Resources > Blog > Phishing Scam Installs Keylogger Via Web Page
Rich Miller

Phishing Scam Installs Keylogger Via Web Page

Hello...
It has come to my attention that you are being under the police investigation.
Is that true? Have you really commited such crimes?
Please read the following article located at:
http://federalpolice.com:article872@1075686747
or at:
http://0100.035.0255.0133
Sincerely,
Your old friend

The URLs are obscured, and actually point to http://64.29.173.91, an IP address at the Atlanta ISP Abraxis.net. Concerned e-mail recipients who follow the link encounter the message “SERVER ERROR 550” – which is actually not a server error at all, but an HTML document containing unseen background code that attempts to download a Trojan written in Java.

If successful, the trojan installs a keylogger program, which monitors the victim’s system for a browser window bearing the title of any of a lengthy list of financial institution names, including:

 Westpac Commonwealth NetBank Citibank Bank of America PayPal Bank West CIBC Scotia Bank Bank of Montreal Royal Bank TD Waterhouse Wells Fargo Bank One SunTrust Discover Card Washington Mutual Wachovia desjardins Chase

When a window is opened that matches one of these titles, the trojan starts recording key strokes, stores them to a text file, and uses a built-in email system to send the contents to pentasatan@mail.ru. Port scans of the server being used suggest a compromised Windows box remotely controlled using the Netbus trojan, which appears to connect to an FTP server referring to “Megacrew.”

This campaign’s combination of social engineering, URL spoofing, a fake web page and auto-downloading trojan illustrates the growing sophistication of phishing attacks. Much like viruses and worms, phishers are now constructing “blended threats” that layer one deception upon another in an effort to trick Internet users into revealing bank account information.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.