Phishing Scam Installs Keylogger Via Web Page

In a sign of the growing diversity of phishing scams, a new e-mail combines social engineering tricks and HTML coding to defraud victims using a keylogging program that attempts to capture banking usernames and passwords.

The latest scam, documented at Codefish Spamwatch, operates via an email with the subject "Police investigation."

It has come to my attention that you are being under the police investigation.
Is that true? Have you really commited such crimes?
Please read the following article located at:
or at:
Your old friend

The URLs are obscured, and actually point to, an IP address at the Atlanta ISP Concerned e-mail recipients who follow the link encounter the message "SERVER ERROR 550" - which is actually not a server error at all, but an HTML document containing unseen background code that attempts to download a Trojan written in Java.

If successful, the trojan installs a keylogger program, which monitors the victim's system for a browser window bearing the title of any of a lengthy list of financial institution names, including:

Bank of America
Bank West
Scotia Bank
Bank of Montreal
Royal Bank
TD Waterhouse
Wells Fargo
Bank One
Discover Card
Washington Mutual

When a window is opened that matches one of these titles, the trojan starts recording key strokes, stores them to a text file, and uses a built-in email system to send the contents to Port scans of the server being used suggest a compromised Windows box remotely controlled using the Netbus trojan, which appears to connect to an FTP server referring to "Megacrew."

This campaign's combination of social engineering, URL spoofing, a fake web page and auto-downloading trojan illustrates the growing sophistication of phishing attacks. Much like viruses and worms, phishers are now constructing "blended threats" that layer one deception upon another in an effort to trick Internet users into revealing bank account information.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.