Phishing without bait

Internet Crime is now big business. The latest from ZDnet


Skilled identity thieves can pilfer user names, passwords and other sensitive data for banking sites without using e-mail lures and other other social engineering tactics.

According to a security advisory from Trusteer, hackers can launch what is described as “in-session phishing attacks” using pop-up messages during an active browser session. The attack technique is somewhat sophisticated — it requires that a base Web site is compromised and the attacker must know which Web site the victim user is currently logged into — in-session phishing can be highly effective because the average end user is likely to enter credentials without a second thought.

Here’s how it works:

A user logs onto their online banking application. Leaving this browser window open, the user then navigates to other Web sites.

A short time later a pop-up box appears, allegedly from the banking website, requesting the user re-type their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc.

Since the user had recently logged onto the banking website, he/she will likely not suspect this pop-up is fraudulent and thus provide the requested details.

To mount a successful in-session phishing attack, a base Web site must be compromised (check!), the malware injected onto the hijacked Web site must be able to identify the site the user is logged into (not trivial but very possible).

The rest is here: http://blogs.zdnet.com/security/?p=2390&tag=nl.e550

W32/Conficker.worm

A recently conducted experiment by F-Secure estimates that approximately 3.5 million hosts have been infected with W32/Conficker.worm also known as W32.Downadup spreading through the now patched MS08-067 as of November, 2008. Basically, F-Secure’s experiment took advantage of the very same domain registration algorithm that the cybercriminals were using in order to temporarily redirect some of the infected hosts and in the meantime count the number of infected hosts.

With several new Conficker variants released since the original November campaign, the worm’s authors seem to be diversifying the propagation vectors in order to increase the worm’s lifecycle.
The latest propagation tactics include USB spreading, network shares spreading, and according to McAfee, the latest samples that they’ve analyzed are attempting to exploit only English language OS versions thanks to an OS fingerprinting feature within a Metasploit exploit used by the worm’s authors.

http://blogs.zdnet.com/security/?p=2388

For more on worms see: Infestation: Worms are crawling everywhere

http://news.zdnet.com/2100-9595_22-115026.html?tag=btxcsim