Phishing attacks seek to trick account holders into divulging sensitive account information through e-mails which appear to come from trusted financial institutions and retailers. Such scams have multiplied in recent months, with many taking advantage of a bug in Internet Explorer that made it easier for fraudsters to simulate the URLs of target financial institutions.
Microsoft issued a patch to repair that problem on Feb. 2. Visual spoofing does not rely on URL spoofing, relying instead on fake images to accomplish the deceit.
"The leak will do some damage to the security of Windows machines, but it's not clear how much," said Ed Felten of Princeton University, a security researcher who has reviewed Windows source code and was an expert witness in the antitrust case against Microsoft. "There's a longstanding debate about the security implications of open source development. Source code access makes it easier to find security bugs. With open source, you make it easier for honest outsiders to find bugs, which is good, but you also make it easier for malicious outsiders to find bugs, which is bad.
"This kind of leak gives us the worst of both worlds: honest outsiders will avoid looking at the stolen code, while malicious outsiders use the code; so you get the security drawbacks of open source without the security benefits," Felten added. "This will only matter, though, if the bad guys would otherwise have trouble finding bugs, which may not be the case."
According to eEye, the vulnerabilities include a remote exploit that could allow attackers to gain system privileges, and a denial-of-service attack that could cause "total system failure." Both vulnerabilities were reported Sept. 10, and affect default installations of Windows in use on more than 300 million computers, including Windows NT, Windows 2000, Windows XP and Windows Server 2003. eEye reported an additional high-risk remote exploit on Oct. 8.
The new worm, DoomJuice.B, sets random HTTP headers to make it more difficult to filter the attack traffic, seeking to work around a defensive measure used by Microsoft earlier this week, when www.microsoft.com dropped requests without User-Agent headers to differentiate between Web browsers and the DDoS attack agents. The DoomJuice.B DDoS also initiates twice as many requests as its predecessor, launching 32-192 parallel threads instead of the 16-96 of DoomJuice.A.
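The following Python is an added illustration, not code from Netcraft, Microsoft or the worm. It models the two filtering rules in play: the User-Agent presence check that www.microsoft.com used, and a per-source rate limit that keys on request volume rather than header contents. The request text, source addresses and thresholds are constructed for the example; the DoomJuice.B request builder only mimics the behaviour described above (a varying header set that always carries a User-Agent) and is not the worm's actual request format.

```python
import random
from collections import Counter

# Constructed sample traffic, not captured data.
BROWSER_REQUEST = (
    "GET /default.aspx HTTP/1.1\r\n"
    "Host: www.microsoft.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Accept: text/html\r\n\r\n"
)
# DoomJuice.A-style request: no User-Agent at all, so a header-presence rule spots it.
DOOMJUICE_A_REQUEST = "GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n\r\n"

# Plausible values a flood agent might rotate through (assumed, for illustration only).
FAKE_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US)",
    "Opera/7.23 (Windows NT 5.1; U)",
]

def doomjuice_b_request(rng: random.Random) -> str:
    """Assumed DoomJuice.B-style request: a randomly varied header set that
    always carries a User-Agent, so the header-presence rule no longer matches."""
    headers = [("Host", "www.microsoft.com"), ("User-Agent", rng.choice(FAKE_AGENTS))]
    if rng.random() < 0.5:
        headers.append(("Accept", rng.choice(["*/*", "text/html"])))
    if rng.random() < 0.5:
        headers.append(("Connection", rng.choice(["Keep-Alive", "close"])))
    rng.shuffle(headers)  # header order is arbitrary in HTTP
    lines = ["GET / HTTP/1.1"] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_headers(raw: str) -> dict:
    """Return the request headers with names lower-cased (HTTP header names are
    case-insensitive), so a filter cannot be bypassed by 'user-agent' vs 'User-Agent'."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def header_rule_drops(traffic) -> Counter:
    """Requests dropped per source by the rule 'no User-Agent header: drop'."""
    dropped = Counter()
    for src, raw in traffic:
        if "user-agent" not in parse_headers(raw):
            dropped[src] += 1
    return dropped

def rate_rule_drops(traffic, limit: int) -> Counter:
    """Requests dropped per source once that source exceeds `limit` requests in
    the window; this keys on volume, which an agent cannot hide by editing headers."""
    seen, dropped = Counter(), Counter()
    for src, _raw in traffic:
        seen[src] += 1
        if seen[src] > limit:
            dropped[src] += 1
    return dropped

def build_traffic(seed: int = 1):
    """One browser, one A-style agent and one B-style agent; the addresses are
    documentation ranges and the request counts are constructed."""
    rng = random.Random(seed)
    traffic = [("192.0.2.10", BROWSER_REQUEST)] * 3
    traffic += [("198.51.100.7", DOOMJUICE_A_REQUEST)] * 50
    traffic += [("203.0.113.9", doomjuice_b_request(rng)) for _ in range(50)]
    return traffic

if __name__ == "__main__":
    t = build_traffic()
    print("header rule drops:", dict(header_rule_drops(t)))   # only the A-style source
    print("rate rule drops:  ", dict(rate_rule_drops(t, 20)))  # both agents, browser untouched
```

The point of the comparison is that any filter keyed on a header the attacker controls lasts only until the next worm variant, whereas volume per source is something the agent cannot edit away; a fixed per-source limit is itself crude, and real mitigation happens upstream of the web server, but it illustrates why the header check was a stopgap.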
The latest IE update disallows the use of the "@" character in URLs, addressing a snafu which has helped phishing scammers to disguise the Internet address of a fake Web site. Once the update is installed, including the @ symbol in URLs will return an "invalid syntax error" message. Internet scammers have been using @ signs in URLs to trick bank customers into revealing their account details.
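The following Python is an added example, not Netcraft's or Microsoft's code, showing why the "@" trick works at the parsing level and what a check that mirrors the update's behaviour looks like. In a URL such as `http://www.bank.example@203.0.113.5/login`, everything between `//` and the last `@` is userinfo (a username, optionally with a password) and plays no part in choosing the host; the browser connects to whatever follows the `@`. The URLs below are constructed, and the check flags an `@` in the authority component, the position that matters for the deception, rather than anywhere in the URL string.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (documentation names and addresses), not observed phishing links.
SAMPLE_URLS = [
    "http://www.bank.example@203.0.113.5/login",   # reads as the bank, connects elsewhere
    "https://www.bank.example/login",              # genuine
    "https://www.bank.example/login?next=a@b",     # '@' in the query is not userinfo
]

def apparent_and_real_host(url: str):
    """Return (host a casual reader sees first, host the browser actually connects to).
    urlsplit().hostname already discards userinfo; the 'apparent' host is recovered
    from the text before the last '@' in the authority, as a victim would read it."""
    parts = urlsplit(url)
    authority = parts.netloc
    if "@" in authority:
        apparent = authority.rsplit("@", 1)[0].split(":", 1)[0].lower()
    else:
        apparent = parts.hostname
    return apparent, parts.hostname

def has_userinfo(url: str) -> bool:
    """True when the authority carries an '@', the construct the IE update rejects."""
    return "@" in urlsplit(url).netloc

def check_like_updated_ie(url: str) -> str:
    """Mimic the updated browser (assumed behaviour, modelled on the description
    above): refuse any URL whose authority contains '@' instead of trying to
    judge whether the userinfo is benign, and return the URL unchanged otherwise."""
    if has_userinfo(url):
        raise ValueError("invalid syntax error: '@' is not allowed in the URL authority")
    return url

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        apparent, real = apparent_and_real_host(url)
        print(f"{url}\n  appears to be: {apparent}\n  connects to:   {real}")
        try:
            check_like_updated_ie(url)
            print("  accepted")
        except ValueError as err:
            print(f"  rejected ({err})")
```

Rejecting the authority outright, as the update does, also breaks legitimate `http://user:password@host/` links; that trade-off is the price of not having to decide, per URL, whether the text before the `@` is a credential or a disguise.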
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or which imply a relationship with the bank when in fact there is none.
My husband was called on Wednesday by "VISA" and I was called on Thursday by "MasterCard". It worked like this:
Person calling says, "This is Carl Patterson (any name) and I'm calling from the Security and Fraud department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card. Did you purchase an Anti-Telemarketing Device / any expensive item for £497.99 from a marketing company based in 'Anywhere'?"
Posted by Netcraft Admin in Security