Key-logging phishing scam targets internet banking users

The combination of an exploit of a serious vulnerability in Internet Explorer (IE) and a phishing email is posing a serious threat to Internet banking users.

Australian security experts said in an advisory the vulnerability allowed the remote execution of arbitrary code on a local computer by a malicious website.

The perpetrators of the exploit lure unsuspecting Australian users to the malicious website by widely distributing spam emails - purporting to be from one of the Big Four local banks - containing what appears to be a legitimate link to the bank's internet banking site.

The IE vulnerability, however, has allowed the fraudsters to spoof the URL of the bank's legitimate website by manipulating the information displayed in the status bar using an embedded form. The "From:" field of the emails include what is likely to be a valid email address for the bank they purport to be from.

Those who click on the link are directed to a website, however, which automatically executes a malicious key logger program on their computer. The user is then automatically directed to the bank's real internet banking website. The program then captures log-in details when the user logs in to the real site and sends those back to the fraudsters via an email sent via an anonymous mail server based in Russia.

AusCERT senior security analyst Jamie Gillespie said the use of URL obfuscation and exploit to install a program went beyond previous phishing scam moves to fool users into entering data into a fake website.

"[These exploits allow the perpetrators to] capture details when the user enters a true web banking site," he said.

The body copy of the malicious email reads as following:

Dear user!

We are informing you that today, the amount of $XXX AUD has been drawn out of your account. Technical assistance of YYY Bank http://www.ZZZ.com.au

AusCERT said initially in its advisory that it was unaware of any patch being released by Microsoft to deal with the IE vulnerability. Microsoft Australia, however, late in the day released a statement saying it had identified the vulnerability in December last year and released a patch. Gillespie nonetheless warned that AusCERT believed that a large number of home users may not be patched and would still be vulnerable.

Iain Ferguson writes for ZDNet Australia. For more news from ZDNet Australia click here.