SANS Report On Identity Theft and Attacks On Computer Users

The SANS Institute's summary of the most important current viruses,
phishing announcements, and damaging hoaxes - written without jargon:

OUCH: The Report On Identity Theft and Attacks On Computer Users
August 2, 2004

Every day, thousands of people are fooled by emails from criminals
trying to steal their identities or infect and take over their
computers.  This update is our attempt to help you avoid being one of
the victims.

Part 1. Subject Lines You May See In Emails That Are Trying To Hurt You

I. Emails from people trying to infect your system and steal your
        friends' email addresses for spam
   I.1. Pictures of Osama Bin Laden hanging or Arnold Schwarzenegger's
         suicide note
   I.2. Email from your system administrator or other familiar sender
         that says your email could not be delivered, or some similar
         statement.
   I.3. Email with subject "Against!" or "Revenge"
   I.4. Email with subject Re_ and body with animals or foto or other
         subjects
 

II. Emails from people trying to steal your identity (and your money)
   II.1. Update Your Billing Information (from eBay)
   II.2. Your account at eBay has been suspended
   II.3. Your account at Wells Fargo has been suspended
   II.4. Notification of US Bank Internet Banking
   II.5. Attn: Citibank Update
 

III. Emails from people trying to fool you into hurting yourself or
        your friends and coworkers
   III.1. Subject: "jdbg" Virus: how to detect and remove.
 

Part 2. More Details About Each Attack

I. Emails from people trying to infect your system and steal your
        friends' names for spam

I.1. Name: Hackarmy

The bait: An email or news article claiming to offer you copies of
pictures of Osama Bin Laden being hanged.  A second form claims to
have a suicide note from Arnold Schwarzenegger.

How it infects your system: You click on a link that downloads a zip
file. You execute the file thinking you will see the pictures.

What it does to you: Gives attackers remote control of your computer so
they can use it in attacks on other people, or harvest email addresses
from it for spam.

Where to find detailed information:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.d.html

I.2. Name: Mydoom-O

The bait: An email from your mail or system administrator or other
familiar sender with any one of the following subjects, each carrying
an attachment:
   (1) say helo to my litl friend
   (2) click me baby
   (3) one more time
   (4) hello
   (5) error
   (6) status
   (7) test
   (8) report, delivery failed
   (9) Message could not be delivered
   (10) Mail System Error - Returned Mail
   (11) Delivery reports about your e-mail
   (12) Returned mail: see transcript for details
   (13) Returned mail: Data format error

How it infects your system: you download and open the attachment.

What it does to you: harvests every email address stored on your machine
to be sold to spammers, and spreads from your machine to other systems.
It also uses your system to send queries to search engines like Google
to find still more email addresses.

Where to find more detailed information:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html
 

I.3. Name: Atak-C

The bait: An email that arrives with the subject "Attack!" or "Revenge"
and a zipped attachment

How it infects your system: you download and open the attachment.

What it does to you: harvests every email address stored on your machine
to be sold to spammers.

Where to find more detailed information:
http://www.sophos.com/virusinfo/analyses/w32atakc.html
 

I.4. Name: Beagle

The bait: An email that arrives with the subject Re_ and an attachment.

How it infects your system: you download and open the attachment.

What it does to you: disables antivirus and other important software,
mass-mails itself to others, steals email addresses from throughout your
files, and gives the attacker remote control of your computer to use in
attacks on other systems.

Where to find more detailed information:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39641
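As an added example (not part of the newsletter), here is a small Python filter a mail
gateway or client could run against the lures in I.2 to I.4: a listed subject together
with an attached archive or executable is treated as the worm pattern, and either
indicator alone is only flagged as suspicious. The subject list is the one given above;
the risky extensions and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.policy import default

# Subjects the newsletter lists for Mydoom-O (items 1-13) and Atak-C, lower-cased.
LURE_SUBJECTS = {
    "say helo to my litl friend", "click me baby", "one more time", "hello",
    "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error", "attack!", "revenge",
}
# Attachment types these worms arrive as (assumption: zip archives and executables).
RISKY_EXTENSIONS = (".zip", ".exe")


def classify(raw: str) -> str:
    """Return 'lure' when a listed subject and a risky attachment are both present,
    'suspicious' when only one indicator fires (a bare 'hello' is common in
    legitimate mail), and 'ok' otherwise."""
    msg = message_from_string(raw, policy=default)
    subject_hit = str(msg["Subject"] or "").strip().lower() in LURE_SUBJECTS
    attach_hit = any((part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
                     for part in msg.iter_attachments())
    if subject_hit and attach_hit:
        return "lure"
    return "suspicious" if (subject_hit or attach_hit) else "ok"


# Constructed sample: a fake bounce notice carrying a zip attachment.
WORM_SAMPLE = """\
From: "Mail Administrator" <postmaster@example.invalid>
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as attachment.
--b1
Content-Type: application/zip; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
# Constructed samples: a one-word listed subject with no attachment, and ordinary mail.
HELLO_SAMPLE = "From: a@example.invalid\nSubject: hello\n\nHi there.\n"
CLEAN_SAMPLE = "From: a@example.invalid\nSubject: Lunch tomorrow?\n\nNoon works.\n"
```

A real gateway would pair this with signature scanning of the attachment itself; the subject match alone is only a triage hint.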
 

II. Emails from people trying to steal your identity (and your money)

II.1 Update Your Billing Information (from eBay)

The bait: An email that appears to come from eBay, saying the company
has "detected a slight error in your billing information" and that you
must fix it within 48 hours to continue to buy or sell on eBay.

What it tries to make you do: click on a link and tell them your eBay
and PayPal username and password, and your credit/debit card information.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-27-04%20Ebay%20(Update%20Your%20Billing%20Informations).html
 

II.2 Your account at eBay has been suspended

The bait: An email that appears to come from eBay, saying your account
has been suspended and "We had to block your eBay account".

What it tries to make you do: click on a link and tell them your eBay
and PayPal username and password, and your credit/debit card information.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-26-04_Ebay_(your_account_at_ebay_has_been_suspended).html

II.3 Your account at Wells Fargo has been suspended

The bait: An email that appears to come from Wells Fargo, saying your
account has been suspended and "Your account has been compromised by
outside parties."

What it tries to make you do: click on a link and tell them your
username, password, and credit card information

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/06-29-04_Wells_Fargo_(Your_account_at_Wells_Fargo_has_been_suspended).html

II.4. Notification of US Bank Internet Banking

The bait: An email that appears to come from US Bank, saying, "as a
preventative measure, we have temporarily limited access to some features".

What it tries to make you do: click on a link and tell them username,
password, credit card data or debit card data.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-23-04_US_Bank_(Notification_of_US_Bank_Internet_Banking).html

II.5. Attn: Citibank Update

The bait: "Click here" link in an email that seems to come from
Citibank.

What it tries to make you do: click on a link and tell them personal
information and credit card or debit card data.

Where you can see how it actually appears:
http://www.fraudwatchinternational.com/fraud_alerts/040721_1046_citibank.htm
http://www.antiphishing.org/phishing_archive/07-21-04_Citibank_(Attn_Citibank_Update).html

II.6  Confirm AOL Billing Info

The bait: An email that appears to come from AOL, saying your billing
information is out of date and asking you to "spend several minutes and
update your billing records".

What it tries to make you do: click on a link and tell them personal
information and credit card or debit card data.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-20-04_AOL_(Confirm_AOL_billing_info).html
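Every lure in Part II works the same way: the message claims to be from eBay, Wells
Fargo, US Bank, Citibank or AOL, but the link it asks you to click leads somewhere
else. As an added example (not part of the newsletter), this Python check compares
each link's real destination with the claimed sender's domain and with the address
shown in the link text. The sample message, its sender domain and the link hosts are
constructed placeholders (RFC 2606 and RFC 5737 values).

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; adequate for the .com senders named above."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def suspicious_links(raw):
    """Hrefs whose host is outside the From: domain, or whose link text shows a
    URL on a different host than the real destination (the classic phishing tell)."""
    msg = message_from_string(raw, policy=default)
    sender = registered_domain(msg["From"].addresses[0].domain)
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    flagged = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if "://" in text else None
        if registered_domain(href_host) != sender or (
                text_host and registered_domain(text_host) != registered_domain(href_host)):
            flagged.append(href)
    return flagged


# Constructed sample: the eBay billing lure wording with a link to a bare IP address.
PHISH_SAMPLE = """\
From: "eBay Billing" <billing@ebay.example>
Subject: Update Your Billing Information
Content-Type: text/html; charset="us-ascii"

<html><body><p>We have detected a slight error in your billing information.</p>
<p><a href="http://203.0.113.5/update">http://billing.ebay.example/update</a>
<a href="http://www.ebay.example/help">Help</a></p></body></html>
"""
```

The check deliberately trusts nothing in the From: header except as a claim to test the links against; a forged sender plus off-domain links is exactly the pattern the examples above show.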
 

III. Emails from people trying to fool you into hurting yourself or
your friends and coworkers

III.1. jdbg Hoax

The bait: An email telling you about a virus and how to remove it.

Example: Subject: "jdbg" Virus: how to detect and remove. The message
may also talk about finding a teddy bear on your machine, because the
file's icon is a teddy bear.

What it is trying to make you do: delete a harmless file (jdbgmgr.exe)
from your computer.

Where to find more information:
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

==end==

Thanks to CipherTrust for helping to provide some of the data on which
this issue was based.

Copyright, 2004. The SANS Institute. Information security officers have
permission to redistribute this material to employees of their
organizations. Anyone else wanting to redistribute it must get prior
written approval by telling us the groups to whom you would redistribute
it and requesting approval. Email info@sans.org with subject "Permission
to redistribute security awareness newsletter."

