Pinpointing Zombies

Wednesday, February 21, 2007

Account holders with at least two Australian banks have become victims of a phishing scam in which malicious code reveals the physical location of infected machines by plotting their IP addresses on Google Maps.  Bank account holders in Germany and the United States have also been targeted.  The malware installs a trojan that keylogs user activity and hijacks the infected computer.  The scam was circulated as a fake news report claiming that the Australian prime minister, John Howard, had suffered a heart attack.  The trojan and its backdoor code capture all user input, and a compromised Web server gives the attacker remote control of the victim’s computer.  The attacker is then shown the number of infected machines in each country, and Google Maps is used to plot the machines’ physical location from their IP addresses.  (IP-based geolocation of this kind is approximate: it typically resolves to a city or ISP region, not to a street address.)  Websense Australia and New Zealand country manager Joel Camissar believes hackers could use Google Maps to assist in identity theft.  “The hackers could correlate user information acquired from the keylogger with knowledge of where a user is located from Google Maps to masquerade as them,” Camissar said.  “With this they could access bank accounts and Social Security numbers.”  Camissar said there are about 750 infected desktops in Australia.

Westpac and the Commonwealth Bank were among those specifically targeted in Australia, while Bank of America and Germany’s Deutsche Bank were also attacked.  Westpac and the Commonwealth Bank were unavailable for comment at the time of publication.  Sophos senior technology consultant Graham Cluley said users are sent to a page that downloads the malicious code and then shows them a genuine 404 error page, so the visit looks like a dead link rather than an infection.  “Recipients of the e-mail are encouraged to click on a link to obtain the latest information on Howard’s health; however, this link takes users to a webpage which downloads malicious code to their PC, and then displays the real ‘404 page not found’ error page,” Cluley said.  “The scammers have registered several domain names that appear to be associated with a newspaper, and have gone to great effort to make people think that they really are visiting the genuine site by pointing to a real error page,” he said…

Reference: http://www2.csoonline.com/blog_view.html?CID=28915
