Phishing Scam Uses Google Maps
Victims in Australia, Germany, and the U.S. are being targeted by a phishing
scam that reveals their location using Google Maps.
Darren Pauli, Computerworld Australia
Tuesday, February 20, 2007 06:00 AM PST

Account holders with at least two Australian banks have become victims of a
phishing scam in which malicious code reveals the physical location of
affected IP addresses using Google Maps. Bank account holders in Germany and
the U.S. have also been targeted.

The malicious code installs a trojan capable of key-logging user activity
and hijacking infected computers.

The scam was circulated as a false news report claiming the Australian prime
minister had suffered a heart attack. It installs a trojan and backdoor code
to capture all user input, and compromises a Web server to allow the
hacker to hijack the victims' computers.

The hacker is then provided with details on the number of infected machines
in each country, while the Google Maps server is used to translate IP
information to pinpoint the machines' physical location.

Websense Australia and New Zealand country manager Joel Camissar believes
hackers could potentially use Google Maps to assist in identity theft.

"The hackers could correlate user information acquired from the key-logger
with knowledge of where a user is located from Google Maps to masquerade as
them," Camissar said. "With this they could access bank accounts and social
security numbers."

Camissar said there are around 750 infected desktops in Australia.

Westpac and the Commonwealth Bank were among those specifically targeted in
Australia, while Bank of America and Germany's Deutsche Bank were also
attacked. Westpac and the Commonwealth Bank were unavailable to comment at
the time of publication.

Sophos senior technology consultant Graham Cluley said users are directed to
a 404 error page which downloads the code. 

"Recipients of the e-mail are encouraged to click on a link to obtain the
latest information on Howard's health; however, this link takes users to a
Web page which downloads malicious code to their PC, and then displays the
real '404 page not found' error page," Cluley said.

"The scammers have registered several domain names that appear to be
associated with a newspaper, and have gone to great effort to make people
think that they really are visiting the genuine site by pointing to a real
error page."

"Everyone should be on their guard against this kind of e-mail con-trick, or
risk having their PC infected."

Camissar was unsure whether Websense acquired the information through sample
code provided by AusCERT or by accessing the hackers' servers.

Read About It
Information about BackDoor-CWW is located on VIL at:
http://vil.nai.com/vil/content/v_137796.htm

Detection
This new variant of BackDoor-CWW was first discovered on February 20, 2007
and detection for this variant will be added to the 4968 Dat files (Release
Date: February 21, 2007).

Though we consider this a low threat, an EXTRA.DAT file may be downloaded
via the McAfee AVERT Extra.dat Request Page:
<https://www.webimmune.net/extra/getextra.aspx>

If you suspect you have BackDoor-CWW, please submit a sample to
<http://www.webimmune.net>


Mike Grant
Bytware, Inc.
775-851-2900 

http://www.bytware.com


CONFIDENTIALITY NOTICE:  This e-mail message and any attachment to this e-mail 
message contain information that may be privileged and confidential.  This 
e-mail and any attachments are intended solely for the use of the individual or 
entity named above (the recipient) and may not be forwarded to or shared with 
any third party.  If you are not the intended recipient and have received this 
e-mail in error, please notify us by return e-mail or by telephone at 
775-851-2900 and delete this message.  This notice is automatically appended to 
each e-mail message leaving Bytware, Inc.  



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].