Exploit-URLSpoof

Type: Trojan
SubType: Exploit
Discovery Date: 12/16/2003
Length: Varies
Minimum DAT: 4311 (12/24/2003)
Updated DAT: 4711 (03/06/2006)
Minimum Engine: 5.1.00
Description Added: 12/24/2003
Description Modified: 01/29/2006 8:29 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update Feb 02, 2004 --
Microsoft has released a patch for the vulnerability exploited by this threat. For more information visit:

This detection covers HTML documents (such as web pages and HTML-formatted email messages) that contain malformed hyperlinks exploiting an Internet Explorer vulnerability. Such links cause Internet Explorer to display one location in the Address bar while actually loading content from a different site. This URL spoofing lets attackers present forged versions of legitimate sites in order to steal account details, personal information, etc.

Email spam is the most likely delivery method for such malicious hyperlinks, which are used to lure users into "updating" account information.

On January 10, 2004, there was a mass-spamming by someone phishing for Citibank account information. That message appeared as follows:

Dear Citibank Account Holder,

On January 10th 2004 Citibank had to block some accounts in our system connected with money laundering, credit card fraud, terrorism and check fraud activity. The information in regards to those accounts has been passed to our correspondent banks, local, federal and international authorities. Due to our extensive database operations some accounts may have been changed. We are asking our customers to check their checking and savings accounts if they are active or if their current balance is correct. Citibank notifies all its customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below.

Other phishing attempts have targeted eBay, eGold, Paypal, online banking sites, and porno sites.

Users should be leery of email messages asking them to click a hyperlink to update account information. It is best to navigate to the site in question by typing its main web address into the browser and then manually navigating to the account details page.

Symptoms

There are no obvious symptoms of this exploit. Files detected as Exploit-URLSpoof are benign in themselves: no system changes or damage occur from opening an Exploit-URLSpoof file. However, following an exploited hyperlink within a detected file can result in users being tricked into divulging personal information, installing malicious software, etc.

Method of Infection

The Exploit-URLSpoof trojan is being seen in large rounds of email spam. It is part of various phishing scams that entice users to navigate to seemingly authentic websites in order to steal account and personal information. Email messages may be received that appear to come from authentic sources and inform users that they need to click a hyperlink in the message to update account information, such as username/password, credit card numbers, social security number, mother's maiden name, etc. The URL included in the message may appear to be legitimate, but is actually specially crafted to trick Internet Explorer into displaying one web site while loading the content from a completely different site. This allows the spam artist to forge other sites' login pages and have the unsuspecting user hand over their personal information.
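The Characteristics and Method of Infection sections describe a link that shows one site while loading another but do not spell out its shape. As an added detection example (not part of this threat description or of any vendor's scanner), the Python below scans an HTML message for the well-known form of this spoof, a look-alike host placed in the URL's userinfo part ahead of an encoded control character and the real host, and reports the displayed host against the real one; the sample message and hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML-formatted mail body. The first link is honest;
# the second puts a look-alike host in the userinfo part ("shown%01@real"),
# the classic shape of the Address-bar spoof. Hosts are placeholders.
SAMPLE_HTML = """
<p>Please <a href="http://www.example-bank.test/login">log in</a> to confirm.</p>
<p>Or <a href="http://www.example-bank.test%01@203.0.113.5/cgi-bin/login">click here</a>.</p>
"""

CONTROL_CHAR = re.compile(r"%0[01]", re.IGNORECASE)  # URL-encoded NUL / SOH byte

class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)

def analyse_link(href):
    """Return (shown_host, real_host, reasons); shown_host is what a reader sees
    at the start of the URL, real_host is where the request goes. A non-empty
    reasons list flags the link."""
    netloc = urlsplit(href).netloc
    if "@" not in netloc:
        return netloc, netloc, []
    userinfo, real_host = netloc.rsplit("@", 1)
    reasons = ["userinfo before '@' hides the real host"]
    if CONTROL_CHAR.search(userinfo):
        reasons.append("encoded control character truncates the displayed URL")
    shown_host = CONTROL_CHAR.split(userinfo)[0]
    return shown_host, real_host, reasons

def scan_html(html):
    """Return (href, shown_host, real_host, reasons) for each suspicious link."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        shown, real, reasons = analyse_link(href)
        if reasons:
            findings.append((href, shown, real, reasons))
    return findings
```

Any link with a userinfo part deserves a look in mail filtering, since legitimate bank links never carry credentials in the URL; the control-character check pinpoints this particular Internet Explorer trick.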

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Exploit-URLSpoof-b
  • Exploit-URLSpoof.gen
  • HTML_CITIFRAUD.A (Trend - Citibank msg)
  • HTML_SWENFRAUD.A (Trend)
