Phishing moves into more new areas

Posted by Virus Bulletin on May 9, 2007

Surveys, phone lines, USB sticks and call girls the latest tactics for spammers and phishers.

The latest social-engineering methods being put to use by phishers show no let-up in the evolution of online scams, with several new twists on old ideas being sent via mass mail in the hopes of hooking yet more gullible victims.

Banks and financial institutions are among the biggest targets for phishing, with online banking login details becoming as useful as credit card details. has released details of a new scam targeting Bank of America customers, which attempts to persuade recipients of the messages to redirect their phones to a suspect number in an attempt to bypass customer identification processes. As usual, the spam appears to originate from the bank, using spoofed header information, and claims that a brief redirection is required to 'confirm contact details'. Information on the scam, with screenshots, is here.

Another scam, targeting a credit union this time, poses as a survey of customer opinion, offering a reward for those who take the survey. Of course, to obtain the $25 account credit offered, full details of an account are required, including full card data and PIN numbers. The survey site has since been taken down, and the affected credit union, Keypoint, has issued an alert on its website, reminding customers that such detailed information is never demanded in online communications and offering a contact number for anyone who suspects they may have been phished.

Sophos has released details of a spam campaign promising easy access to prostitutes, using an embedded image in an attempt to bypass spam detection. The highly explicit graphic includes the address of a site offering a search system for prostitutes by locale but, as usual with image spam, requires the recipient to copy the URL into a browser by hand. The spam and associated site are thought to be offensive rather than malicious, with no malcode found on the site. More info on the campaign is here.

Sophos has also recently discussed a worm targeting USB sticks. The worm, an update of an old proof-of-concept aimed at infecting floppy disks, installs itself to the root of removable memory devices along with an autorun file designed to activate the infection whenever the stick is inserted into a new machine. The attack reminds security admins of the dangers of USB devices, which according to some reports have been left in car parks outside banks and large companies in the hopes that an employee may unwittingly infect their corporate network and allow the malware creators remote access.

Symantec, meanwhile, has alerted on the latest in a string of attacks posing as means of obtaining full versions of Windows. While many spammed trojan campaigns in the past have masqueraded as illicit download copies of Windows Vista, the latest is disguised as a request for full activation direct from Microsoft, and requires credit card details to complete the activation process. Details of the 'Kardphisher' trojan are here.

'These latest examples of the ingenuity of phishers are part of an ever-evolving landscape of threats,' said John Hawes, Technical Consultant at Virus Bulletin. 'The increase in the use of social engineering can be taken as a sign that security software is proving ever more effective at blocking attacks, and that criminals are having to focus their attentions on the weakest link, the user. Hopefully as general awareness of the dangers out there improves, fewer people will fall for these scams and the vast profits being made from them will start to dwindle.'

Several papers on user education will feature at the Virus Bulletin conference, being held in Vienna from 19-21 September. Andrew Lee of ESET and researcher David Harley will present 'Phish phodder: is user education helping or hindering?', while Jeannette Jarvis of Microsoft will discuss 'Transforming victims into cyber-border guards: education as a defence strategy'. Details of how to register for the conference are here. A discounted rate is available for subscribers to VB, who also have access to the full content of the site - subscription information is here.
