
Fake postcard as hook to infect the computer and router


Phishing with Gusanito postcards is one of the classic ways of stealing passwords: the victims receive a supposed postcard by email and, to see it, they must log in on a fake page that pretends to be Hotmail, Gmail, etc.

Some more elaborate attacks are not limited to the fake email and also include a fake page that looks like Gusanito's; a few weeks ago I commented on a case that was trying to spread a Trojan disguised as a supposed Flash Player update.

The following is another example detected by the UNAM-CERT team in Mexico. It all starts with a fake postcard sent by email that leads victims to a fraudulent page:

False page loads Java application

There, a malicious Java application runs automatically and modifies the Windows hosts file so that the domains of the most popular banks are redirected to fake pages. What does this mean? If a victim tries to access their bank the way they always do, they are actually loading a fake page, and the URL shown in the address bar will be the bank's!

These types of attacks are very common and are known as local pharming.
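Because local pharming leaves its trace in the hosts file itself, a defender can detect it by parsing that file and flagging entries that pin a bank domain (or any hostname) to an address outside the loopback and private ranges. The following script is an added example written for this post, not code from UNAM-CERT or the original article; the bank domains, the watch list and the 203.0.113.10 address in the sample hosts file are constructed placeholders.

```python
import ipaddress

# Constructed sample of a Windows hosts file after a local-pharming
# modification. The domains and the 203.0.113.10 address are made-up
# placeholders (TEST-NET-3), not indicators taken from the article.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.50    printer.lan          # legitimate home-network entry
# entries added by the malicious Java applet
203.0.113.10    www.bancoejemplo.com
203.0.113.10    banca.otrobanco.mx  www.otrobanco.mx
"""

# Hypothetical watch list: domains that an end-user machine should never
# resolve through its hosts file, whatever address they are pinned to.
WATCHED_DOMAINS = {"www.bancoejemplo.com", "banca.otrobanco.mx", "www.otrobanco.mx"}

# Address ranges where a hosts-file pin is plausible on a home PC
# (loopback, unspecified, RFC 1918, link-local, IPv6 ULA).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7")]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments, blank lines and lines whose first field is not a valid
    IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, ignore it
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def is_local(ip):
    """True if the address falls in a range where a hosts pin is plausible."""
    return any(ip in net for net in LOCAL_RANGES)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return suspicious entries as (ip, hostname, reason) tuples.

    A watched domain is reported no matter where it points; any other
    hostname is reported only when pinned to a non-local address.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            findings.append((str(ip), name, "watched domain pinned in hosts file"))
        elif not is_local(ip):
            findings.append((str(ip), name, "hostname pinned to a non-local address"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{ip:16} {name:28} {reason}")
```

On a real Windows machine the same check is run against `%SystemRoot%\System32\drivers\etc\hosts` by passing its contents to `find_pharming_entries`; the printer entry shows why the rule only flags non-local addresses for hostnames outside the watch list, since pins to RFC 1918 addresses are normal on a home network.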

But that is not all: Gusanito's fake page also runs a script that exploits a known vulnerability in Telmex 2Wire routers to carry out the same pharming attack. This way, even if the victim's computer is not infected locally through Java, it can be affected from the router, and what is worse, every computer in their home will be loading fake pages.

On the UNAM-CERT blog you can find a detailed analysis of the attack and more captures.

How to avoid these attacks?

Keeping Java updated is essential: a computer with a vulnerable version of Java can be infected simply by visiting a specially crafted page, and even Linux and Mac computers can be victims of these attacks.

That is why, more than once, I have recommended not having the plugin installed at all if you do not keep up with the available updates.

In the case of the router, there are several things that can be done: not using the default passwords, protecting the WiFi network with a WPA/WPA2 password, restricting access with a firewall, disabling remote administration so that the router can only be configured from a trusted computer and, of course, checking that the firmware is the latest available from the manufacturer.