HOSTS file hijacking and bank password stealing trojans

Summary: HOSTS file hijacking by bank password stealing trojans is one of the more egregious spyware tricks currently being seen. Here's the scenario.

HOSTS file hijacking combined with bank password stealing trojans is one of the more egregious spyware tricks currently being seen. Here's the scenario. A user is infected with a trojan and other malware that, among other things, changes the HOSTS file so that the hostnames of websites commonly used for online banking resolve to the spyware pusher/thief's site, which is made to look nearly identical to the real bank site. Whatever the user types into the fake login page goes straight to the thief.

HOSTS file hijacking can be prevented with a number of apps, including several anti-spyware programs and utilities; one of my favorites is WinPatrol.
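To make the detection side of this concrete, here is an added example (not from the post, and not code from WinPatrol or any other tool it mentions) that parses a HOSTS file and flags entries sending a bank hostname to a real address instead of a loopback or sinkhole. The watchlist, the sample HOSTS file and the use of the Bank of America hostnames are constructed assumptions; the IP in the sample is the one the post names.

```python
from ipaddress import ip_address

# Addresses that a legitimate blocklist-style HOSTS file maps names to.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watchlist (assumption): the online-banking hostnames a defender
# cares about. Bank of America is the brand the post says was impersonated.
BANK_WATCHLIST = {"www.bankofamerica.com", "bankofamerica.com"}

def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, skipping comments/junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ip_address(ip)                       # validate the address column
        except ValueError:
            continue
        entries.extend((ip, n.lower()) for n in names)
    return entries

def classify(ip, name, watchlist=BANK_WATCHLIST):
    """'hijack' if a watched bank name is sent to a real address, 'review' for
    any other name sent to a public address, None for benign entries."""
    addr = ip_address(ip)
    if ip in SINKHOLE_IPS or addr.is_loopback or addr.is_private:
        return None
    return "hijack" if name in watchlist else "review"

def find_hijacks(text, watchlist=BANK_WATCHLIST):
    """List of (verdict, ip, hostname) for every non-benign HOSTS entry."""
    hits = []
    for ip, name in parse_hosts(text):
        verdict = classify(ip, name, watchlist)
        if verdict:
            hits.append((verdict, ip, name))
    return hits

# Constructed sample: stock localhost lines, an ad-sinkhole entry, and the kind
# of hijack the post describes (the post's IP pointed at a bank hostname).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist-style, harmless
216.32.94.147   www.bankofamerica.com bankofamerica.com
"""

if __name__ == "__main__":
    for verdict, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"{verdict.upper()}: {name} -> {ip}")
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts on Windows) it gives a quick read of whether anything other than sinkhole entries is present; a bank hostname should never need a HOSTS entry at all.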

SunbeltBLOG has an excellent write-up describing this trick and a video for demonstration. HOSTS file hijacking is not new on the spyware scene and has been used by CoolWebSearch and similar groups to redirect users' browsers to alternative search sites or adware/spyware sites. In many cases the IP address or domain being used to collect users' IDs and passwords is located outside of the US, but in Sunbelt's write-up the IP address is right here in River City and belongs to an ISP headquartered in Dallas, Texas: Layered Technologies.

The IP address in question is 216.32.94.147, and the whois information can be seen here and here.

Savvis SAVVIS (NET-216-32-0-0-1)
                                  216.32.0.0 - 216.35.255.255


Layered Technologies, Inc. NET-216-32-64-0 (NET-216-32-64-0-1)
                                  216.32.64.0 - 216.32.95.255

Interestingly enough, a Google search for Layered Technologies, Inc. produces a number of links related to blacklists and spam.

The one domain residing on that IP can be seen at http://www.whois.sc/nikavonejalko.com and was registered with incomplete information to an entity in Russia. Let's hope that Layered Technologies acts responsibly and shuts down this site ASAP.

I'm preparing for a huge rant about ISPs in the US of A hosting sites running exploits, foisting spyware of the worst kind on users and in some cases hosting child porn. Everyone in the anti-spyware community knows who these ISPs are.  One of them has been reported to authorities but is still up and still running CWS exploits as I type. I'm prepared to name companies and individuals, so Watch Out!

Update: This afternoon I checked the website at http://216.32.94.147 and it now redirects here:

http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm

The fake Bank of America site has been taken down. I also received an email from a representative of Layered Technologies who seemed to think I accused them of hosting spyware, which I did not. I can't recall an instance of finding a spyware site hosted there, and Layered Technologies was not one of the ISPs I had in mind to rant about. This link mentions one of the ISPs I do have in mind.

Talkback

24 comments
  • name names

    well - name them!

    you can't scare them yaknow, they don't care...

    if you're worried about lawyers then don't even threaten.
    CWButler
  • Naming names

    Hooray! It's about time these weasels are brought out into the light.
    Brock_z
  • go get the bastards!

    Spread the word!
    pikeman666@...
  • Outing the criminal phishers

    I say, give 'em all the press you can. If it were up to me, we'd still have stockades. I would be assuming, of course, that these people have any sort of remorse left in their psyches. At least they would know that they are outnumbered and their actions are unacceptable. Thanks for having the courage!
    vapetlover
    • yes!

      vapetlover, I'm in favor of bringing back stockades, too, especially for spyware pushers and black hats.
      Suzi_z
  • Take the names local

    Name the names and put them in their local papers where they live...if they live there!
    kevin_kreitz
  • Call 'em out

    As we have proven time and again, speaking the truth cannot be a wrong option. If you have the proof, name the name. The bad guys cannot argue that they were wronged when the truth is staring them in the face. Sure they can trot out the big lawyers. These kinds of bad guys usually have deep pockets for the big lawyers. Don't be afraid of them when you speak the truth because there is always the ultimate court that they have to face: the court of public opinion. In the end, truth will always win and they will always lose. Telling the truth is not a stupid idea. Or, as we have a saying around here, good will always triumph as long as evil is stupid. Lying is stupid.
    pj@...
  • naming names = huge risk

    Yes, I'd like Suzi to out these slimeballs but, when she does, she opens the door to libel actions. The first time one of these thieves brings such an action, she's automatically out many thousands of bucks. Much as I'd like to see her name names, I'll be cautious about urging her to open the veil.
    pete@...
  • It sounds like you should start with law enforcement

    If you are aware of ISPs hosting software used in electronic financial thefts or pornography of underage children, I think you have a duty to report that to the ISP, and, if they don't take action, to law enforcement. The present DoJ would even (probably) take time off from chasing Quakers and four year old kids to investigate child porn. Financial thefts, I don't know.

    If you feel that your obligations as a journalist to tell the story trump your obligations to fight back against crime, then at least name the names publicly.

    It is a big step, either to write the story or to file a complaint. I certainly understand people who are afraid to take on this sort of obligation. But these are the obligations of a free people. We need to stand together and against crime.
    JoelS.
    • already done

      I have reported plenty of domains to abuse departments and rarely received any response. I've reported child porn domains to the proper authorities and yet some are still on the web. I've reported sites hosting spyware to authorities as well and some have been taken down but a lot have not. I've reported false domain name registration info and had a few sites taken down that way. My colleagues in the grassroots anti-spyware community have done the same. The problem is so huge, what we've done is not even a drop in the bucket.
      Suzi_z
      • Set a bounty

        The big problem is there isn't a lot of money in shutting down spammers, and it takes a lot of time to get the evidence together to prosecute.
        In the nature of the US wild west, maybe there should be a bounty or a reward for successful shutdown or prosecution of a spammer.
        Learn from history, as these sorts of methods were successful in applying law and order where the authorities had little effective reach.
        Make it worth people's time to track them down.
        chromeronin
        • Set a bounty

          Great idea! Legally complicated though ... probably best to have a central place to report to, which would then investigate.
          dhopp@...
  • The Truth Sets You Free

    If Suzi really knows who the criminals are, and can show proof of same, liability isn't an issue. I must wonder, after reading her article, how much of what she "knows" is guesswork and how much is fact. If it is fact, then it should be made public, and it is her duty to do so. The criminal activity being discussed costs legitimate businesses and private persons $Millions each year, but no-one so far has bothered to make us, the computing public, aware of who the crooks are. To Suzi, I say, put up or shut up!
    ottocr@...
  • you gotta be kidding me

    your investigative journalism is worth nothing better than a laugh...

    Let's get this older woman an award for advancing in technology. </sarcasm>

    Seriously, did you even bother emailing abuse@isp.com before writing this crap? If you wanna be a real internet crime vigilante how about alerting an ISP about abuse to really get it shut down instead of blogging about it hoping someone with some authority will read the garbage.
    GtiGuy
    • yes

      Read my reply to JoelS. Your sarcasm is unbecoming. ;-)
      Suzi_z
    • Keep it up

      I can't understand why someone who goes out of their way to do the right thing gets lambasted for not doing the right thing. Did you read the story? She has limited reach and legal resources. She can't demand a site be taken down because it's beyond the scope of her power to make it happen. She is doing what she can, finding and reporting the scum, which is a heck of a lot more beneficial and worthwhile than what any negative armchair critic has to say.
      Chiatzu
    • This was an excellent blog

      This is a very important topic. Suzi is doing a service for you and everyone else by bringing this security issue to your attention. I don't know why you would trash her for doing her job.
      george_ou
  • public info

    Anything I would post is public information and available on the web already. It's only a matter of presentation of what's already documented.
    Suzi_z
  • Documentation is key.

    Say nothing you cannot prove. Say all that you can. Keep careful records. And ask ANYone.. from Gates to unknown.. for support. Yahoo, Google, AOL and ALL ONLINE BUSINESSES ought to be on your side! Amazon, E-bay, mighty Comcast and mightier Ziff-Davis... Hell, try the Playboy Foundation (no I am NOT kidding). Some will see the benefits to their own interests.
    s_gamgee
  • HOSTS Manager

    Bluetack Internet Security Solutions has had a HOSTS manager software for some time now. It has the ability to download lists, add and remove URLs, back up HOSTS files and easily make the file read-only.

    see: http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=10
    ThLY_LVN@...