Information Security News mailing list archives

FBI investigates password-stealing scam


From: InfoSec News <isn () C4I ORG>
Date: Thu, 17 Aug 2000 19:21:31 -0500

http://news.cnet.com/news/0-1005-200-2549381.html?tag=st.ne.1002.thed.ni

By Joe Wilcox
Staff Writer, CNET News.com
August 17, 2000, 3:50 p.m. PT

The FBI is looking into an Internet password-stealing scam that may
have forwarded stolen online banking codes to free email accounts run
by U.S. companies, according to security experts involved in the
investigation.

A new variant of the infamous "I Love You" virus struck banks in
Europe and the United States yesterday, potentially exposing some
online-banking customers' accounts.

For now, the variant, "VBS/LoveLetter.bd," is only a threat to United
Bank of Switzerland (UBS) customers, although the virus's existence
could result in copycat versions attacking other financial
institutions. That could pose a serious threat not only to banks but
to consumers as well, according to security experts.

The variant of the I Love You virus, also known as the "Love Letter"
or "Love" bug, affects people using Microsoft's Outlook email client.
Like the original virus, it sends copies of itself to all of the
addressees in a victim's email address book. In addition, the bug
downloads a password-stealing program, "hcheck.exe," that lifts UBS
PIN numbers and sends them to three email addresses:
ct102356 () excite com, acch01 () netscape net and deroha () mailcity com.

National Infrastructure Protection Center (NIPC) spokeswoman Debbie
Weirerman confirmed the FBI is investigating where the virus sent the
PIN numbers.

Network Associates' Antivirus Emergency Response Team (AVERT) also
said it is working with the FBI. Sal Viveros, an AVERT director, said
the three email addresses connected with the password threats have
been shut down. But he said investigators are still searching for one
or more Web servers that may also have been used to receive the stolen
passwords.

"We believe the email addresses have been shut down, and we're
awaiting to hear word the servers have been shut down," he said.

Network Associates, as well as Symantec and other antivirus-software
makers, had rated the virus only a medium threat because it targeted a
single financial institution. Network Associates plans to downgrade
the threat to low after the FBI shuts down the Web server used in the
attack.

The virus appears to have first affected UBS's European operations;
Network Associates acknowledged 15 attacks, mostly in Germany. In a
release today, the bank said that only "a small proportion of UBS
e-banking customers are at risk," and "there are no reports of damage
as of yet."

The threat was greatest to customers using UBS's online-banking
software. "The virus attempts to steal scratch list numbers from the
UBS PIN module," the bank warned in its release. The bank recommended
that customers opening the Love variant block their "e-banking
authorization immediately by entering an incorrect password three
times."

The original Love virus struck in May, crippling email systems
worldwide, stealing passwords, and overwriting picture files essential
to some publishers and Web sites.

NIPC, which is charged with protecting the security of the nation's
computing infrastructure, has been issuing warning updates on the new
variant throughout the day. Law-enforcement officials are taking the
virus seriously, as it attacks financial institutions and steals
passwords.

ISN is hosted by SecurityFocus.com