Security Watch

This virus laughs all the way to the bank

HTML_CITIFRAUD.A is a non-destructive HTML virus that exploits an Internet Explorer (IE) vulnerability enabling a malicious user to spoof a website to obtain Citibank ATM/Debit card and PIN numbers, of target users. To steal critical information it redirects affected users to a website that appears to be identical to the authentic Citibank website. It prompts target users to enter their ATM card number and PIN. It runs on systems supporting the Internet Explorer environment, and is currently spreading in the wild.

The malware is embedded in a spammed e-mail that poses as an urgent notification from Citibank. The e-mail sent by a remote malicious user to target recipients contains the following:

From: Citibank

To: <target recipient>

Subject: Important Fraud Alert from Citibank

Message Body:

Dear Citibank Account Holder,

On January 10th, 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities.

Due to extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct.

Citibank notifies all of it's customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by in at the link below.

<Click Here to Login>

By clicking the 'Click Here to Login' button, the user is connected to a malicious website which looks identical to the genuine Citibank website, and prompts the user to provide their access codes and other credentials.

HTML viruses use scripts embedded in HTML files to do damage. These embedded scripts automatically execute, the moment the HTML page is viewed from a script-enabled browser.

Citibank has sent out alerts to its customers, not to fall for an e-mail that urges them to log on to a website to verify that their accounts have not been tampered with. The e-mail is similar to one last August when an Internet scammer threatened to close Citibank checking accounts if customers failed to divulge personal information.

Other recent fake e-mails include one from ‘Citibank Security Department’ seeking account information to help the bank upgrade its computer servers, and another from "Accounts Management" seeking credit card information so that customers might "maintain the Citibank experience."

These are examples of "phishing"--the use of spam, or junk e-mail, to lure people to bogus websites that look like those of reputable companies, and deceive them into divulging personal data. The term is derived from the act of computer thieves "fishing" for private data.

Customers receiving suspicious e-mails should notify Citibank at (www.citibank.com), where a list of known fraudulent e-mails is posted.

The new e-mail, purporting to be from Citibank, said that on January 10, the bank blocked some accounts "connected with money laundering, credit card fraud, terrorism and check fraud activity." It said the bank sent account data to government authorities, and may have changed some accounts.

"Citibank notifies all its customers in cases of high fraud or criminal activity and asks you to check your account's balances," the e-mail said. It provides a link "if you suspect or have found any fraud activity on your account."

Trojan Horse poses as Windows XP update

A new Swen worm-like Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the e-mail message may find their machines loaded with a backdoor.

Dubbed Trojan.Xombe (as in zombie), it shares some characteristics of the Swen worm family; it poses as a message from Microsoft and alleges to carry a security update in its file attachment. However, unlike Swen, a worm which first appeared last September, Trojan.Xombe doesn't self-replicate.

The false message, which sports a spoofed sending address of windowsupdate@microsoft.com, uses the subject line 'Windows XP Service Pack 1 (Express)—Critical Update' to trick recipients into opening the attached file.

"Windows Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)," the message's text reads in part. "To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1." The message goes on to urge the user to run the winxp_sp1.exe file attachment to re-install SP1, and recommends that anti-virus software be disabled, as it "may interfere with the installation."

Trojan.Xombe downloads a backdoor IRC Trojan horse to the compromised machine. Once that's installed, attackers can access the PC undetected, add other code to the computer--such as key trackers for acquiring passwords—and use the machine to launch DoS attacks on other machines. Trojans are being integrated into almost every piece of malicious code.

Hackers today want to amass an army of compromised machines—typically called zombies—that they can use for other purposes.

The top ten hoaxes in december 2003

Position Hoax Percentage of reports 1 Hotmail hoax 21.7% 2 Meninas da Playboy 15.2% 3 A virtual card for you 5.9% 4 Bonsai kitten 5.3% 5 Press 9 5.2% 6 Budweiser frogs screensaver 4.9% 7 JDBGMGR 4.0% 8 Elf Bowling 3.4% 9 Bill Gates fortune 3.2% 10 Frog in a blender/Fish in a bowl 3.0% 11 Others 28.2% Source: Sophos

Top 10 Most Prevalent Global Malware

(From January 9, 2004 to January 15, 2004) 1. WORM_LOVGATE.G 2. PE_VALLA.A 3. PE_FUNLOVE.4099 4. PE_ELKERN.D 5. PE_SPACES.1445 6. TROJ_MAGICON.A 7. WORM_MOFEI.B 8. PE_NIMDA.A-O 9. WORM_SIRCAM.A 10. PE_PARITE.A Source: Trend Micro