clicking on the embedded link.
  Sample: http://www.millersmiles.co.uk/report/2149

- Subject: VISA - VISA Credit Card Temporary Suspended !!!
  Bait: Fake e-mail asking you to confirm/update/verify your account by clicking on the embedded link.
  Sample: http://www.millersmiles.co.uk/report/2148

2. Hoaxes and Scams

- MSN 18 Contacts Hoax - Another in a long line of bogus e-mail messages warning users to forward the e-mail to a minimum of 18 contacts or they will have to pay for their MSN and e-mail accounts.
  More information: http://www.hoax-slayer.com/msn-18-contacts.html

3. Virus Alerts

- Just when you thought Macintosh OS X was safe from computer viruses, along comes the first ever Macintosh OS X worm, called OSX/Leap-A. This worm spreads through Apple's iChat instant messaging system. The worm forwards itself as a file called "latestpics.tgz" to contacts on the user's Buddy List, and disguises itself by appearing with a JPEG graphic icon.
  More information: http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html

- OSX/Inqtana.A: This is a proof-of-concept worm that spreads by exploiting the Apple Macintosh OS X Bluetooth Directory Traversal Vulnerability. According to the anti-virus company Sophos, there is also a variant called "OSX/Inqtana.B."
  More information: http://www.symantec.com/avcenter/venc/data/osx.inqtana.a.html

- PWSteal.Metafisher: A Trojan horse that exploits the Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-001) to download remote files. The Trojan also sends bank account and personal information to remote servers.
  More information: http://www.symantec.com/avcenter/venc/data/pf/pwsteal.metafisher.html

- Mare-D: A worm that exploits vulnerabilities in XML-RPC for PHP and Mambo to infect and spread between machines running Linux. The worm is capable of installing an IRC-controlled backdoor on the systems it infects. While the worm has been given a low risk rating, it is noteworthy because it targets Linux systems.
  More information: http://www.theregister.co.uk/2006/02/20/linux_worm/print.html

***********************************************************************

Microsoft February Security Updates

As necessary, Microsoft provides new security updates on the second Tuesday of each month and sends a bulletin announcing the update. There were two "critical" updates released in February: MS06-004 and MS06-005. These patch vulnerabilities in Internet Explorer and Windows Media Player.
There were also five "important" updates released: MS06-006, MS06-007, MS06-008, MS06-009 and MS06-010. These patches address various vulnerabilities in Windows Media Player, TCP/IP, the Web Client Service, the Korean Input Method Editor, and PowerPoint 2000.
More information: http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx

***********************************************************************

Security Newsbites

New Hampshire Governor John Lynch said the security of the State's computer system has been breached. The attackers may have been seeking credit card account information belonging to New Hampshire residents. The security breach involved computer and in-person transactions at motor vehicle offices, state liquor stores, and other locations. People who have used credit cards for transactions with the State over the last six months are advised to scrutinize their statements for unauthorized transactions. The breach came to light when State technology experts found monitoring software installed on the system.
More information: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/15/AR2006021502764_pf.html

Sources are now indicating that the compromised debit cards reported earlier are related to two security breaches involving Wal-Mart and OfficeMax. Bank of America, Washington Mutual, and a credit union cancelled 200,000 customer debit cards. The FBI and the Secret Service are investigating. Neither store has commented on its connection to the data breach, although Wal-Mart did point to its December 2, 2005 announcement that customer credit card security had been breached at some Sam's Club gas pumps in late September and early October. The FBI also believes that the breach may be connected to an ongoing investigation in Sacramento, CA; that case involves the cancellation of about 1,500 debit cards by the Golden 1 Credit Union.
More information: http://news.com.com/2102-1029_3-6038405.html?tag=st.util.print

***********************************************************************

Arrests & Convictions

There were 55 suspected hackers arrested in a Brazilian Phishing scam. The gang was said to have stolen $4.6 million from approximately 200 online bank accounts by infecting Internet users' computers with spyware [Trojan horses] to steal confidential information about account numbers and passwords. The Trojan horses were sent to online banking customers via e-mail beginning in May 2005.
More information: http://www.sophos.co.uk/pressoffice/news/articles/2006/02/brphishgang.html

A California man, Christopher Maxwell, 20, was indicted on Federal charges of creating a robot-like network of hijacked computers that helped him and two others bring in $100,000 for installing unwanted ad software.
More information: http://www.computerworld.com/printthis/2006/0,4814,108643,00.html

===========================================================================

Late-Breaking News

"Mr. & Mrs. Smith" DVD Ships with Rootkit-like DRM. The German DVD release of "Mr. & Mrs. Smith" contains a DRM (digital rights management) protection scheme that uses rootkit-like cloaking technology.
More information: http://www.eweek.com/article2/0,1895,1926917,00.asp

"The Nyxem Email Virus: Analysis and Inferences" contains interesting facts and is worth reading.
More information: http://www.caida.org/analysis/security/blackworm/

No hearty ha-ha here. Another joke virus program is going around, called "Joke_Geschenk.A." This one is neither malicious nor funny. Upon execution, it displays a screen with the Coca-Cola graphic on it and some text. If the "Accept" button is clicked, the user's CD-ROM drive pops open.
More information: http://www.trendmicro.com.au/consumer/vinfo/jokes.php?vJoke=132

Copyright 2006, SANS Institute (www.sans.org).
Editorial Board: Dave Moore, Bill Wyman, Alan Reichert, Barbara Rietveld, Alan Paller

Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product.