Linux Users' Group of Davis
Page last updated: 2004 Jun 30 13:45

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

[vox] Yet another reason to avoid Internet Explorer

New scam targets bank customers

  The victim of the attack found that a file called "img1big.gif" had
  been loaded onto their machine. Because of the account restrictions on
  the person running the machine, it had failed to install properly,
  which was why it had come to their attention.

  The second half of the file consists of a Win32 DLL that is
  installed by the file dropper under WindowsXP as a randomly named .dll
  file under C:\WINDOWS\System32\. This DLL is installed as a "Browser
  Helper Object" (BHO) under Internet Explorer.

  A "Browser Helper Object" is a DLL that allows developers to customize
  and control Internet Explorer. When IE 4.x and higher starts, it reads
  the registry to locate installed BHO's and then loads them into the
  memory space for IE. Created BHO's then have access to all the events
  and properties of that browsing session.

Here comes the important part:

  This particular BHO watches for HTTPS (secure) access to URLs of
  several dozen banking and financial sites in multiple countries.

  When an outbound HTTPS connection is made to such a URL, the BHO
  then grabs any outbound POST/GET data from within IE before it is
  encrypted by SSL. When it captures data, it creates an outbound HTTP
  connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the
  captured data to the script found at that location.

So there you have it.  IE simply hands off your banking info to this wacky
'BHO' DLL, which then passes it off to the Bad Guys.

Nice. :^P

In related news, Firefox 0.9.1 was recently released:

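The chain the post describes (IE reads the registry to find BHOs, loads the DLL into its own process, and the DLL sees POST/GET data before SSL) is why enumerating registered BHOs is the first check a defender runs on a suspect machine. The following is an added example, not code from the post or from the article it quotes. It parses a Windows registry export (.reg text) of the BHO registration key together with the matching CLSID entries, resolves each BHO to the DLL path IE would load, and flags any DLL that is not on a vetted allowlist, adding a note when the DLL lives in System32 as the dropper's randomly named file did. The two registry key paths are the locations Internet Explorer actually consults; the export text, CLSIDs, DLL names and allowlist below are constructed for the example.

```python
"""Audit a .reg export for Internet Explorer Browser Helper Objects.

Added example (not from the post or the quoted article). Assumes a .reg
export that covers the two keys IE consults when loading BHOs:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  HKEY_CLASSES_ROOT\CLSID\{guid}\InProcServer32
The sample export, CLSIDs, DLL names and allowlist are constructed.
"""

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed sample export: one vetted toolbar BHO and one BHO whose DLL
# is a randomly named file in System32, like the one the post describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]
@="Example Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-5555-6666-7777-888888888888}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-5555-6666-7777-888888888888}\InProcServer32]
@="C:\\WINDOWS\\System32\\qzxv83ka.dll"
"ThreadingModel"="Apartment"
"""

# DLL paths an administrator has vetted (constructed; compared lower-cased).
KNOWN_GOOD = {r"c:\program files\example\toolbar.dll"}


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes in string data as "\\"
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def list_bhos(keys):
    """Resolve every registered BHO CLSID to the DLL path IE would load."""
    bhos = []
    prefix = BHO_KEY + "\\"
    for key in keys:
        if key.lower().startswith(prefix.lower()):
            clsid = key[len(prefix):]
            server = keys.get(CLSID_KEY + "\\" + clsid + "\\InProcServer32", {})
            bhos.append((clsid, server.get("@")))
    return bhos


def suspicious_bhos(bhos, known_good=KNOWN_GOOD):
    """Return (clsid, dll, reason) for each BHO that is not on the allowlist."""
    findings = []
    for clsid, dll in bhos:
        if dll is None:
            findings.append((clsid, None, "registered CLSID has no InProcServer32 path"))
            continue
        path = dll.lower()
        if path in known_good:
            continue
        reason = "DLL is not on the vetted allowlist"
        if path.startswith("c:\\windows\\system32\\"):
            reason += "; loads from System32, where the post's dropper placed its DLL"
        findings.append((clsid, dll, reason))
    return findings


if __name__ == "__main__":
    for clsid, dll, reason in suspicious_bhos(list_bhos(parse_reg(SAMPLE_REG))):
        print(f"{clsid} -> {dll}: {reason}")
```

On a real machine the two keys can be exported with `reg export` to files and fed to `parse_reg`; `reg export` writes UTF-16 text, so open the files with `encoding="utf-16"` before passing them in. A BHO flagged here is only a lead: confirm it by checking the DLL's publisher and signature before removing the CLSID entry.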
