Sign In
Register
Help
Quote
January 20, 2012, 1:54PM
Phishers Bait City Workers in Seattle With Phony Speeding Tickets
by Brian Donohue
According to the Microsoft Malware Protection Center and the Seattle Police Department, hundreds of individuals with Seattle.gov e-mail addresses began receiving the fraudulent parking ticket announcements on Thursday. The messages have the subject "Seattle Traffic Ticket" and claim the recipient committed one of a number of violations, including speeding.
Clicking a hyperlink in the e-mail message loads an iframe that redirects users to a Ukrainian IP address. According to TechNet, the site contains an obfuscated Javascript that exploits bug in the Microsoft Data Access Components (MDAC) that was patched in 2006.
If successful, the exploit will download an executable from a .ru domain. Windows is detecting the file as Worm:Won32/Cridex.B. The malware then attempts to connect via SSL to "jahramainso[dot]com." The malware can also update itself by communicating with its command and control server. The host appears to be deploying the same file at present that was detected in the initial infection, but the authors may try to evade detection by altering the host with which it communicates.
According to a blog post from the Seattle Police department, the email reads as follows: ……………
Phishers Bait City Workers in Seattle With Phony Speeding Tickets
by Brian Donohue
According to the Microsoft Malware Protection Center and the Seattle Police Department, hundreds of individuals with Seattle.gov e-mail addresses began receiving the fraudulent parking ticket announcements on Thursday. The messages have the subject "Seattle Traffic Ticket" and claim the recipient committed one of a number of violations, including speeding.
Clicking a hyperlink in the e-mail message loads an iframe that redirects users to a Ukrainian IP address. According to TechNet, the site contains an obfuscated Javascript that exploits bug in the Microsoft Data Access Components (MDAC) that was patched in 2006.
If successful, the exploit will download an executable from a .ru domain. Windows is detecting the file as Worm:Won32/Cridex.B. The malware then attempts to connect via SSL to "jahramainso[dot]com." The malware can also update itself by communicating with its command and control server. The host appears to be deploying the same file at present that was detected in the initial infection, but the authors may try to evade detection by altering the host with which it communicates.
According to a blog post from the Seattle Police department, the email reads as follows: ……………
View here: https://threatpost.c...-tickets-012012
MultiQuote