OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 1, No. 8. August 3, 2004

 

Every day, thousands of people are fooled by email from criminals trying
to steal their identities or infect and take over their computers. This
update will help you avoid being a victim. The attacks listed here are
the tip of the iceberg. To be safe, don't open email attachments from
anyone unless you were expecting the attachment. And don't click on
links in emails unless you can guarantee the email came from someone who
is not trying to fool you.

Contents
Harmful Email Subjects to Avoid
I. Emails from people trying to infect your system and steal your
friends' email addresses for spam
I.1. Pictures of Osama Bin Laden hanging or Arnold Schwarzenegger's
suicide note
I.2. Email that seems to come from your system administrator or
other familiar sender that says your email could not be
delivered, or some similar statement.
I.3. Email with subject "Against!" or "Revenge"
I.4. Email with subject Re_ and body with animals or foto or other
subjectsII. Emails from people trying to steal your identity (and your money)
II.1. Update Your Billing Information (from eBay)
II.2. Your account at eBay has been suspended
II.3. Your account at Wells Fargo has been suspended
II.4. Notification of US Bank Internet Banking
II.5. Attn: Citibank Update
II.6 Confirm AOL Billing InfoIII. Emails from people trying to fool you into hurting yourself or
your friends and coworkers
III.1 Subject: "jdbg" Virus: how to detect and remove.


More Details About Each Attack
I: Emails from people trying to infect your system and steal your
friends' names for spam
I.1. Name: Hackarmy
The bait: An email or news article claiming to offer you copies of
pictures of Osama Bin Laden being hanged. A second form claims
to have a suicide note from Arnold Schwarzenegger.
How it infects your system: You click on a link that downloads a zip
file. You execute the file thinking you will see the pictures.
What it does to you: Gives attackers remote control of your computer so
they can use it in attacks on other people, or harvest email names for
spam.

Where to find detailed information:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.d.html

I.2. Name: Mydoom-O
The bait: An email that seems to come from your mail or system
administrator or from another familiar sender, with an attachment
and with any one of the following subjects: (1) say helo to my litl
friend, (2) click me baby, (3) one more time, (4) hello, (5) error,
(6) status, (7) test, (8) report, delivery failed, (9) Message could
not be delivered, (10) Mail System Error - Returned Mail,
(11) Delivery reports about your e-mail, (12) Returned mail: see
transcript for details, (13) Returned mail: Data format error.
How it infects your system: You download and open the attachment.
What it does to you: Steals all email addresses from you to be sold to
Spammers; spreads to other sites from your machine. It also uses your
system to send requests to search engines like Google to look for more
email addresses.

Where to find more detailed information:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

I.3. Name: Atak-C

The bait: An email that arrives with the subject "Attack!" or "Revenge"
and a zipped attachment

How it infects your system: You download and open the attachment.
What it does to you: Steals all email addresses from you to be sold to
spammers.

Where to find more detailed information:
http://www.sophos.com/virusinfo/analyses/w32atakc.htm

lI.4. Name: Beagle

The bait: An email with subject Re_ and body with animals or foto or
other subjects, and an attachment.
How it infects your system: You download and open the attachment.
What it does to you: Disables antivirus and other important software,
mass mails itself to others, steals email addresses from throughout
your files, gives attacker remote control of your computer to use to
attack other systems.
Where to find more detailed information:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39641


II. Emails from people trying to steal your identity (and your money)
II.1 Update Your Billing Information (from eBay)
The bait: An email that looks as if it comes from eBay saying the
company has "detected a slight error in your billing information" and
saying that you must fix it within 48 hours to continue to buy or sell
on eBay.

What it tries to make you do: Click on a link and tell them your eBay
and PayPal username and password, and your credit/debit card
information

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-27-04%20Ebay%20(Update%20Your%20Billing%20Informations).html

II.2 Your account at eBay has been suspended
The bait: An email that looks as if it comes from eBay saying your
account has been suspended and "We had to block your eBay account"
What it tries to make you do: Click on a link and tell them your eBay
and PayPal username and password, and your credit/debit card
information
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-26-04_Ebay_(your_account_at_ebay_has_been_suspended).html


II.3 Your account at Wells Fargo has been suspended
The bait: An email that looks as if it comes from Wells Fargo saying
your account has been suspended and "Your account has been compromised
by outside parties."
What it tries to make you do: Click on a link and tell them your
username, password, and credit card information.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/06-29-04_Wells_Fargo_(Your_account_at_Wells_Fargo_has_been_suspended).html

II.4. Notification of US Bank Internet Banking
The bait: An email that looks as if it comes from US Bank saying, "as a
preventative measure, we have temporarily limited access to some
features."
What it tries to make you do: Click on a link and tell them username,
password, credit card data or debit card data.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-23-04_US_Bank_(Notification_of_US_Bank_Internet_Banking).html

II.5. Attn: Citibank Update
The bait: "Click here" link in an email that seems to come from
Citibank.
What it tries to make you do: Click on a link and tell them personal
information and credit card or debit card data.
Where you can see how it actually appears:
http://www.fraudwatchinternational.com/fraud_alerts/040721_1046_citibank.htm
http://www.antiphishing.org/phishing_archive/07-21-04_Citibank_(Attn_Citibank_Update).html

II.6 Confirm AOL Billing Info
The bait: An email that seems to come from AOL saying your billing
information is out of date and asking you to "spend several minutes
and update your billing records."
What it tries to make you do: Click on a link and tell them personal
information and credit card or debit card data.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-20-04_AOL_(Confirm_AOL_billing_info).html


III. Emails from people trying to fool you into hurting yourself or your
friends and coworkers

III. 1. jdbg Hoax
The bait: An email telling you about a virus and how to remove it.
Example: "Subject: "jdbg" Virus: how to detect and remove." May also
talk about finding a teddy bear on the machine - because the file has a
bear as a symbol.
What it is trying to make you do: Remove a file that is not harmful.
Where to find more information:
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

SANS extends its thanks to the 175 organizations that helped develop the
format and content of this alert. Special thanks go to CipherTrust
(http://www.ciphertrust.com) for providing lists of the most important
threats.
Copyright 2004, The SANS Institute. http://www.sans.org
Permission is granted to copy and redistribute this material to whomever it will help.