Phishers Bite Back with Malware Exploits Linked to Keywords

August 26, 2008 – 6:11 AM

Criticize the people behind the Asprox botnet, and they take it personal—so much so that they will bombard you with malware, according to a report by SecureWorks.

The botnet, now at least 50,000-strong with bots, is sending out phishing e-mails posing as messages from banks in the United States and United Kingdom. The links inside the e-mail lead to a page with a phishing form that reacts to both incomplete forms and forms containing certain keywords, including profanity or the word “phish.” If users who filled out the form improperly click on the “confirm” button, their computers are assaulted with malware in retaliation.

Interestingly, the botnet does not seem to infect people merely for clicking on the link in the e-mail, and if the form appears to be filled out with legitimate log-in data, the victim is redirected to the main page of their banking Web site, according to SecureWorks.

Those who fill it out with illegitimate data, however, are hit with a number of exploits targeting vulnerabilities in Microsoft Windows.

“It’s kind of a self-completing cycle,” said Joe Stewart, director of malware research at SecureWorks. “When you hit that phish page, you’re visiting somebody else who got infected before you. So you’re looking at their infected computer … [and] if you do the wrong thing, you get to be part of the botnet too.”

Stewart admitted he did not know if there are other phishing pages with exploits triggered by keywords, but said this is the first he has heard of it.

It is certainly a new activity for Asprox, which made headlines earlier this year for installing a SQL injection attack tool on infected bots to attack Web sites. The attack is just another reason to be wary of links in e-mail.

“Nowadays it’s not really safe to click on anything [in e-mails,” Stewart said. “You don’t really know whose site got compromised.”

Source:
http://www.eweek.com/c/a/Security/Phishers-Bite-Back-With-Malware-Exploits/

You must be logged in to post a comment.