Police warning over new key-logging 'Trojan' spam emails

Latest scam blends phishing, spam and hacking tools…

By Andy McCue, 13 August 2004 15:00

Police are warning internet users about 'Trojan' emails containing links to malicious websites that can steal sensitive information such as PINs and password log-ins from vulnerable PCs.

The UK's National Hi-Tech Crime Unit (NHTCU) said the spam emails contain details of a fictitious order for web hosting or computer goods and display the cost that will supposedly be charged to their credit card.

The email also contains a link to a website to view the order in more detail but if people click on the link, it takes them to a malicious website that allows hackers to steal data from their PC.

The user is presented with a site that appears to be under construction but an exploit for a security flaw in Microsoft's Internet Explorer browser allows the criminals to plant a key-logging Trojan on an unpatched PC. The hackers can then record the victim's log-ins, passwords and PINs for online banking accounts the next time they use them.

In addition, the Trojan compromises the machine, giving the attacker full remote access, which allows them to control the computer for other purposes.

Police have traced the malicious websites to North America and China and the NHTCU is working with the banking industry to shut them down.

Users are urged to download the latest Microsoft security patches for the well-publicised flaws in IE to protect themselves against the scam.

Detective Chief Superintendent Len Hynds, Head of the NHTCU, said in a statement: "The criminals behind these attacks are constantly evolving their techniques and changing tactics to target a wider range of victims. With this range of exploits being blended in one piece of code, it is not just about online banking. There is a second key-logger and a program that allows the machine to act as a mail proxy that could be used by spammers. It is the Swiss Army knife of the cyber-criminal."

Comments

There are 16 comments.

  1. Billy the Kid

    Where does it all end! Every second of the day there's a new and more threatening virus being created.

    It scares the hell out of me to think, as a PC owner connected to the internet, that I could inadvertently become another statistic.

    Is there no solution to this epidemic that has now become the norm in cyberspace?

    The whole internet thing has in reality some very serious flaws which MUST be addressed. Mr Bill Gates & Co will have to rewrite the script to gain complete confidence in the global community that they have now created.

    VICTIMS OF THEIR OWN SUCCESS

  2. anonymous

    Yes, exactly, the "whole Internet thing", is so flawed as to be rapidly becoming useless. Whatever operating system or browser is used it would not stop some of the phishing scams, etc. Perhaps it will now become such a 'turn-off' for users that people will stop using it in greater numbers.
    I know quite a few who have 'given up' & do not even use e-mail, let alone the very vulnerable 'Messenger' services from MSN, Yahoo, AOL, etc.

  3. Nick Lansley

    The Internet is unfolding and evolving the way it should just like a new country.

    We are in wild-west times at present when it was easier for criminals to conduct murderous crime with impunity. But wild west times evolved into a more stable and balanced society.

    Where will it all end for the Internet? Simple: with truly secure computers, uniform global laws and imprisoned criminals.

    These "wild west" times are scary but they will pass. Just make sure your computer is part of the solution rather than part of the problem.

  4. hcgrant

    Answer .. Don't use Internet Explorer or get the security patches or even use Linux!

  5. Jason Broomfield

    I get more than a little fed up with all these reports blaming IE and Windows for security flaws.

    Yes there are problems with Windows and IE, however Microsoft also work hard to resolve them when they are discovered.

    The simple fact is that computer users should be more aware of the risks of going on-line and take more responsibility for ensuring that their PC is protected. That means using up to date Anti-Virus software, installing and configuring a Firewall, using Spam filters and installing a Spyware application to regularly sweep for trojans, spyware and adware.

    What people also need to bear in mind is the Windows OS and Internet Explorer combination is used by the vast majority of the PC using population out there, which makes it an easy target for criminals, virus writers and malware authors. If Linux, Mozilla Firefox, Thunderbird, Netscape et al, had anywhere near the same level of market share they would no doubt be targeted in the same way that Windows and IE is now.

    The bottom line is this, there is no magic silver bullet that will get rid of and prevent these things from happening. The Cyber Criminal is getting smarter all the time and will always be figuring out ways to compromise our PCs.

    It's up to us as users to protect ourselves as best we can and that means becoming more savvy and aware of the risks involved and taking appropriate steps to protect ourselves and our PCs.

  6. anonymous

    Another week, another scam. Is anyone else bored with this?

    I don't know anyone or have heard of anyone that has fallen victim to a computer scam. I do know plenty of people who have been taken in by dodgy telephone offers, postal scams and cowboy builders. So how about getting this in perspective?

    It seems to me that if you don't take suitable precautions you can get ripped off - by conventional or electronic means.

    I sometimes wonder who these stories benefit - is it the computer press justifying having nothing better to print, or how about security vendors increasing sales by prophesying IT armageddon to boost sales?

    Spam, viruses and scams are a MAJOR headache - but they don't mean the end of the world.

    Just care, be vigilant and stay safe. It's not rocket science.

  7. Malcolm Ripley

    I'm getting fed up of excuses from the Microsoft community e.g. "users should be more aware etc etc". The computer is a programmable tool which Microsoft have not programmed correctly. There seems to be an ever increasing amount of flashier presentation, auto setups and sexy wizards than in actually getting the basics done correctly. Oh and if Microsoft has a "security flaw" whose fault is that? The users' or Microsoft's? By definition a "flaw" is the fault of the creator i.e. Microsoft so I think it's safe to blame them for inadequate testing! They could even employ some of those hackers as testers.

    Me? I don't have Microsoft at home (nor linux nor mac-os) but I do have virus free internet access and a spam free email.

    There is a magic silver bullet to preventing spam/viruses etc in emails which would require a simple minor change to people's email readers. Sorry can't divulge yet due to the progress of my patent. However, I can say it's unbelievably simple.

  8. Jason Broomfield

    I'm not making excuses for Microsoft, they have recognised that they have had a less than illustrious record in the past over the security of their Operating Systems and Applications.

    Windows XP Service Pack 2 and Service Pack 1 for Office 2003 go some way to fixing a large number of known flaws though.

    Just for the record as well I'm not Pro-Microsoft, I've installed and run Linux (from various distros) over the past 10 years. The problem is that Linux is used infrequently by Businesses for a number of reasons.

    Love it or loathe it Windows as an Operating System is easier for users to use and work with everyday. It's easier for IT Support teams and Administrators to work with and the applications just install and work with no re-compiling of source code or manual configuration required.

    This level of usability is what has got Microsoft where it is now and why Microsoft Windows and Microsoft software in general have such a large share of the market.

    Don't be fooled by this though, do you seriously think there would be less spam, virii and malware in existence now if Linux and Open Source Office applications were more prevalent? Of course not, the army of virus writers out there will always focus on the platform that has the largest reach for them, at the moment it happens to be Microsoft software, in ten years' time this may shift as buying patterns change.

    The one thing you can count on though is that criminals will always find a way to make an easy buck. Blaming Microsoft for all of the world's ills isn't the answer. Wising up to the possibilities and risks of being on-line and protecting yourself against them is.

    This fact holds true irrespective of whether you run Microsoft Windows, Linux or MacOS X etc.

  9. Ian Savell

    The characteristics that have made the Internet take off are that it is simple, useful and largely free. Can any complainers come up with any similar example of something that DOESN'T encourage criminal activity? Use it or abuse it but don't expect anyone to do much about it.

  10. blogger

    Oh yes, if you keep using a browser that is not updated in 2 years, you deserve viruses and trojans. Use Firefox! There are bugs of course but they get fixed in one day, bugs in IE get fixed in 4 weeks... do you note a difference?

  11. Ravilyn Sanders

    Well Jason Broomfield, Apache web server has 67% market share compared to 21% of MS IIS. Every PC shipped till Dec 2003 had Java installed on it by court order. There are no security holes in Apache or Java. How come? Microsoft is responsible for writing such bad code. You can't blame the thieves if you leave the home unlocked.

  12. raiph

    Jason, I find your posts misleading.

    You note that "If Linux, Mozilla Firefox, Thunderbird, Netscape et al, had anywhere near the same level of market share they would no doubt be targeted in the same way that Windows and IE is now."

    Well of course. But so what? That doesn't imply they would be anything like as insecure as the Microsoft equivalents. An example would be Apache; it has three times the marketshare that IIS has, so it is no doubt mercilessly targeted. But which has all the vulnerabilities and actual exploits? IIS, by a truly dramatic ratio.

    Yes you *are* making excuses for Microsoft. True, they have recognised that they have had a less than illustrious record in the past over the security of their Operating Systems and Applications. Indeed, I think they've totally gotten it; in their Trustworthy Computing initiative, Security by Design is a key pillar. Better yet, Bill Gates explicitly stated 2 years ago that .NET is the only thing that enables them to achieve Security by Design. But guess what? Internet Explorer was designed *before* .NET came along, and until June they had disbanded almost the entire IE team!

    So, yes, Windows XP Service Pack 2 and Service Pack 1 for Office 2003 go some way to fixing a large number of known flaws, but no, that is not remotely near enough. (Tony Chor's claim of IE now being the most secure browser because it stops all known critical exploits is as much pitifully laughable as it is breathtaking bravado.)

    Yes, a problem with Linux is that it is used infrequently by Businesses for a number of reasons. No, that has nothing to do with much of anything, but especially Firefox.

    "do you seriously think there would be less spam, virii and malware in existence now if Linux and Open Source Office applications were more prevalent?"

    Not necessarily, but probably. Note that it's not directly a function of "open source" ness. It's to do with the approach to the tradeoff between security, functionality, and up-front effort. But there has been a good correlation in the past between those systems that demonstrate good judgement related to that tradeoff and open source.

    "The one thing you can count on though is that criminals will always find a way to make an easy buck."

    Right. As noted in Netscape security documents from 10 years ago. And relatively absent from Microsoft thinking about security until just a few years ago.

    "Blaming Microsoft for all of the world's ills isn't the answer."

    No, but installing Firefox is a good start for most, and switching to Mac OSX, Linux, FreeBSD, or Solaris, may be even better for some.

  13. Allan

    Will banks indemnify customers against such account-emptying attacks by these criminals? It appears that they do currently provide some degree of protection for false credit card transactions. I shall TOTALLY lose faith in on-line banking unless financial institutions offer on-line transaction service guarantees. Anybody in any position of authority in a bank 'out there' care to answer this one?

  14. Allan

    "Inept for business; great superlibrary." Internet's epitaph.

  15. Vote of No Confidence

    'Wild Bill' Gates is THE problem. I really do admire Nick's faith in human nature, but as long as Wild Bill Gates releases software with security holes the size of double-decker buses, then we will NEVER have 'truly secure computers' and in several million years in the history of Mankind we still don't have 'uniform global laws' (not much agreement even in the UN or EU), and when the politically correct liberal judges let the crims go free and governments tout for votes with cheaper (read 'strangled') low-head-count police forces and let terrorists take up residence here with impunity, the Internet is doomed for good.

  16. Dave

    I was just reading this and it worries me a little, I've just bought an ex-shop display PC with XP on it, I was under the impression that this would be more secure than my old Win'95 one - is this not the case?
    Can I download all these 'patches' from the MS site and will they help?
    Has XP got an in-built firewall I can activate - hope somebody can help !!!
    I'm too scared to switch it on now !!!
