On Wed, 4 Oct 2006, Rick Glazier wrote:
Time for the new zero-day (MS) exploit of the week...
http://www.microsoft.com/technet/security/advisory/926043.mspx
BTW InfoCon was on Yellow (again) this weekend because of this
exploit.
BTW2 here is a report regarding the VML exploit and the
interesting thing the nefarious critters did with the money
obtained using exploited info:
---------------------------------
http://isc.sans.org/diary.php?date=2006-09-29
A Report from the Field
Published: 2006-09-29
Last Updated: 2006-09-29 21:46:52 UTC by Kevin Liston
Kevin Shea wrote in to report:
"Yesterday morning (9/27) when dropping off my son at school, I
told his first grade teacher about the VML exploits and patch
availability. She said she had computers at home and would call
her husband to make sure they were patched.
When my significant other picked him up around 5:30, the
teachers were all talking about how her husband checked and
found out they were infected with one of the trojans. Their
bank accounts had been drained, by electronic withdrawals and
money transfers. Since it had occurred the day before, the bank
(unknown) was able to reverse the transfers and replace the
money in their accounts. They won't even bounce a check."
After receiving the report, I had a few questions and I
received a prompt follow-up. What the thieves did with the
money was interesting. Most of the funds were transferred out
using one of those services where you can wire cash to people.
I'm not sure if these were wired to other accounts using the
intermediary, [or if] people actually walked up to a counter to
retrieve the funds. They also used funds in this account to
purchase background checks at certain
people-search/information-broker companies. Most likely this
is an attempt to gather further identities in a way that won't
tip off the broker.
---------------------------------
--
----------------------------------------
The WIN-HOME mailing list is powered by L-Soft's renowned
LISTSERV(R) list management software. For more information, go to:
http://www.lsoft.com/LISTSERV-powered.html