Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #36

September 09, 2004


1. At the end of this issue of NewsBites, you'll find the second monthly issue of OUCH, the free email newsletter that helps educate your users (and family and friends) about how to avoid phishing attacks and viruses and hoaxes. Cut it out and send it to anyone who will benefit from it.

2. Have you ever felt that software vendors and ISPs should do more to protect users (instead of blaming users)? You'll find strong support for that view in the two-part investigative series that starts today in USA Today. It is the first story in Top of the News.

3. If you are thinking about coming to Las Vegas for Network Security 2004 at the end of September, make your hotel reservation this week. The conference hotel is just about out of rooms.

Alan

TOP OF THE NEWS

Investigative Report: How Hackers Infect PCs To Spread Spam and Steal Money
CIO Council Issues Information Sharing Security and Privacy Guide for Agencies
DoJ Crackdown Reveals Government Computers Were Commandeered for Spamming
China Legalizes Digital Signatures

SPECIAL REPORT

Behind the Scenes at the Internet Storm Center

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Alleged eBay Domain Hijacker arrested
Accused "War Spammer" Makes Plea Agreement
Man Receives Three Year Sentence for Software Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Red Hat Releases Update 3 for Enterprise Linux 3
Patches Available for Linux Qt Library Flaw
WinZip Buffer Overflow Vulnerabilities
Oracle Releases First Monthly Security Bulletin
Double Free Vulnerabilities in Kerberos
Japanese Windows Users Can Get SP2 at Post Office
Bagle Variant Loses Steam
Nullsoft Releases Patch for WinAmp Skins Flaw
STANDARDS AND BEST PRACTICES
Best Practices for XML Web Services Security
Open Source Vulnerability Database Compiles Vendor Directory to Aid Disclosure
MISCELLANEOUS
A week with an open proxy
McAfee AV Signature File Mistakes Legitimate Software for Trojan
Spyware Could Hinder SP2 Installation
South Korean Airport Network is Vulnerable to Attacks
Australian Online Betting Sites Targeted by Protection Schemes
Mumbai Police Find No Evidence of Theft at Jolly Facility
Missing California State University Hard Drive was Probably Thrown Away

EXTRAS

1. Securing Apache
2. Encrypted Email Research Project
3. Your copy of OUCH: The newsletter on phishing, viruses and scams.


************************ Sponsored by BindView **************************

REGISTER! HIPAA: Proving Due Care to Customers, Investors, and Jurors

Attorneys are using healthcare security breaches to file civil suits against organizations. Join BindView and a panel of compliance and legal experts for an online presentation on how to protect yourself and your organization.
http://www.bindview.com/Events/GetEvents.cfm?NUM=1193&AD=NS-SANS0921WBNR-Q304

FREE HIPAA Security Whitepaper: Critical Success Factors for Implementation and Compliance https://ocp.bindview.com/Surveys/Main/csLeadRouting.cfm?NUM=1195&AD=NS-SANSHIPAAWP-Q304


*************************************************************************

Featured Training Program of the Week
Back to the Future: Find the Future of Information Security in New Orleans November 1 - 4 at SANS CDI South.
That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four different topics, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timeliness and practicality of the information, and the value you will bring back to your employer (not to mention the weather) and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference. http://www.sans.org/cdisouth04/
*************************************************************************

TOP OF THE NEWS

Investigative Report: How Hackers Infect PCs To Spread Spam and Steal Money

In a landmark study of the economics and techniques of hackers, two top reporters from USA Today have painted a vivid picture of what is really going on in cyber crime today and how it involves millions of home and business users. This article is the first of two parts. Part One vividly illustrates the problem and ends with the challenge: "Consumer outrage needed." On Thursday, September 9, Part Two shows that the problem will just get worse if vendors and ISPs continue to refuse to do their fair share to reduce the risk.
-http://www.usatoday.com/money/industries/technology/2004-09-08-zombieuser_x.htm

CIO Council Issues Information Sharing Security and Privacy Guide for Agencies (3 September 2004)

The CIO Council, with help from the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST) and industry groups, has released the Federal Enterprise Architecture Security and Privacy Profile, a guide designed to help agencies balance their need to share information with their need to be aware of security and privacy issues. The guide encourages federal managers to incorporate security and privacy into information systems as early in their development as possible.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27147

-http://www.fcw.com/fcw/articles/2004/0830/web-fea-09-03-04.asp

DoJ Crackdown Reveals Government Computers Were Commandeered for Spamming (30 August 2004)

The Justice Department's Operation Web Snare, a cyber crime crackdown that netted over 150 arrests, turned up evidence that government computers were hijacked and used as zombie machines to send spam. The compromised computers, which numbered in the hundreds, belong to the Defense Department and the US Senate.
-http://www.usatoday.com/tech/news/computersecurity/2004-08-30-cyber-crime_x.htm

China Legalizes Digital Signatures (30 August 2004)

In an effort to bolster its fledgling ecommerce market, China has legalized digital signatures.
-http://www.securitypipeline.com/news/showArticle.jhtml?articleId=46200170&printableArticle=true


SPECIAL REPORT

Behind the Scenes at the Internet Storm Center (6 September 2004)

This article follows SANS Internet Storm Center CTO Johannes Ullrich through a shift in late July during which MyDoom.O appeared on the scene.
-http://www.nwfusion.com/research/2004/090604sans.html?page=1

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Alleged eBay Domain Hijacker arrested (4 September 2004)

German police have arrested a 19-year-old man for allegedly hijacking eBay Germany's domain. The young man, who is not a computer expert, said he requested DNS transfers "just for fun" and meant no harm. Most of his requests were denied, but for some reason, the eBay request was allowed.
-http://www.theregister.co.uk/2004/09/04/ebay_domain_hijacker_arrested/print.html

Accused "War Spammer" Makes Plea Agreement (8/3 September 2004)

Nicholas Tombros, who allegedly drove around a California neighborhood searching for unsecured wireless access points which he then used to send spam, has reached a plea agreement with prosecutors. The case was filed under criminal provisions of the CAN-SPAM Act, and marks the first time someone has been prosecuted for breaking into wireless networks to send spam.
-http://www.securityfocus.com/printable/news/9453
-http://networks.silicon.com/mobile/0,39024665,39123801,00.htm

Man Receives Three Year Sentence for Software Piracy (3 September 2004)

Alexander Tobolsky has been sentenced to just over three years in prison for copyright infringement. Mr. Tobolsky sold pirated copies of Intuit financial software over the Internet.
-http://www.itsecurity.com/tecsnews/sep2004/sep58.htm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Red Hat Releases Update 3 for Enterprise Linux 3 (7 September 2004)

Red Hat has released Update 3 for Red Hat Enterprise Linux 3. The update includes features that protect against stack, pointer and buffer overflows and extended No Execute (NX) support.
-http://www.eweek.com/print_article/0,1761,a=134828,00.asp
[Editor's Note (Schultz): Many kudos to Red Hat for building in security right up front.
(Pescatore): While NX support isn't the end to worms, running Linux and Windows servers and PCs on hardware/OS platforms that support NX will make the most common forms of attack harder. Hardware refresh cycles should emphasize moving onto these platforms. ]

Patches Available for Linux Qt Library Flaw (30 August 2004)

A number of Linux vendors have made patches available for a security flaw in the Qt library that could potentially be exploited to crash applications and execute malicious code. The vulnerability affects Qt versions preceding 3.3.3.
-http://www.computerworld.com/printthis/2004/0,4814,95577,00.html

WinZip Buffer Overflow Vulnerabilities (3 September 2004)

WinZip is urging customers to upgrade to the newest version of its compression utility, WinZip 9.0 SR-1. WinZip released a warning that previous versions are vulnerable to buffer overflow attacks. Affected versions go back as far as version 3.0. The upgrade is available on the company's web site.
-http://www.techweb.com/article/printableArticle.jhtml?articleID=46800120

Oracle Releases First Monthly Security Bulletin (3/2 September/31 August 2004)

Oracle has released its first monthly security bulletin, which contains patches for a number of vulnerabilities. Some of the vulnerabilities were noted by a researcher in January who has criticized Oracle for not releasing fixes for the flaws as soon as they were complete, but he and his company say they will not release details of the vulnerabilities for three months in order to allow time for administrators to test and apply the fixes. US-CERT has released a warning about the critical vulnerabilities, which could allow attackers to shut down or take control of systems running unsecured software or to steal information from unsecured databases. Users are urged to apply the patches as there is no workaround for the flaws.
-http://www.computerworld.com/printthis/2004/0,4814,95638,00.html
-http://www.computerworld.com/printthis/2004/0,4814,95678,00.html
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39192188-39000005c
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1003554,00.html

[Editor's Comment (Schultz): I have to chuckle every time I think of Larry Ellison's having labeled Oracle "hackproof" at one time.
(Tan): Instead of more than thirty alerts, now we only get one. This monthly release of alerts is a good strategy. Administrators will now have an easier time planning their tasks and downtime periods. Microsoft has done this and so far it seems to work well. ]

Double Free Vulnerabilities in Kerberos (2 September 2004)

Researchers are warning of double free vulnerabilities in Kerberos which could allow attackers access to unprotected machines. Users are urged to apply patches as they become available. In addition, flaws in the ASN.1 decoder library could allow attackers to put vulnerable machines into an endless loop.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39192189-39000005c
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1003561,00.html

-http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
-http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt

Japanese Windows Users Can Get SP2 at Post Office (2 September 2004)

Windows XP users in Japan will be able to get free copies of SP2 on CD at post offices and other selected outlets around the country. The CDs are intended mainly for people who have slow Internet connections. Microsoft will send CDs to US customers free of charge but does not plan a free distribution like the one in Japan.
-http://www.securitypipeline.com/news/showArticle.jhtml?articleId=46200852&printableArticle=true

[Editor's Note (Pescatore): I've never liked seeing AOL disks in Post Offices in the US. Not only does it just seem like some sort of conflict of interest, but if you wouldn't eat a donut you found lying around in a post office, why would you take some CD that you found there and load it on your home computer?]

Bagle Variant Loses Steam (2/1 September 2004)

A new Bagle variant, which goes by a variety of names, spread quickly but was thwarted in its second stage; the infected machines were supposed to contact one of 131 sites to download a backdoor program which would allow them to be used as zombie machines to send spam. However, none of the sites contained the necessary code. The worm was likely sent out by a spam bot network. It was also supposed to download the code that would allow it to spread to other machines.
-http://www.internetweek.com/shared/printableArticle.jhtml?articleID=46200619
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39165277-39020645t-10000025c

Nullsoft Releases Patch for WinAmp Skins Flaw (30 August 2004)

Nullsoft, an America Online subsidiary, has released a patch for a recently disclosed vulnerability in its WinAmp media player. Researchers have warned that a zero-day exploit for the flaw is circulating. The new version, WinAmp 5.05, will provide users with a confirmation window before installing skins, and it will extract only low risk files before installing any WinAmp skins.
-http://www.internetnews.com/security/article.php/3401151
-http://www.winamp.com/about/article.php?aid=10605

STANDARDS AND BEST PRACTICES

Best Practices for XML Web Services Security (2 September 2004)

XML web services security best practices from Fortune 500 companies include securing the transport layer, implementing XML filtering, validating, transforming, signing and time stamping all messages and implementing secure auditing.
-http://zdnet.com.com/2102-1105_2-5345253.html?tag=printthis

Open Source Vulnerability Database Compiles Vendor Directory to Aid Disclosure (31 August 2004)

The Open Source Vulnerability Database (OSVDB) has published a directory of vendors to help researchers contact the appropriate people when they discover security flaws. OSVDB would like vendors to check the directory to make sure the contact information is accurate.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1003346,00.html

-http://www.osvdb.org/vendor_dict.php

MISCELLANEOUS

A week with an open proxy

Researcher Ryan Barnett ran an open proxy for a week and analyzed the traffic. Among other things, he found distributed login and password guessing against Yahoo accounts, web server fingerprinting and proxy chaining. The results of the work became a Scan of the Month for the Honeynet Project.
-http://www.sans.org/rr/special/http_elephant.php

McAfee AV Signature File Mistakes Legitimate Software for Trojan (7 September 2004)

A September 1st antivirus signature file update from McAfee incorrectly identifies an Australian software developer's Internet setup program wizard as a Trojan horse program. Because McAfee's antivirus software automatically removes the program from machines it scans, people have been unable to connect to their ISPs. McAfee has not yet addressed the problem; it may be late this week before a new signature file is released.
-http://www.theregister.co.uk/2004/09/07/mcafee_false_alarm/

Spyware Could Hinder SP2 Installation (6/2 September 2004)

Microsoft is warning users to scrub their machines of spyware and back up their data before downloading the Windows XP Service Pack 2 update. There are reports that certain spyware programs cause machines to freeze when the update is installed. In addition, PC manufacturers are warning users to install new drivers and patches before downloading SP2. US-CERT has tempered its recommendation that people apply SP2 with warnings to back up data and check with product manufacturers for compatibility issues.
-http://www.cnn.com/2004/TECH/ptech/09/06/windowsupdate.ap/index.html
-http://www.eweek.com/print_article/0,1761,a=134677,00.asp
-http://zdnet.com.com/2102-1104_2-5343593.html?tag=printthis
-http://www.us-cert.gov/cas/alerts/SA04-243A.html

South Korean Airport Network is Vulnerable to Attacks (3 September 2004)

A report from South Korea's National Intelligence Service (NIS) says that Incheon Airport's computer network is vulnerable to infections and attacks because it is shared by airlines and tourist agencies located in the airport. The report found that more than 7,000 viruses were detected in a two-day period at the 116 businesses within the airport. The number of attempts to attack the airport's computer network has increased steadily since 2001. The NIS has demanded that the airport separate its network from the businesses; airport officials agree, saying they will remove the businesses from their network as soon as possible, but say they face "budget and manpower" shortages.
-http://times.hankooki.com/lpage/200409/kt2004090317214510230.htm

Australian Online Betting Sites Targeted by Protection Schemes (3 September 2004)

Cyber extortionists are targeting Australian online betting sites and demanding money to protect the sites from denial-of-service attacks. One site was ordered to send 20,000 USD to a Latvian bank account. The company at first refused to pay, but the ensuing attack made it impossible to conduct business, so they eventually met the extortionists' demands. Law enforcement agencies worldwide have been investigating the gangs responsible for the attacks. Last July, three men were arrested in Russia in connection with another investigation.
-http://australianit.news.com.au/common/print/0,7208,10651299%5E15306%5E%5Enbv%5E,00.html

[Editor's Note (Pescatore): Cyber criminals are hitting all kinds of online gambling and porno sites. I'm amazed that ISPs have been so slow to offer in-the-cloud DoS prevention services. If these sites are willing to pay bad guys $20K, paying good guys $1K per month on top of bandwidth charges is a no-brainer. ]

Mumbai Police Find No Evidence of Theft at Jolly Facility (31 August 2004)

Police in Mumbai, India dispute the claim by Jolly Technologies president Sandeep Jolly that they have refused to launch an investigation into an alleged theft at the California-based company's Mumbai facility. Instead, say police, Jolly did not file a formal complaint and a preliminary inquiry turned up no evidence of a theft. Police say that the Mumbai Jolly facility has no security policy and therefore was not able to provide them with logs necessary for investigating the alleged theft.
-http://www.computerworld.com/printthis/2004/0,4814,95615,00.html

Missing California State University Hard Drive was Probably Thrown Away (3 September 2004)

The disappearance of a hard drive containing the names, addresses and social security numbers of 23,000 students, faculty and staff at California State University campuses has prompted university officials to contact everyone whose information may have been exposed, as required by a new state law. All those affected received letters though there have been no reports of identity theft; a police investigation concluded that the drive in question was probably thrown away by mistake rather than stolen.
-http://www.computerworld.com/printthis/2004/0,4814,95690,00.html

EXTRAS

1. Securing Apache

Ryan Barnett, the researcher who completed the open proxy results posted in NewsBites, has written an advanced course on securing Apache. We primarily run the course on demand. If you are interested in hosting the course in your city, please write stephen@sans.org

2. Encrypted email research project

SANS has recently learned many organizations are unable to send/receive encrypted email to and from Internet customers. PKI solutions have interoperability and usage problems and the key logistics of PGP overwhelm many organizations. Worse, the two solutions do not seem to interoperate well. If your organization has a PKI solution that allows you to interoperate with PGP, please send your PKI X509 certificate in an encrypted email to stephen@sans.org that he can respond to. Note, this may take a couple of tries; in fact, so far we have been unsuccessful.

Stephen's key is below:

3. OUCH

************************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 1, No. 9.                  September 8, 2004
************************************************************************
Major threat this month: Phishing attacks that seem to come from Citibank, Paypal, Citizens Bank and US Bank
Phishing attacks have been doubling every month. In a phishing attack, the thieves pretend to be sending you to a reputable site like Citibank and ask for your private data, so they can steal your money or your identity. Recent research reports that one in twenty people are fooled by these types of attacks, which is why the thieves keep at it. One of our goals is to make sure you don't get caught in the scams.
Also this month, graphical spam is increasing. Spammers send you a picture of the offer instead of the text of the offer, so that your company or internet provider's spam blockers are powerless to stop them even if they use very bad language.
The attacks discussed here are the tip of the iceberg.
To be safe:
  - DON'T open email attachments from anyone unless you know the sender and you were expecting the attachment.
  - DON'T click on links in emails or web sites unless you can guarantee the email came from someone who is not trying to fool you and that the web site is actually the site you think it is.
  - DON'T disclose private information unless you initiated the need to do so.
************************
What To Avoid This Month
I. Emails from people trying to get you to divulge private details.
These are often trying to steal your identity (and your money)
  I.1 Maintenance Update (from Citibank)
  I.2 PayPal account limited
  I.3 Citizens Bank Fraud Verification Process
  I.4 Citibank with various subjects and possibly a time stamp
  I.5 Attn: Citibank Update
  I.6 "notice: US Bank"
II. Opening attachments that have interesting subjects and provocative text in the body of the email. Several viruses (Beagle, MyDoom, Netsky) are still spreading rapidly because they fool you into thinking they come from a friend and have data you want to see. Remember: do not open unexpected attachments without checking with the sender to be sure the attachment is safe. If you break this rule, you will hurt a lot of other people - people you know - because your infected computer will send viruses to people in your address book.
******************************
More Details About The Phishing Attacks
I. Emails from people trying to steal your identity (and your money)
I.1 Maintenance Update (from Citibank)
The bait:
  An email that looks as if it comes from Citibank saying the company "could not verify your current information," and asking you to update it.
What it tries to make you do:
  Click on a link and tell them your credit card information, social security number, date of birth and mother's maiden name.
Where you can see how it actually appears:
-http://www.antiphishing.org/phishing_archive/09-02-04_Citibank_(Citibank.com_Maintenance_upgrade).html


I.2 PayPal account limited
The bait:
  An email that looks as if it comes from PayPal and says, "We suspect that your PayPal account may have been accessed by an unauthorized third party."
What it tries to make you do:
  Click on a link and tell them your email and your PayPal password.
Where you can see how it actually appears:
-http://www.antiphishing.org/phishing_archive/09-01-04_Paypal_(PayPal_account_Limited).html


I.3 Citizens Bank Fraud Verification Process
The bait:
  An email that looks as if it comes from Citizens Bank saying they suspect your account may have been accessed by an unauthorized third party.
What it tries to make you do:
  Click on a link and tell them your ATM or debit card number and password.
Where you can see how it actually appears:
-http://www.antiphishing.org/phishing_archive/08-31-04_Citizens_Bank_(Citizen_Bank_Fraud_Verification_Process).html


I.4. Citibank with various subjects and possibly a time stamp
The bait:
  An email that looks as if it comes from Citibank saying they are updating their software and asking you to click on what looks like a real Citibank URL.
What it tries to make you do:
  Click anywhere on the image (the entire scam is a single image) and then provide a wealth of very private information ranging from your ATM card and PIN to your mother's maiden name.
Where you can see how it actually appears:
-http://www.antiphishing.org/phishing_archive/08-27-04_Citibank_(various_subjects,_image-only_email).html


I.5. Attn: Citibank Update
The bait:
  A "Click here" link in an email that seems to come from Citibank saying that they noticed one or more attempts to log into your account from a foreign IP address.
What it tries to make you do:
  Click on a link and tell them your ATM card number and PIN and username and password.
Where you can see how it actually appears:
-http://www.antiphishing.org/phishing_archive/08-26-04_Citibank_(Attn_Citibank_Update).html


I.6 "notice: US Bank"
The bait:
  An email that seems to come from US Bank asking you to login.
What it tries to make you do:
  When you click on the login button, it asks for your ATM Card number and PIN.
Where you can see how it actually appears:
-http://www.antiphishing.org/phishing_archive/08-25-04_US_Bank_(Notice_Us__BANK).html



==end==

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/

Copyright 2004, The SANS Institute. http://www.sans.org Permission is granted to copy and redistribute this material to whomever it will help.