June 23, 2007
Case users are advised to be wary of new phishing messages which have graced some inboxes this summer.
The most recent case is an email message masquerading as coming from 'firstname.lastname@example.org' with the subject line, "Download a New Update for Windows!" The link for the update is a false reference and is designed to get users to install malicious software.
There have also been various 'greeting card' messages such as, "You've received a postcard from a family member!" which look like phishing messages, but are actually attempts to lure users to a specially crafted web site that exploits a number of browser vulnerabilities. WARNING! If you click the link, your browser will open a Web site that returns a page stating "We are currently testing a new browser feature. If you are not able to view this ecard, please _click here_ to view in its original format."
7-2-2007: This appears to be a wave of the 'Storm Worm' per SANS.
The link presented in "click here" goes to a Trojan downloader that downloads multiple components, making up a "Storm Worm" infection. Presumably, if any of the browser exploits above work, the downloader Trojan will be downloaded and run without user interaction.
Users are advised to never click on links in these types of unsolicited messages, even if they seem innocent (such as the greeting card message). The pathway to execution and installation of these malware examples is well paved if you run with administrative privileges (e.g. Administrators group in Windows). You should have two accounts: one for administrative functions (updates, installation, other maintenance), and one for regular use.
Additionally, stopping phishing requires you to act: forward the message to email@example.com. Reporting to CastleCops starts a process in which volunteer handlers work to shut down the phishing servers.
More details on phishing can be found at http://SecurityAware.case.edu.
Posted by Thomas Siu at 01:52 PM