Hackers grab bank details with fake ad

Sposs

URPOSE
The purpose of this advisory is to bring attention to Hackers who have found a new method of stealing bank details from home computers.

ASSESSMENT
Img1big.gif is a file containing a Trojan named pwsteal.refest. It attempts to secretly install itself on the computer and steel confidential information.

A virus uncovered last week was hidden inside so-called "pop-up" advertisements that appeared on screen without warning, experts have warned. Clicking on the "close" button to get rid of the advert triggered the virus to attempt to secretly install itself on the computer. The bug was programmed to wait until the user began logging on to their internet bank account where it tried to steal personal details, such as passwords, before the information reached the bank. When Internet Explorer makes an HTTP POST request to one of these domains (for example, when the user submits a web form at a bank site), the Trojan also sends the information to a cgi script at www.refestltd.com.

The new Trojan was aimed at customers of nearly 50 banks around the world
including:

* .anz.com
* .bendigobank.com.au
* .citibank.com
* .citibank.de
* .commbank.com.au
* .dab-bank.com
* .deutsche-bank.de
* .e-gold.com
* .hsbc.com.au
* .hsbc.com.hk
* .online-banking.standardchartered.com.hk
* .sparkasse-banking.de
* .stgeorge.com.au
* banking.lbbw.de
* banking.mashreqbank.com
* banknetpower.net
* barclays.co.uk
* cd.citibank.co.ae
* cibconline.cibc.com
* citibank.com.au
* dit-online.de
* easyweb.tdcanadatrust.com
* ebank.uae.hsbc.com
* ekocbank.kocbank.com.tr
* hercules.pamukbank.com.tr
* internetsube.akbank.com.tr
* lloydstsb.co.uk
* national.com.au
* nbd.ae
* online-banking.standardchartered.ae
* online.nbad.com
* pbg1.edc.citiaccess.com
* standardchartered.com
* suncorpmetway.com.au
* westpac.com.au
* www.alahlionline.com
* www.almubasher.com.sa
* www.arabi-online.com
* www.cbdonline.ae
* www.citibank.com.hk
* www.dahsing.com
* www.ebank.iba.com.hk
* www.privatebank.citibank.com.sg
* www.sabbnet.com
* www.samba.com
* www.scotiaonline.scotiabank.com
* www.unb.com
* www1.bmo.com
* www1.royalbank.com

SUGGESTED ACTION
PSEPC recommends that you ensure your anti-virus detection software definitions are current.

Additional information about this worm is available at the following links:
http://reg.smh.com.au/splash.do?site=SMH&server=http:%2f%2fwww.smh.com.au&retn=%2farticles%2f2004%2f07%2f05%2f1088879407085.html
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.refest.html

Mac daddy

Sneaky bastard*s

aidan_walsh

Well, thank God for firewalls, virus scanners, Firefox and knowing what the hell I'm doing...

briano

I see from the symantec site that it is a IE only problem. Which makes me wonder why don't the banks, when sending out the mountains of crap that they send out every month advertising their online services, put in a CD with an alternate browser? say "Free Demonstration CD", pop it in, have autorun.inf display a little message saying "your browser may not be secure, would you like to install <insert-particular-flavour-of-browser-here>?"


<rant>
Its this sort of thing that drives me nuts: Little pop-up boxes appearing on websites saying "your browser is not optimised to view this webpage, please install IE" Why not turn it around and put it on websites that are subject to these schemes (BHO, phishing, everything after special chars not being displayed in the address bar) and have a little redirect saying "I see you are using IE, please visit one of these sites and upgrade your browser"
</rant>

I mean, I know it'll never happen, but damn it would be nice

leeroybrown

If the banks started advocating the use of an alternate browser most of them would probably have to partially re-write their eBanking applications to get them to work 100% reliably with browsers other than IE.

briano

If the banks started advocating the use of an alternate browser most of them would probably have to partially re-write their eBanking applications to get them to work 100% reliably with browsers other than IE.

That would have to be the worst excuse I could think of. I mean, how much does your average e-banking site cost to implement? tens of thousands?, Hundreds?, Millions? For that sort of money I'd expect them to not only work with whichever browser I used, but to be able to be as secure as humanly possible. If that means only one type of browser is 100% reliable, it better not be the one with the worst track record for security.

aidan_walsh

Originally posted by briano
That would have to be the worst excuse I could think of.

Hows this for a better one?

Its not their job to offer you alternate browsers. Thats up to the individual themselves to source a new browser if they are unhappy with the one they have.

Frankly, if anyone with any bit of knowledge is stupid enough to use IE in this day and age after all the warnings, and especially without a pop-up blocker of some shape or form, then its their own problem.

Unfortunatly, information regarding IE's problems often doesn't reach the common dolt, sorry, user in manner they can understand, or they can't be bothered doing anything about it when they do hear of it...

In summery, expecting the bank to supply you with common sense is stupid.

Mac daddy

Originally posted by doodle_sketch
Hows this for a better one?

Its not their job to offer you alternate browsers. Thats up to the individual themselves to source a new browser if they are unhappy with the one they have.

Frankly, if anyone with any bit of knowledge is stupid enough to use IE in this day and age after all the warnings, and especially without a pop-up blocker of some shape or form, then its their own problem....

In summery, expecting the bank to supply you with common sense is stupid.

That is why i converted to Opera in work and Mozilla at home:p

briano

In summery, expecting the bank to supply you with common sense is stupid.

What, like posting notices out saying "Don't store your pin with your bank card"? You mean that sort of common sense?

Frankly, if anyone with any bit of knowledge is stupid enough to use IE in this day and age after all the warnings, and especially without a pop-up blocker of some shape or form, then its their own problem.

What Warnings? We (nerds) see them, but average joe luser doesn't. At most there is a bit on the news about the latest virus.

The banks on the otherhand do know about these threats, because thats their job (to safeguard other people's money). It annoys me that they don't make the effort to warn their customers who might know nothing about computers, and not understand that they could mitigate the threat from assorted malware just by changing browser.

Brian (running opera under linux. Take that pwsteal.refest)

damnyanks

IE was targetted for the obvious reason that it is used by the vast majority of net users. The banks can send out CD's with firefox, mozilla or whatever. It wont stop these people they will just write virus's to exploit more then 1 browser.