Full Disclosure mailing list archives

Re: New Phising attack FUD or Real?
From: phased <phased () mail ru>
Date: Fri, 05 Nov 2004 01:11:47 +0300


Certainly modifying the hosts file is not a new idea; there are botnet-style worms
that do this for AV and so forth, and there are specific modified bots that
target certain bank site hostnames.  They are often not used on that large a scale so don't often get noticed, and the
majority are self-cleaning after the job has been done.

The media often overhypes these things and talks shit, such as this http://in.tech.yahoo.com/041103/137/2ho4i.html.

"LONDON (Reuters) - A file-sharing program called BitTorrent has become a behemoth, devouring more than a third of the 
Internet's bandwidth, and Hollywood's copyright cops are taking notice."

I wonder where they got their data from, MORE THAN A THIRD OF THE INTERNET'S BANDWIDTH! How accurate do you think this is?

-----Original Message-----
From: Dave King <davefd () davewking com>
To: Full Disclosure <full-disclosure () lists netsys com>
Date: Thu, 04 Nov 2004 14:30:07 -0700
Subject: [Full-disclosure] New Phising attack FUD or Real?


There have been several sites that have announced a new phishing attack 
that's been found in Brazil that rewrites the hosts file so that when 
certain bank urls are entered they get directed to the site in the hosts 
file rather than look it up on their DNS server.  While I've never seen 
such an attack, I've been expecting this to happen eventually (if it 
hasn't already happened).
the unpatched Outlook, no SP2 and basically assuming that the user is 
using either Outlook or Outlook Express.  It seems that the machines 
I've mentioned would not only have to open the email, but manually run 
the script.  While I'm not saying this wouldn't ever happen, it's not 
what they're saying.  To me this is spreading FUD and not responsible 
reporting.

Let me know if I'm wrong and other mail clients would be vulnerable to 
this attack or if SP2 machines are vulnerable.  I also believe it is a 
good idea to disable WSH unless you need it (as it's a good idea to 
disable anything you don't use).

Here are links to several stories about this new phishing scam.

http://story.news.yahoo.com/news?tmpl=story&cid=74&e=4&u=/cmp/20041104/tc_cmp/51202564 

http://story.news.yahoo.com/news?tmpl=story&cid=75&e=3&u=/nf/20041104/tc_nf/28135 

http://www.net-security.org/press.php?id=2626
http://www.vnunet.com/news/1159171
http://www.theregister.co.uk/2004/11/04/phishing_exploit/

The only article that seems to say anything about patched users being 
protected that I could find was this one:
http://software.silicon.com/security/0,39024655,39125549,00.htm

Dave King
http://www.thesecure.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
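
The thread above describes hosts-file entries that override DNS for bank hostnames, and worms that do the same for AV hostnames. The following is an added defensive example, not part of either poster's message: it audits hosts-file text for entries that override a watch list of domains. The watch list, sample file contents and addresses are constructed placeholders.

```python
import ipaddress

def audit_hosts(text, watched):
    """Return (line_no, ip, hostname, verdict) for hosts entries that override watched domains."""
    watched = [w.lower().rstrip(".") for w in watched]
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                            # not a valid address line
        for name in entry[1:]:                  # one line may carry several hostnames
            host = name.lower().rstrip(".")
            if not any(host == w or host.endswith("." + w) for w in watched):
                continue
            # Loopback/unspecified targets block a site (the AV-update case);
            # any other address sends the user to a different server (the phishing case).
            verdict = "blackhole" if ip.is_loopback or ip.is_unspecified else "redirect"
            findings.append((line_no, str(ip), host, verdict))
    return findings

# Constructed sample hosts file; domains and addresses are placeholders.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.bank.example   bank.example  # added by script
0.0.0.0         update.av.example
192.168.1.10    fileserver
198.51.100.7    WWW.Login.Bank.Example.
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE, ["bank.example", "av.example"]):
        print(finding)
```

On a Windows host the text to audit would normally come from %SystemRoot%\System32\drivers\etc\hosts; a watched domain should never need an entry there, so any finding is worth investigating.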

