Message-ID: <418A9DEA.6040604@davewking.com>
From: dave at davewking.com (Dave King)
Subject: New Phishing attack FUD or Real?
There have been several sites that have announced a new phishing attack
that's been found in Brazil that rewrites the hosts file so that when
certain bank urls are entered they get directed to the site in the hosts
file rather than look it up on their DNS server. While I've never seen
such an attack, I've been expecting this to happen eventually (if it
hasn't already happened).
The part of the stories I've read that seems a little strange is that
they say this attack will happen without any type of user interaction
besides opening the email. It seems that the writers are leaving out
the unpatched Outlook, no SP2 and basically assuming that the user is
using either Outlook or Outlook Express. It seems that the machines
I've mentioned would not only have to open the email, but manually run
the script. While I'm not saying this wouldn't ever happen, it's not
what they're saying. To me this is spreading FUD and not responsible
reporting.
Let me know if I'm wrong and other mail clients would be vulnerable to
this attack or if SP2 machines are vulnerable. I also believe it is a
good idea to disable WSH unless you need it (as it's a good idea to
disable anything you don't use).
Here are links to several stories about this new phishing scam.
http://story.news.yahoo.com/news?tmpl=story&cid=74&e=4&u=/cmp/20041104/tc_cmp/51202564
http://story.news.yahoo.com/news?tmpl=story&cid=75&e=3&u=/nf/20041104/tc_nf/28135
http://www.net-security.org/press.php?id=2626
http://www.vnunet.com/news/1159171
http://www.theregister.co.uk/2004/11/04/phishing_exploit/
The only article that seems to say anything about patched users being
protected that I could find was this one:
http://software.silicon.com/security/0,39024655,39125549,00.htm
Dave King
http://www.thesecure.net