Australian security experts said in an advisory the vulnerability allowed the remote execution of arbitrary code on a local computer by a malicious Web site.
The perpetrators of the exploit lure unsuspecting Australian users to the malicious Web site by widely distributing spam e-mails -- purporting to be from one of the Big Four local banks -- containing what appears to be a legitimate link to the bank's Internet banking site. The IE vulnerability, however, has allowed the fraudsters to spoof the URL of the bank's legitimate Web site by manipulating the information displayed in the status bar using an embedded form. The "From:" field of the e-mails include what is likely to be a valid e-mail address for the bank they purport to be from. Those who click on the link are directed to a Web site, however, which automatically executes a malicious key logger program on their computer. The user is then automatically directed to the bank's real Internet banking Web site. The program then captures log-in details when the user logs in to the real site and sends those back to the fraudsters via an e-mail sent via an anonymous mail server based in Russia.
AusCERT senior security analyst Jamie Gillespie said the use of URL obfuscation and exploit to install a program went beyond previous phishing scam moves to fool users into entering data into a fake Web site.
"[These exploits allow the perpetrators to] capture details when the user enters a true Web banking site," he said.
The body copy of the malicious e-mail reads as following:
We are informing you that today, the amount of $XXX AUD has been drawn out of your account.
Technical assistance of YYY Bank.
AusCERT said initially in its advisory that it was unaware of any patch being released by Microsoft to deal with the IE vulnerability. Microsoft Australia, however, late in the day released a statement saying it had identified the vulnerability in December last year and released a patch. Gillespie nonetheless warned that AusCERT believed that a large number of home users may not be patched and would still be vulnerable.