Tuesday, July 19, 2011

Fake emails.

VirusHunter warns computer users about the malicious distribution of fake letters sent in the name of Privatbank, intended to phish confidential client data for the subsequent theft of funds ...


1. Fake emails.

On April 19, 2005, unknown attackers carried out a mass mailing of fake letters purportedly sent by the Privatbank customer support department. The mailing was sent from arbitrary (spoofed) sender addresses.
The letter was generated with specialised spam-sending software (exactly which one cannot be determined). Judging by the message source, the mass mailing took place on April 19 at about 04:40 am, through the server (or servers) at 195.190.99.162.
Fortunately, the message source contains an error, so instead of formatted text recipients see a "broken" message full of "garbage", which is the invalid HTML of the message body. The natural reaction is simply to delete the message without bothering to read the text it contains. This does not rule out the attackers correcting the error and then attempting to resend the message.
The letter has the following characteristic features:


The "sender" address shown is service@privatbank.com.ua.
In the original (with the error in the message source corrected), the text of the letter reads as follows:



2. The fake site.

If the letter reaches a trusting Privatbank client and the client follows the link in the message text, the browser is first forwarded to the URL http://www.anvoxhk.com/CAB-pages/1007-1.htm and from there to a page "imitating" Privat, located at http://animalswithus.net . That domain was registered through the registrar "http://www.melbourneit.com" on April 11, 2005. The fake page looks like this:











There is also an additional page (meant to convince the user that the site is genuine?):


An interesting fact: the attackers apparently used Privatbank's original interface page, but a copy made at the end of January 2005, as shown by the date of the exchange rates and the news items displayed on the page.
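As an added example (not part of the original VirusHunter write-up), the following Python script shows how the two indicators described in sections 1 and 2 can be checked mechanically on a saved copy of such a message: it pulls the first-hop relay IP out of the Received: headers and lists every link in the HTML body whose host lies outside the domain the From: address claims. The sample message is constructed for the demo; only the From: address, the relay IP and the first redirect URL are the ones named above, and all other hostnames, dates and header details are invented.

```python
"""Offline triage of a suspected phishing email: recover the relay IP from
the Received: headers and flag links whose host does not belong to the
domain the From: address claims."""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not the original letter). The From: address,
# relay IP and first link are the indicators from the write-up; the other
# hosts, ids and dates are invented for the demo.
SAMPLE_EML = """Received: from mail.example.org (mail.example.org [203.0.113.5])
    by mx.example.net with ESMTP id k3J1eRx4; Tue, 19 Apr 2005 04:45:10 +0300
Received: from unknown (HELO relay) ([195.190.99.162])
    by mail.example.org with SMTP; Tue, 19 Apr 2005 04:40:02 +0300
From: "PrivatBank support" <service@privatbank.com.ua>
To: client@example.net
Subject: Please confirm your account
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://www.anvoxhk.com/CAB-pages/1007-1.htm">verify your account</a>.</p>
<p>Or visit <a href="https://privatbank.com.ua/">our site</a>.</p>
</body></html>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags. HTMLParser does not abort on the
    kind of broken markup the write-up describes, so links are still found."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def first_hop_ip(msg):
    """IP of the host that first handed the message in.

    Each relay prepends its own Received: line, so the last one is the
    earliest hop. Only the lines added by servers you trust are reliable;
    an attacker can forge any line below those, so treat this as a lead."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    earliest = " ".join(received[-1].split())  # unfold continuation lines
    found = IPV4.findall(earliest)
    return found[0] if found else None


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (not a look-alike)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Return the claimed sender domain, the first-hop IP and the links
    that leave the sender's domain."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    body = msg.get_payload(decode=True) or b""
    collector = _LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))

    foreign = []
    for link in collector.links:
        host = urlsplit(link).hostname
        if host and not in_domain(host, from_domain):
            foreign.append(link)

    return {
        "from_domain": from_domain,
        "first_hop_ip": first_hop_ip(msg),
        "foreign_links": foreign,
        # A "bank" mail whose links lead off the bank's domain is the tell.
        "suspicious": bool(foreign),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

On the sample the script reports the relay 195.190.99.162 and flags the anvoxhk.com link while accepting the privatbank.com.ua one. The domain check deliberately compares the registrable domain, so a look-alike such as privatbank.com.ua.evil.example is still flagged; the Received: chain, by contrast, is only trustworthy down to the first line written by a server you control.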


3. Stealing confidential customer data.

When a Privatbank client enters their confidential data (username and password) in the appropriate fields of the page for checking account balances (incidentally, any data can be entered here and it will still be accepted, which is further proof that the site is fraudulent), a page located at http://animalswithus.net/proceed.php is called, containing a "banking" form for entering sensitive customer data:






All data entered in the fields of this form becomes the property of the criminals once the user presses the "Enable" button. The request is then redirected to http://animalswithus.net/success.php , but the screen shows a false "user authentication error" message:






Thus the attackers gain complete access to the victim's bank account.


Description author: Broido Herman (aka VirusHunter)
Date created: 21.04.2005
Date of last change: 21.04.2005
Credits: Avramenko, Alex (aka Swat2) for information support in preparing the description
Author: Broido Herman (aka VirusHunter)
