Researchers from Sophos have traced the route of a phishing attack that targeted Australian banking customers -- the fraudsters used numerous compromised servers in Korea, the US and Malaysia.
According to Sophos, the campaign kicked off when an attacker posing as a security company called "antifraud" e-mailed Australian account holders to warn them that their online banking services were to be suspended.
"Please note that from May the 14th the online-banking service in Australia will be suspended due to a vigorous hacker attack on the Web sites of the most popular Australian banks (National, Common, Bendigo, BOQ etc.)," the e-mail said.
The e-mail asked users to click on a link for more information.
If the user did click, Sophos said the victim was sent to a hacked Korean server. That server returned what looked like a "500 Internal Server Error" page -- but it was in fact a real, working page that contained an invisible iframe.
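The hidden-iframe trick described above is easy to audit for on the defender's side. The following is an added example, not code from Sophos or from the article: it scans a served HTML page for iframes that are sized to zero or hidden by CSS, using a constructed sample page that mimics the fake "500" error page (the URLs in the sample are placeholders).

```python
# Added example (not from the Sophos article): flag invisible iframes in
# served HTML, the technique used on the hacked Korean "500 error" page.
import re
from html.parser import HTMLParser

# Constructed sample: looks like a plain 500 page but hides a 0x0 iframe.
SAMPLE_PAGE = """<html><head><title>500 Internal Server Error</title></head>
<body><h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request.</p>
<iframe src="http://example.invalid/loader" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://example.com/legit" width="600" height="400"></iframe>
</body></html>"""

SIZE_RE = re.compile(r"^\s*(\d+)\s*(px)?\s*$", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel (classic hidden frame)."""
    m = SIZE_RE.match(value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    """Collect (src, reasons) for every iframe that would be invisible to the user."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if re.search(r"(width|height):0(px)?(;|$)", style):
            reasons.append("css-zero-size")
        if "hidden" in a:  # bare HTML5 `hidden` attribute
            reasons.append("hidden-attr")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def find_hidden_iframes(html):
    """Return a list of (src, [reasons]) for hidden iframes found in `html`."""
    p = IframeAuditor()
    p.feed(html)
    p.close()
    return p.findings

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_PAGE):
        print(f"hidden iframe -> {src} ({', '.join(why)})")
```

Run it against the body of any HTTP response, including error responses, since a 500 status is exactly where a reviewer would not expect active content.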
The malware requested the Background Intelligent Updating Service (BITS) -- a program used to download updates in versions of Windows (from XP2 on) -- to load and launch a second malware program -- this time from a hacked server in the US.
Sophos said the hacked American server then made a nifty side-step, re-directing the download request to one of two other sites, one of which was yet another hacked server in Korea -- back where our journey began.
It's here that, finally, the attacker goes for the gullet -- by attempting to deliver the user a program called Troj/Goldun-FS, which contained code capable of bypassing many of the firewall solutions available from AV vendors.
Paul Ducklin, head of technology at Sophos Asia Pacific, said the twists and turns of the scam provide "an interesting insight into modern cybercrime."