Computer Crime Research Center


Phishers Play Off

Date: April 29, 2005
Source: InformationWeek
By: Gregg Keizer

Misspelled domains have been used by the scabrous almost since URLs were created. Pornographers were among the first to adopt the tactic of registering domains that are slightly off legitimate sites' spelling, or play off confusion between. .com and .gov.

Spyware authors and phishing scammers are using a technique almost as old as the Internet to draw unsuspecting users: Web sites purposefully designed to take advantage of typing errors.

Finnish security firm F-Secure has discovered a site just one letter different than that when accidentally visited, drops a slew of malicious software on users' PCs.

The site, and several affiliated sites, are registered to various Russian nationals, said F-Secure, which has alerted local authorities.

Visitors who stumble on the site by mistyping are immediately presented with two pop-up windows linked to sites that in turn load executable files exploiting several Windows vulnerabilities. By the time the entire sad episode's over, the machine has been infected with two backdoor components, two Trojans that drop a pair of DLLs onto Windows, a proxy Trojan, a Trojan-style piece of spying that steals bank-related information, and Trojan downloader that can retrieve and install yet more malware.

To top it off, several pieces of less-malicious adware are added to the PC.

The Trojans want to stay put on the machine, said F-Secure, as evidenced by behavior such as modifying the Windows HOSTS file so that connections can't be made to several anti-virus firms' update sites. Some are also extremely cynical, for they cause pop-ups to appear on the screen that scream "VIRUS ALERT! YOUR PC IS INFECTED!" The fake alert includes a link to a site from which users can download various anti-virus and anti-spyware programs.

"The entire model for phishers is to re-route people to malicious Web sites," said Avivah Litan, research director with Gartner. "They've been using this technique for the last 18 months or so. It's definitely primitive -- most phishers have gone on to more sophisticated methods -- but it still works."
Original article

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2005-05-02 16:25:28 - I'm so confused!!!!!!!!!!!!! John Smith
Total 1 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo