Phishers go round the world to hook Aussie victims

Researchers from Sophos have traced the route of a phishing attack that targeted Australian banking customers -- the fraudsters used numerous compromised servers in Korea, the US and Malaysia.

According to Sophos, the campaign kicked off when an attacker posing as a security company called "antifraud" e-mailed Australian account holders to warn them that their online banking services were to be suspended.

"Please note that from May the 14th the online-banking service in Australia will be suspended due to a vigorous hacker attack on the Web sites of the most popular Australian banks (National, Common, Bendigo, BOQ etc.)," the e-mail said.

The e-mail asked users to click on a link for more information.

If the user did click, Sophos said the victim was sent to a hacked Korean server. This computer served up a fake "500 internal server error" page -- which was actually a real page containing an invisible iFrame command.

The iFrame command opened a hidden browser window into which another Web page was downloaded, this time from a compromised machine in Malaysia. Sophos found that this page contained some scrambled JavaScript code and was responsible for launching the first in a series of malware programs.

The malware requested the Background Intelligent Updating Service (BITS) -- a program used to download updates in versions of Windows (from XP2 on) -- to load and launch a second malware program -- this time from a hacked server in the US.

Sophos said the hacked American server then made a nifty side-step, re-directing the download request to one of two other sites, one of which was yet another hacked server in Korea -- back where our journey began.

It's here that, finally, the attacker goes for the gullet -- by attempting to deliver the user a program called Troj/Goldun-FS, which contained code capable of bypassing many of the firewall solutions available from AV vendors.

Paul Ducklin, head of technology at Sophos Asia Pacific, said the twists and turns of the scam provide "an interesting insight into modern cybercrime."

Ducklin said that unlike traditional viruses, malware and phishing attacks are coming armed with the capability to adjust to the level of a user's defence or to where the user is situated. The path Sophos traced is one of many the attack could have taken -- like a regular "Choose Your Own Adventure".

"The interesting thing is that this is not traditional phishing -- where it redirects you to an artificial banking site and asks for your details," Ducklin says. "There is no suggestion that you as a user need to act."

"Nevertheless, the convoluted nature of this attack gives you multiple chances to head it off," Ducklin said. "There are several things the attacker relies on to go right. A user with a patched machine, with their administration privileges switched off, with a firewall switched on and at the right settings, would have headed it off. You need to have made five mistakes to get there."

"Defence in depth multiplies your resistance to modern cybercrime, including, of course, the opportunity not to be seduced into clicking on a link in an unlikely and unexpected e-mail -- which in this case, would stymie the attackers up front."