
UNIRAS Brief - 570/04 - AL-2004.032 - "Postcard" and "tvshop" Fraudulent E-mails and



 

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 570/04 dated 15.10.04  Time: 14:40
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

AL-2004.032 - "Postcard" and "tvshop" Fraudulent E-mails and 
Malicious Web Sites

Detail
====== 

AusCERT has become aware of several fraudulent e-mails, one with the subject
of "A Thinking Of You Card for you" and one referencing "www.tvshop.com.au"
circulating in Australia and overseas, which are used to entice the reader to 
visit malicious web sites.  These web sites contain executable Java code and
Internet Explorer exploits which, if successfully executed, will install a 
trojan program which in turn captures keystrokes when the user visits
particular banking related web sites.  They may also install programs which
allow malicious users to take control of an infected PC.





===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2004.032 -- AUSCERT ALERT
    "Postcard" and "tvshop" Fraudulent E-mails and Malicious Web Sites
                              15 October 2004

===========================================================================

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability:

  The malicious web sites that are linked in the emails attempt to exploit
  multiple vulnerabilities.

  The first attempted exploit uses the Microsoft Virtual Machine (VM) [1], for
  which Microsoft released a patch on April 9, 2003 with security bulletin 
  MS03-011 [2].

  The second attempted exploit uses the JS.Dragdrop vulnerability [3] to 
  install files on to the user's machine.  This was corrected on October 12,
  2004 in Microsoft's Cumulative Security Update for Internet Explorer,
  MS04-038 [4].

  The third attempted exploit uses a vulnerability in the Windows help system
  (.chm files) to run arbitrary code.  Microsoft Security Bulletin MS02-055 [5]
  addresses this issue and has patching details.

Mitigation:

  Installation of the patches described in Microsoft security bulletins
  MS03-011 [2], MS04-038 [4] and MS02-055 [5] will protect a computer against
  all three of the above mentioned vulnerabilities.  Additionally, all major
  anti-virus vendors have carried signatures for the Microsoft Virtual Machine
  exploit in their updates since before September 2003 [6].

  All exploits also require user interaction - deleting these emails as they
  arrive and not clicking on any links they contain is a safe mitigation
  strategy.

Exploit Details:

  "Postcard" email
  ----------------

  The "Postcard" email circulating is similar to:

  ---- start postcard email ----

  Subject: A Thinking Of You Card for you

  A Digital Postcards(R) Greeting from John Korhonen waiting for you at POSTCARDS.COM!

  If you have a modern e-mail program, you can go directly to your card by clicking: 

  http://Postcard.com/pickup/DP_416b029023245c15 
       
  *PLEASE* make sure your mail program has not cut the CardID # into 2 lines!! If it has,
  you need to use the Old-Fashioned method below.

  You can pick-up your postcard the old-fashioned way, by going to the following URL:

  http://postcard.com/cards/pickup.html
     
  and entering your postcard ID number:   DP_416b029023245c15 

  If postcard is not picked up within two weeks, it may be removed.

  Thank you!
  This is a free service of Digital Postcard(R)

  ---- end postcard email ----

  The subject line may also be 'You have new postcard!' or similar.

  When any of the links in the email are clicked, they go to a different Internet
  address from the ones shown, one of a number of malicious web sites.


  "tvshop" email
  --------------

  The "tvshop" email circulating is similar to:

  ---- start tvshop email ----
  Subject: <variable>


  ON-LINE ORDER CONFIRMATION
  Account Number: <variable>
  password: ******
  Order Number: <variable>
  Order Total: $4,490.50
  Thank you for ordering from stampcar.com, below is your order detail.
  Your order is currently being reviewed and processed. We will send you an
  e-mail confirming shipment and providing pertinent shipping information as
  soon as your order ships.
  The Following item(s) are included with this order:
  ****************
  Item : PANASONIC - TH42PHD6UY 42-IN HDTV PLASMA
  DISPLAY
  Product Code : <variable>
  Price : $4,135.00
  Quantity : 1
  Price : $4,135.00
  Subtotal $4,135.00 Shipping $355.50
  Grand Total $4,490.50
  ****************
  You can track the status of your order anytime you like (24/7) online by
  going to our website www.tvshop.com.au/order.htm and logging into your account.
  It was a pleasure to serve you and we hope you visit us again soon. If you
  have any questions, please contact us.
  Sincerely,
  Sales Department
  At tvsop

  ---- end tvshop email ----

  Clicking on the www.tvshop.com.au link actually takes you to one of a number of
  malicious web sites, which will run the Windows help system exploit.
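As an added example (not part of the AusCERT or UNIRAS material), a Python check for the trick both e-mails use: a link whose visible text names one site while its href points somewhere else. The sample anchors and the href hosts (203.0.113.7, malicious-host.invalid) are constructed placeholders; a subdomain of the shown host is deliberately not flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# A host name as it appears in link text, e.g. "www.tvshop.com.au" or "Postcard.com".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def host_of(url):
    """Host part of an href; a bare 'host/path' href gets a scheme so urlparse works."""
    if "//" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def deceptive_links(html):
    """(shown host, real host) for anchors whose text names a host the href does not go to."""
    parser = LinkExtractor()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        match = HOST_RE.search(text)
        if not match:
            continue  # link text is not a URL, nothing to compare
        shown, real = match.group(1).lower(), host_of(href)
        if real and shown != real and not real.endswith("." + shown):  # subdomains are fine
            found.append((shown, real))
    return found

# Constructed samples modelled on the two e-mails; the href hosts are placeholders.
SAMPLE_TVSHOP = '<a href="http://203.0.113.7:5180/order.htm">www.tvshop.com.au/order.htm</a>'
SAMPLE_POSTCARD = '<a href="http://malicious-host.invalid/c/">http://Postcard.com/pickup/DP_416b029023245c15</a>'
```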


References

  [1] - http://www.microsoft.com/mscorp/java/
  [2] - http://www.microsoft.com/technet/security/bulletin/ms03-011.mspx
  [3] - http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=7065
  [4] - http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx
  [5] - http://www.microsoft.com/technet/security/bulletin/MS02-055.mspx
  [6] - http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
      - http://www3.ca.com/virusinfo/virus.aspx?ID=36725
      - http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100261
      - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_BYTEVER.A
      - http://www.sophos.com/virusinfo/analyses/trojbyteveria.html


--------------------------END INCLUDED TEXT--------------------




----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of AusCERT for the information 
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors or omissions
contained within this briefing notice. In particular, they shall not be liable
for any loss or damage whatsoever, arising from or in connection with the use
of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
