Driveby installer targets Australian bank customers
Customers are advised not to fall for the latest attempt by scammers to silently install malware on their computers. The message bears some of the typical hallmarks of fraudulent email, including poor spelling and a link whose destination differs from the address displayed in the text.
Clicking on the link loads a fake "500 Internal Server Error" page, hosted on what appears to be a hacked Korean website. The fake 500 error page contains a link in a hidden iframe that contains encrypted JavaScript. The encrypted JavaScript dynamically writes 4 more iframes, all of which have a width and height set to 0. Each of the 4 embedded iframes also contains encrypted JavaScript that attempts to dynamically write different types of exploit code, allowing the authors to silently install malware.
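For anyone triaging a saved copy of a page like this, the following added example (not code from the original post) flags iframes that are zero-sized or hidden, both in the static HTML and in markup that a script passes to document.write. The function and class names, the sample page, the example.invalid hosts and the use of plain percent-encoding as a stand-in for the "encrypted" JavaScript are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Zero-size attribute values, and inline styles that collapse or hide a frame.
ZERO = re.compile(r"^0+(px|%)?$")
STYLE_HIDE = re.compile(r"(width|height)\s*:\s*0+(px|%)?\s*(;|$)"
                        r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class HiddenFrameFinder(HTMLParser):
    """Collects iframes a visitor cannot see, including ones written by script."""
    def __init__(self, origin="static"):
        super().__init__()
        self.origin, self.findings, self.in_script = origin, [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "script":
            self.in_script = True
        elif tag == "iframe":
            zero = ZERO.match(a.get("width", "")) and ZERO.match(a.get("height", ""))
            if zero or STYLE_HIDE.search(a.get("style", "")):
                self.findings.append((self.origin, a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Assumption: markup is only percent-encoded; decode what document.write emits.
        if self.in_script and "document.write" in data:
            inner = HiddenFrameFinder(origin="script-written")
            inner.feed(unquote(data))
            inner.close()
            self.findings += inner.findings

def find_hidden_iframes(html):
    """Return (origin, src) for every hidden iframe found in the page source."""
    finder = HiddenFrameFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample shaped like the fake error page described above.
SAMPLE = """<html><body><h1>500 Internal Server Error</h1>
<iframe src="http://a.example.invalid/x" width="0" height="0"></iframe>
<iframe src="http://b.example.invalid/ok" width="300" height="200"></iframe>
<script>document.write(unescape("%3Ciframe src=%22http://c.example.invalid/y%22 width=0 height=0%3E%3C/iframe%3E"));</script>
</body></html>"""
```

A script that uses a stronger encoding than percent-encoding will yield only the static finding; the same zero-size check can then be run over the markup captured from a sandboxed render.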
The message text appears below.
Subject: AntiFraud.com warns.
Dear online-banking user!
Please note that from May the 14th the online-banking service in Australia will be suspended due to a vigorous hacker attack on the websites of the most popular Australian banks (National, Common, Bendigo, BOQ etc.).
Please be extremely carefull with your credit cards and accounts.
To get more information on the situation of the online-banking service of your bank please follow the link below:
http://www.antifraud.com
Best regards,
AntiFraud.com
Filed under: Malware, Spam