Microsoft WMF hole still lethal
p2p news / p2pnet: Warnings about the highly dangerous Microsoft WMF security hole have been published on- and offline for more than 10 days but Finland’s F-Secure says it believes the owners of most vulnerable Windows machines still haven’t installed the patch.
“We also believe this vulnerability will continue to be used by various different attackers for months, possibly years,” says company research director Mikko Hyppönen. “Today we saw a phishing scam exploiting this vulnerability,” he says on the F-Secure blog.
“This scam works by sending out emails, urging customers of the global HSBC bank to visit a site called www[dot]jhsbc[dot]com. This domain, naturally, has nothing to do with the real bank but it sounds close enough.”
The scam site is running on a home computer connected to the Net by a high-speed cable connection somewhere in Illinois. It’s hosting, or has been hosting, several other phishing-related domains, “including these gems that administrators might want to filter at their gateways”.
- www[dot]i7tgg4rv[dot]com
- www[dot]ll67ffgsp[dot]com
- www[dot]mrhpd74e[dot]com
- www[dot]pph4e32q[dot]com.
The WMF connection “comes from the fact that if you visit this site (and please don’t), the front page contains an IFRAME that will try to push an exploit file called tr.wmf to your system,” states Hyppönen, adding:
“When that is executed, it will download a file called update.exe from the same server. This unexpected gift turns out to be a variant of the Trojan-Spy.Win32.Goldun family, which will start to collect information from the system.”
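For administrators acting on the gateway-filtering suggestion, the following added example (not from F-Secure or p2pnet) checks web proxy logs against the domains listed above and flags the sequence Hyppönen describes: a .wmf fetch followed by an .exe download from the same server. The log format `<epoch> <client> <method> <url>`, the 60-second window and all function names are assumptions, and the sample log lines are constructed.

```python
from urllib.parse import urlsplit

# Domains exactly as the article prints them (defanged); refanged only in memory.
DEFANGED = ["www[dot]jhsbc[dot]com", "www[dot]i7tgg4rv[dot]com",
            "www[dot]ll67ffgsp[dot]com", "www[dot]mrhpd74e[dot]com",
            "www[dot]pph4e32q[dot]com"]
BLOCKLIST = {d.replace("[dot]", ".") for d in DEFANGED}

def host_of(url):
    # urlsplit lowercases the host; drop a trailing root dot so "WWW.X.COM." matches.
    return (urlsplit(url).hostname or "").rstrip(".")

def analyse(log_text, window=60):
    """Return (blocklist_hits, chain_hits) from '<epoch> <client> <method> <url>' lines."""
    blocked, chains, last_wmf = [], [], {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, url = int(parts[0]), parts[1], parts[3]
        host, path = host_of(url), urlsplit(url).path.lower()
        if host in BLOCKLIST:
            blocked.append((client, host))
        if path.endswith(".wmf"):
            last_wmf[(client, host)] = ts
        elif path.endswith(".exe"):
            seen = last_wmf.get((client, host))
            # Flag an .exe fetched from the same host shortly after a .wmf.
            if seen is not None and 0 <= ts - seen <= window:
                chains.append((client, host, path))
    return blocked, chains

def sample_log():
    # Constructed log lines (not real traffic); hosts built from the defanged list.
    bad = DEFANGED[0].replace("[dot]", ".")
    shouty = DEFANGED[4].replace("[dot]", ".").upper() + "."
    return "\n".join([
        f"1137427200 10.0.0.5 GET http://{bad}/",
        f"1137427201 10.0.0.5 GET http://{bad}/tr.wmf",
        f"1137427203 10.0.0.5 GET http://{bad}/update.exe",
        "1137427210 10.0.0.9 GET http://intranet.example/logo.wmf",
        "1137427215 10.0.0.9 GET http://downloads.example/update.exe",
        f"1137427220 10.0.0.7 GET http://{shouty}/index.html",
        "garbage line",
    ])

if __name__ == "__main__":
    hits, chains = analyse(sample_log())
    print("blocklisted:", hits)
    print("wmf->exe chains:", chains)
```

Matching on the .wmf and .exe extensions is a simplification that only catches files named as in the article; the per-client, per-host correlation is what keeps unrelated .wmf and .exe downloads from different servers out of the results.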
Also See:
the patch – ‘Critical’ Microsoft WMF flaw fix, January 6, 2006
blog – WMFishing, January 16, 2005





January 16th, 2006 at 6:07 pm
Individuals are so stupid!!
People, “patch” your PCs!!
Mike
January 17th, 2006 at 4:13 pm
OR,
People don’t surf the internet using PCs!