"This is one of the most sophisticated phishing attacks that we have yet detected," said Dave Jevans, chairman of the Anti-Phishing Working Group (APWG). "Because the fake Address bar remains installed even after you leave the phisher's site, there is a possibility that a phisher could use this technique to secretly track every web site that you visit."
The new technique targets Citibank, commencing with e-mails bearing the subject "Verify your E-mail with Citibank." The IP address for the spoofed page (http://220.127.116.11) is part of a block of addresses assigned to The Planet, a large hosting provider in Dallas, and was still active as of yesterday.
The report by the Cooperative Association for Internet Data Analysis (CAIDA) says Witty broke new ground by simultaneously infecting dozens of machines maintained by security-savvy users, and targeting a very recent vulnerability. Witty's spread was limited primarily by its destructive nature and the small installed base of the ISS products it exploited, CAIDA noted, positing that similar tactics could be repeated using huge "botnets" of compromised boxes targeting Windows machines.
The worm, which appeared overnight Friday, exploits a weakness in the widely-used Black Ice security products, and is not detected by antivirus software, as it resides in memory. When an infected system is rebooted, Witty deletes a randomly chosen section of the hard drive, rendering some machines unusable.
The Internet Storm Center raised its incident alert level to yellow, and advised that vulnerable systems be taken off the network. "Disconnect systems running BlackIce as soon as possible," said the advisory at the ISC, run by the SANS Institute. Symantec also advised that network admins disconnect machines running Black Ice.
The DDoS component of MyDoom.F also targets www.microsoft.com, which has experienced no significant problems. Antivirus vendors say MyDoom.F has been found on as many as 45,000 machines. A dynamically updating graph of the sites targeted for DDoS by various MyDoom variants is available here.
OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and is used in security products from numerous vendors. Cisco has already released an advisory for customers, while Oracle and Symantec say none of their OpenSSL-based products are affected. OpenSSL is also used in products from IBM, FreeBSD, Red Hat, SUSE and others. The advisory from the UK's National Infrastructure Security Co-ordination Centre (NISCC) includes an updated list of vendor responses.
The scam employs e-mails with subject lines reading "Official information" or "Urgent information to all credit card holders," and asserts that a new law requires Internet users to identify themselves to the government to "create a secure and safer Internet community." The e-mail links to a Web site masquerading as regulations.gov and asks readers to provide personal financial information.
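The Citibank and regulations.gov items above both turn on the same mail-side indicators: a recognisable lure subject, a link whose host is a bare IP address rather than the bank's domain, and a host that carries the impersonated brand's name without being the brand's own domain. The following is an added example, not code from Netcraft or any of the vendors named on this page, of a small triage filter that checks those three indicators over constructed sample messages. The subject lines and the 220.127.116.11 address come from the items above; the brand-to-domain allow-list and the `regulations.gov.example-login.net` lookalike host are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Lure subjects quoted in the items above.
KNOWN_PHISH_SUBJECTS = {
    "verify your e-mail with citibank",
    "official information",
    "urgent information to all credit card holders",
}

# Assumption for this example: an analyst-maintained map from an impersonated
# brand string to the registrable domain(s) the brand legitimately uses.
BRAND_DOMAINS = {
    "citibank": {"citibank.com"},
    "regulations.gov": {"regulations.gov"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(subject, body):
    """Return the list of indicator tags raised by one message (empty if clean)."""
    hits = []
    if subject.strip().lower() in KNOWN_PHISH_SUBJECTS:
        hits.append("known-subject:" + subject.strip())
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # A link to a raw IP address instead of the institution's domain.
        if IPV4_RE.match(host):
            hits.append("bare-ip-url:" + host)
            continue
        # Brand name present in the host, but the registrable domain is not the brand's.
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and _registrable(host) not in legit:
                hits.append("brand-lookalike:" + host)
    return hits


# Constructed sample messages (subject, body) for this example.
SAMPLE_MESSAGES = [
    ("Verify your E-mail with Citibank",
     "Please confirm at http://220.127.116.11/cgi-bin/verify"),
    ("Urgent information to all credit card holders",
     "Register at http://regulations.gov.example-login.net/register"),
    ("Weekly newsletter",
     "Read more at https://www.citibank.com/news"),
]


def triage(messages):
    """Map each subject to its indicator list so flagged mail can be quarantined."""
    return {subj: phishing_indicators(subj, body) for subj, body in messages}


if __name__ == "__main__":
    for subj, hits in triage(SAMPLE_MESSAGES).items():
        print(subj, "->", hits or "clean")
```

The registrable-domain check is deliberately coarse (it treats the last two labels as the domain), so a production filter would use a public-suffix list; the point of the example is that the lure subject, the bare-IP link and the brand-in-hostname pattern are each cheap to test at the mail gateway and, combined, catch both campaigns described above.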
Your link here? Advertising on the Netcraft Blog