Phishing Scam Installs Keylogger Via Web Page

In a sign of the growing diversity of phishing scams, a new e-mail combines social engineering tricks and HTML coding to defraud victims using a keylogging program that attempts to capture banking usernames and passwords.

The latest scam, documented at Codefish Spamwatch, operates via an email with the subject "Police investigation."

Hello...
It has come to my attention that you are being under the police investigation.
Is that true? Have you really commited such crimes?
Please read the following article located at:

http://federalpolice.com:article872@1075686747

or at:

http://0100.035.0255.0133

Sincerely,
Your old friend

The URLs are obscured, and actually point to http://64.29.173.91, an IP address at the Atlanta ISP Abraxis.net. Concerned e-mail recipients who follow the link encounter the message "SERVER ERROR 550", which is not a server error at all but an HTML document containing hidden background code that attempts to download a trojan written in Java.
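Both links in the message hide the same address: the first puts a fake "federalpolice.com:article872" login in front of an "@", so the browser treats the decimal number after it as the real host, and the second writes each octet in octal. The following filter-side decoder is an added example, not code from the Netcraft article; it follows inet_aton's decoding rules (one to four dotted parts, each decimal, octal or hex) and reports whether a link disguises its destination.

```python
import re
from urllib.parse import urlsplit

# Matches one dotted part: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def _part_value(p: str) -> int:
    """Decode one part the way inet_aton does: 0x.. hex, leading 0 octal."""
    if p[:2].lower() == "0x":
        return int(p, 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)          # "0255" -> 173, "035" -> 29
    return int(p, 10)

def parse_numeric_host(host: str):
    """Return the dotted quad for an all-numeric host, else None.
    inet_aton rules: 1 part is a 32-bit value, 2 parts are a.bbb,
    3 parts are a.b.cc, 4 parts are one byte each."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    vals = [_part_value(p) for p in parts]
    head, tail = vals[:-1], vals[-1]
    tail_bytes = 5 - len(parts)   # bytes the last part has to fill
    if any(v > 255 for v in head) or tail >= 256 ** tail_bytes:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | tail
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))

def canonical_host(url: str) -> str:
    """Host the browser really contacts: userinfo before '@', port and path
    are dropped, and numeric hosts are rewritten as a plain dotted quad."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return parse_numeric_host(host) or host

def is_obscured(url: str) -> bool:
    """True when the link disguises its destination: it carries userinfo
    (the '@' trick) or a numeric host not written as a plain dotted quad."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    numeric = parse_numeric_host(host)
    return "@" in parts.netloc or (numeric is not None and numeric != host)
```

Run against the two links quoted above, `canonical_host` returns "64.29.173.91" for both and `is_obscured` returns True for both, which is the signal a mail filter or blocklist lookup would key on.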

If successful, the trojan installs a keylogger program, which monitors the victim's system for a browser window whose title matches any of a lengthy list of financial institution names, including:

Westpac
Commonwealth
NetBank
Citibank
Bank of America
PayPal
Bank West
CIBC
Scotia Bank
Bank of Montreal
Royal Bank
TD Waterhouse
Wells Fargo
Bank One
SunTrust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase

When a window is opened that matches one of these titles, the trojan starts recording keystrokes, stores them to a text file, and uses a built-in e-mail routine to send the contents to pentasatan@mail.ru. Port scans of the server being used suggest it is a compromised Windows box remotely controlled using the NetBus trojan, which appears to connect to an FTP server referring to "Megacrew."

This campaign's combination of social engineering, URL spoofing, a fake web page and an auto-downloading trojan illustrates the growing sophistication of phishing attacks. Much like virus and worm authors, phishers are now constructing "blended threats" that layer one deception upon another in an effort to trick Internet users into revealing bank account information.

Netcraft has developed a service to help banks and other financial organizations identify sites that may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or that imply a relationship with the bank when in fact there is none.