Download.Ject Detection and Recovery -- New Phishing Attack Technique
Download.Ject Detection and Recovery
Microsoft has published guidance on detecting and recovering from the Download.Ject (Berbew/Scob) compromises that have been circulating over the past week. The page with the details is
http://support.microsoft.com/?kbid=871277 .
Updated 6/27: If you are absolutely positive that your IIS server was patched and was still hit by the Download.Ject attacks of the past several days, please let the Internet Storm Center know or contact Microsoft Product Support Services at 1-866-PCSafety. Microsoft has reported (on the patchmanagement mailing list) that every infected computer examined so far was either unpatched or had not been rebooted after patching before the outbreak. If a server that was fully patched and rebooted was nonetheless infected, Microsoft needs to hear about it, since that could mean the patch itself needs fixing.
New Phishing Attack Technique
Recently, many users on my campus have received a new style of phishing email. The message purports to come from a major national bank group and tries to hook the recipient into "confirming" their account data with the bank. A couple of things make this attack different.
First, the entire body of the message is a single image file. That by itself is not unusual: spammers have used the trick for some time to evade content filters on mail servers, which are left with no text to analyse. It also suits phishing, since an image keeps the look and feel of the message consistent whatever graphical mail client the recipient uses, and that consistency is necessary to maintain the illusion that the email is genuine.
The new wrinkle is the use of HTML image-map code. In a client that supports image maps, clicking on the part of the image near the printed URL takes the user to an obfuscated URL of the attacker's choosing, where they are eventually asked for all of their private information as usual. In a client that does not support image maps, the user is taken instead to a genuine login page on one of the bank's many servers. Once the user is on the attacker's site there appears to be some low-level browser detection: the site will either bounce the user to the real bank website or play games with the browser to maintain the illusion that they are on the genuine site.
The image-map technique appears to be a new trick, and combined with the other techniques it makes it extremely hard for end users to tell real email from their bank apart from the attacker's. Continue to recommend that users not click on URLs in email from banks or other "secure" sites, but instead type the company's main URL into the browser directly, or contact the company through its regular customer service phone number.
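The image-map trick described above, as an added scanner that is not part of the original diary: it parses an HTML mail body with Python's standard html.parser, records the link wrapping each <img usemap>, the <area href> targets of the referenced <map> and the amount of visible text, and then flags an image-only body, a hotspot that leaves the bank's domain, a hotspot whose host differs from the image's own link, and a brand domain hidden (possibly percent-encoded) in the URL path. The two sample messages, the bank domain examplebank.example and the 203.0.113.5 address are constructed placeholders; that the image is wrapped in an <a href> pointing at the real bank, as the fallback for clients without image-map support, is an assumption about how the message was built.

```python
"""Heuristic scanner for the image-map phishing trick: an HTML mail whose
body is a single image, wrapped in a link to the real bank, with a <map>
hotspot over the printed URL that sends clicks to a different host.
Added example; not code from the ISC diary."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed samples modelled on the message described in the diary.
# examplebank.example and 203.0.113.5 are documentation placeholders.
PHISH_HTML = """
<html><body>
<a href="https://www.examplebank.example/login">
  <img src="cid:notice.gif" usemap="#m1" alt="">
</a>
<map name="m1">
  <area shape="rect" coords="40,300,420,330"
        href="http://203.0.113.5/%77ww.examplebank.example/confirm">
</map>
</body></html>
"""

BENIGN_HTML = """
<html><body>
<p>Your statement for this month is ready. Sign in to view it.</p>
<a href="https://www.examplebank.example/login">
  <img src="cid:logo.gif" usemap="#nav" alt="Bank logo">
</a>
<map name="nav">
  <area shape="rect" coords="0,0,100,40" href="https://www.examplebank.example/statements">
</map>
</body></html>
"""


class ImageMapScanner(HTMLParser):
    """Collects <img usemap> elements, the <a href> enclosing each of them,
    every <area href> per <map name>, and the amount of visible text."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = []   # (usemap name, enclosing <a href> or None)
        self.maps = {}     # map name -> list of <area href>
        self._anchors = []  # stack of open <a href> values
        self._map = None    # name of the <map> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchors.append(a.get("href"))
        elif tag == "img":
            usemap = (a.get("usemap") or "").lstrip("#").lower() or None
            self.images.append((usemap, self._anchors[-1] if self._anchors else None))
        elif tag == "map":
            self._map = (a.get("name") or "").lower()
            self.maps.setdefault(self._map, [])
        elif tag == "area" and self._map is not None and a.get("href"):
            self.maps[self._map].append(a["href"])

    def handle_endtag(self, tag):
        if tag == "a" and self._anchors:
            self._anchors.pop()
        elif tag == "map":
            self._map = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def under(host, domain):
    return host == domain or host.endswith("." + domain)


def scan_email(html, brand_domain):
    """Return a list of (code, detail) findings; an empty list means nothing odd."""
    brand_domain = brand_domain.lower()
    p = ImageMapScanner()
    p.feed(html)
    p.close()
    findings = []
    # Whole message rendered as a picture: nothing for a text filter to read.
    if p.images and p.text_chars < 20:
        findings.append(("IMAGE_ONLY_BODY", "fewer than 20 characters of visible text"))
    for usemap, fallback in p.images:
        if not usemap:
            continue
        fallback_host = host_of(fallback) if fallback else ""
        for href in p.maps.get(usemap, []):
            h = host_of(href)
            if not h:
                continue  # fragment or relative link: nothing to compare
            if not under(h, brand_domain):
                findings.append(("OFF_DOMAIN_HOTSPOT", f"hotspot goes to {h}"))
            if fallback_host and h != fallback_host:
                findings.append(("HOTSPOT_FALLBACK_MISMATCH",
                                 f"hotspot {h} vs wrapping link {fallback_host}"))
            # Brand name hidden in the path (often percent-encoded) so the URL
            # looks right at a glance while the real host is elsewhere.
            if brand_domain in unquote(urlparse(href).path).lower():
                findings.append(("BRAND_IN_PATH", f"{brand_domain} appears in the path of {h}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_email(doc, "examplebank.example"))
```

The hotspot-versus-wrapping-link comparison is the check specific to this trick: a legitimate mailing keeps both on the bank's own hosts, whereas the message described here needs them to differ so that clients without image-map support still land somewhere real. Run against a real mailbox the brand domain would come from the purported sender's domain rather than a constant.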
---
Scott Fendley
ISC Handler on Duty