Web attack aims to steal surfers' financial details

IDG News Service - A new Internet attack discovered late yesterday was designed by an infamous group of Russian virus writers to steal credit card and other financial information from Web surfers and send it to Web sites where it can be retrieved by the hackers, security experts warned today.
Mikko Hypponen, director of antivirus research at Helsinki antivirus company F-Secure Corp., said his team had stayed up all night examining details of the new threat and have connected it with a known Russian virus-writing group called Korgo.
According to Hypponen, the group has hacked into Web servers of some major Internet service providers that host "huge" Web sites, such as an online auction site and banking sites, to append malicious code to their pages. This code, which security researchers are calling "Scob," connects a user's PC to Web addresses run by the hackers from which they can silently download and install a Trojan horse. The code then uses a keystroke logger to collect Web surfers' passwords, log-ins, PayPal payment data and other sensitive information, Hypponen said. The information is then sent to Web sites where the hackers can retrieve them.
"It just boggles the mind when you see the amount of information available on these sites -- credit card numbers, banking information -- and it's available to anyone who knows the Web sites," Hypponen said.
He added, however, that the Web addresses where the information is being stored aren't obvious and that potential hackers would have to reverse-engineer the code to find them.
Law authorities, who were already investigating the Korgo group, have an open investigation into the case and are working on shutting down the sites, Hypponen said.
Graham Cluley, senior technology consultant at security firm Sophos PLC, said his team has also connected the threat to the Korgo group. However, he said the team hasn't been able to get through to the Web addresses that download the Trojan horse.
"So far, it doesn't cause much harm, but the hackers could choose to redirect users to other addresses that work," he said.
Cluley also warned that the hackers could choose to change the Trojan horse, enabling it to launch a spam or denial-of-service attack. "The world is really their oyster," he said.
Security experts have said that the attack affects only users of certain versions of Microsoft Corp.'s Internet Explorer browser.
Additionally, Cluley said it appears that the threat affects only Web servers running Microsoft Internet Information Services 5 Web Server software and not Microsoft IIS 6, which comes with Windows 2003