[LINK] SMH: A Cluster of Separate Scams

Chirgwin, Richard Richard.Chirgwin at informa.com.au
Wed Apr 7 10:38:15 EST 2004


Roger:
> 
> [This article opens up a lot more questions than it answers ...]

Ask them! :-)

> 
> 
> Spam scam taps into bank accounts
> The Sydney Morning Herald
> Date: April 7 2004
> By Sue Lowe
> http://www.smh.com.au/text/articles/2004/04/06/1081222468498.html
> 
> Internet bankers are being urged to check their account balances 
> after a spate of scams and one of the first reports of a 
> virus-infected computer being used to raid an account.
> 
> Almost $10,000 was stolen from a small Sydney firm's account using 
> password details believed to have been extracted from an infected 
> home computer.

"Believed to be". OK: keystroke logging is feasible; but this disagrees with
another datum:

>   The ANZ bank was able to quickly track the thief as the funds were 
> transferred to another ANZ account

So - the person who wrote the virus (e.g. keystroke logger) had the virus send
keystrokes back AND happened to have an ANZ account. Antennae are
twitching...

>, but the money is still to be 
> recovered. 

"Recovery" should not delay a return of funds to the victim. The bank
indemnifies; it does not tell the user "wait until we get the money back."
So: is the bank being unreasonable, or does it doubt the facts it's been
given?

> An ANZ spokeswoman, Kate Gore, said the matter was now in 
> the hands of the Federal Police.
> 
>   Mr McCrindle later found that a home computer was infected with two 
> viruses, spybot.worm and bkdr.irc.flood, both of which leave the 
> computer vulnerable to malicious access.

My understanding [open to correction] of spybot is that you would have to be
the virus author to give it "send the keylog to X"-type instructions. I
can't find details about bkdr.irc.flood but will presume someone else can
help!

[snips phishing description]

> If users access their account at that point the password details 
> would be copied and forwarded by email to a site in Russia.

This is a non-sequitur to the attack which opened the report. In one, the
visitor is duped into giving password information to the wrong site; in the
opening of the story, we were talking about a trojan/keylogger attack.

Also - the Russian criminals have remotely opened an ANZ account to accept
transfers? Hmmm.

Richard C

