New DNS Hijacking Trojan targeting Commonwealth Bank Customers
The security firm Sophos warns of a different kind of phishing threat targeting Australian Commonwealth Bank customers: it uses a DNS hijacking Trojan to steal login information.
According to the researchers, the attack begins with phishing emails that imitate a genuine Commonwealth Bank template, complete with the company's logo, copyright notice and other identifying details.
The fake email carries the heading "Update your Commonwealth Bank" and claims it was sent to inform the recipient that his or her account will be closed within 48 hours because of account inactivity, as reported on the Sophos Labs blog on 15 September 2010.
Users are also told that certain account details need to be confirmed before they can continue using the account. The text is designed to alarm recipients into acting. Opening with "Customer ID: 000-5432-654386-PSI", the email looks authentic and relies on the fact that most customers cannot remember their personal ID number.
The email also carries a "Verify My Account Information" link which, interestingly, does not lead to a phishing website. Instead it points to a file named CommBank.scr, which is the phishing Trojan itself.
The aim of the scam is to steal customers' information, and it achieves this with two files, "pic.url" and "hosts", installed in the <System>\drivers\etc folder.
The file "pic.url" opens a browser session pointing at the phishing page, a copy of the real bank's login page. The "hosts" file overwrites the local HOSTS file so that all traffic for commbank.com or commbank.com.au from the compromised computer is sent to an IP address hosting a second phishing page. Unsuspecting customers then enter their bank details, which are stolen by the attackers.
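Because the redirect lives in the local HOSTS file rather than in DNS, it is easy to audit for. The following added example (not from the Sophos report) parses HOSTS-file text and flags entries that pin a watched banking domain to any address, plus entries that pin any hostname to a public address; the sample file content and the 192.0.2.10 address are constructed (RFC 5737 documentation range), not the attacker's real address.

```python
import ipaddress

# Domains the article says the Trojan redirects; extend to any login site you care about.
WATCHED_DOMAINS = ("commbank.com", "commbank.com.au")

# Constructed sample of a HOSTS file after the kind of overwrite described above.
# 192.0.2.10 is a documentation-range placeholder, not a real attacker address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      commbank.com www.commbank.com
192.0.2.10      commbank.com.au www.commbank.com.au   # dropped by malware
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank lines and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:                  # one IP may carry several hostnames
            yield fields[0], name.lower().rstrip(".")

def matches_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname, reason) for entries a normal HOSTS file should not contain."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                             # not a parseable address, cannot redirect
        if matches_watched(name, watched):
            findings.append((ip, name, "watched domain pinned in HOSTS"))
        elif addr.is_global:                     # note: RFC 5737 ranges count as non-global here
            findings.append((ip, name, "hostname pinned to a public address"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:24} -> {ip:14} {reason}")
```

On a real host, read `C:\Windows\System32\drivers\etc\hosts` and feed its text to `find_suspicious_entries`; any hit for a banking domain is a strong indicator of this kind of infection.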
Amusingly, the Trojan installer is itself infected with a file-infecting virus, W32/Sality-AM (a Sality variant), which suggests that the attackers' own computer is infected.
Security experts advise customers to keep their antivirus software up to date and to be alert when handling links received by email.
SPAMfighter News - 30-09-2010