Web Attack Targets Financial Data
A new Internet attack discovered this week was designed by an infamous group of Russian virus writers to steal credit card and other financial information from Web surfers and send it to Web sites where it can be retrieved by hackers, security experts warn.
According to Hypp
This code, which security researchers are calling "Scob," connects the user's PC to Web addresses run by the hackers from which they can silently download and install a Trojan horse. This then uses a keystroke logger to collect Web surfers' passwords, logins, PayPal payment data, and other sensitive information, Hypp
"It just boggles the mind when you see the amount of information available on these sites--credit card numbers, banking information--and its available to anyone who knows the Web sites," Hypp
He adds, however, that the Web addresses where the information is being stored are not obvious and that potential hackers would have to reverse engineer the code to find them.
Law authorities, who were already investigating the Korgo group, have an open investigation into the case and are working on shutting down the sites, Hypp
Graham Cluley, senior technology consultant at security firm Sophos, says that his team has also connected the threat to the Korgo group. However, he says that in their research they have not been able to get through to the Web addresses that download the Trojan horse.
"So far it doesn't cause much harm, but the hackers could choose to redirect users to other addresses that work," he says.
Cluley also warns that the hackers could choose to change the Trojan horse, enabling it to launch a spam or denial-of-service attack. "The world is really their oyster," he says.
Security experts have said that the attack only affects users of certain versions of Microsoft's Internet Explorer browser.
Additionally, Cluley says that it appears that the threat only affects Web servers running Microsoft IIS 5 (Internet Information Services) Web Server software and not Microsoft IIS 6, which comes with Windows 2003 Server.
In the meantime, various antivirus firms are working to update their products to protect against the threat. As of early Friday morning, F-Secure had updated its offering to protect users, Hypp
Additionally, Cluley says that there has been some evidence that Web sites have been able to avoid the threat because they downloaded a patch made available by Microsoft in April to thwart the Sasser worm.
"Our advice is that everyone download the Sasser patch," Cluley says. "And really, sites that haven't done so yet, that have slept through the whole Sasser hoopla, really cannot say that they take their network security seriously."
Because most sites should have patched against Sasser, and Sophos has been unable to connect to the addresses hosting the Trojan horse code, Cluley believes that the attack is not a huge threat so far. However, he warns that this could change.
The threat was initially detected late Thursday, with managed security services firm NetSec and the SANS Institute's Storm Center warning against the vulnerability.
So far all of the security researchers have remained tight-lipped about which major Web sites are being affected by the attack. It is also unclear how many users and sites have been affected so far.