Zyra TV //// Rogues Gallery //// Zyra's website //// Australia //// Site Index

Help about

TERRAKT IN AUSTRALIA!
And Insurgents in Russia!, Bogus job offers in the UK, and order confirmations for the gerlsbig.com domain!


If you have received messages which say "TERRAKT IN AUSTRALIA" and visited the site in question you'd be well-advised to get your computer checked for trojans/viruses. The spam email was sent to tempt people into linking to a rogue website which had active scripts on it. Because of the rubbish security of Microsoft, many computers have been infected. See helpful antivirus software here.

----- Original Message -----
From: Quited B. Proportionate
To: Spam-trap address
Sent: Sunday, March 28, 2004 11:40 AM
Subject: TERRAKT IN AUSTRALIA!
X-RAV-AntiVirus: This message has been scanned for viruses on delphi.com


TERRAKT IN AUSTRALIA!
URGENT!
Unanswered questions? Look at our site!


What's amazing about this is how pathetically poor the security is that allows active scripts to just run and install executables unchecked! As per the ActiveX problem. This is all absurd, and you shouldn't have to browse in fear! Even if websites are suspicious-looking, you should be able to look at them safely.

Anyway, what does "TERRAKT IN AUSTRALIA" mean? And what are these "unanswered questions"? For a start, "Terrakt" is probably a Russian word meaning "Terrorist Attack". Regarding "unanswered questions", this is quite clever and subtle, and you can find the answers to the unanswered questions the easy way here safely or if your computer becomes infected you can find out the hard way. Yes, there is a terrorist attack going on in Australia, and the spam message "Terrakt in Australia" is part of it! Terrorists, if they're religious enough, are known for hijacking aeroplanes and bashing them into the buildings of financial institutions and government establishments. What the writers of the spam message are doing has some cyberspace similarities to that. What happens is, if you visit their site (don't), they try to hijack your computer and then crash it into financial companies' online businesses.

Here's a few of the companies listed in the file HookerDll.dll which the rogue site downloaded:

e-gold Account Access
HSBC Internet banking
online@hsbc
Welcome to National Internet Banking
St.George Internet Banking Logon Page
Business Banking Online Login Page
directshares
MasterCard Connections Online - Welcome
St George Treasury: Client Logon
ANZ Internet Banking
SAAM Login
ANZ E*TRADE
FX Online Sphinx Login Page
https://www.tradeportal.proponix.com
BankSA Internet Banking Logon Page
Westpac Internet - Sign In
Westpac Internet Banking
NetBank - Logon
Commonwealth Securities Limited
Managed Funds and Superannuation Online - Login
Citibank Australia
Banesnet Particulares
Acceso a Banca por Internet
Wachovia Online Business Banking
Online Services - Account Login
Ventura County Business Bank Online Banking
PNC Bank - Account Link for Business
Fleet HomeLink Online Banking and Investing
e-Bullion: Account Login
:: WMcards.com :: Customer Support
moneybookers.com - and money moves
SunTrust Online Banking
Washington Mutual - Log On
Discover Card: Account Center Log In
OrbitPay.net - The Payment Processor Of Choice!
Banco Popular - Internet Banking
Nationwide Building Society - On-line banking
E*TRADE Log On
Accueil Bred.fr > Espace Bred.fr
Credit Lyonnais interactif
CyberMUT
Banque en ligne
Tous les produits et services
Banque Populaire
Home Page Banca Intesa
Collegamento a Scrigno
Barclaycard Merchant Services
American Express UK - Personal Finance
Merchant Administration
Wells Fargo - Small Business Home Page
Commercial Electronic Office Sign On
VeriSign Personal Trust Service
VeriSign Partner Manager
SUNCORP METWAY
iKobo Money Transfer
Welcome to Citi

Of course there's no certainty about any of this, but it could be assumed that the people involved would like to target these places. I don't know why these places are targeted, but maybe someone can explain. (Another theory is that these banknames are detected by the trojan if they appear in your browser, so the program can spy on your bank password and send it to criminals). This type of nonsense is known as phishing, and it's a form of identity theft which relies on assuming the person to be a muggins.

The APPLET on the rogues website exploits weak points in the Microsoft Windows operating system. In the same sort of way that some houses have the key under a flower pot, a note on the door that says "We're out. Back in three hours", and a cat hole so big that a person can squeeze through, Microsoft systems are generally riddled with holes. Within seconds of a Microsoft system visiting the viral website it gets a file automatically installed called "1.exe" in its C:/windows directory, a file called HookerDll.dll , another called msxmidi.exe (again in /windows), and a carefully camouflaged file called window.exe in the directory /windows/system/ , and most of the cookies deleted. If you run Windows and you've visited the problem website, check your system to see if it's got 1.exe or any of the other files. If it has, don't worry. Just get it fixed! (antivirus software).

Meanwhile, anti-virus measures, (advice), is being updated to include the "active Scripts" problem.

Other info: A more techie explanation in-depth about the Trojan attack can be seen at Code Fish Spam Watch :: No phishing allowed! http://spamwatch.codefish.net.au/

This kind of thing, known as PHISHING, is well explained in a helpful newsletter by 2nd to Nunn Computers. Apparently, the hoaxes are not actually trying to break into the bank itself, but are trying to PHISH your details, bank username and password, so they can steal from your bank account. Don't let them get away with it! See the article: PHISHING

Thanks to Glyn of 2nd to Nunn Computers for sending the warning message in. Previously I'd just assumed "Terrakt in Australia" was just another stupid spam message like many others received here.

Also see the Rogues Gallery of Suspicious e-mails, various Bank Hoaxes, and messages pretending to be from Microsoft (note: Microsoft are guilty of many things, but not guilty of sending such spam messages!).

As regards who is doing the attacks, as the damage here is minimal I've no reason to trace them up and pursue them to the ends of the earth, but current estimates suggest they are a group of disenchanted Russians stranded in Australia and driven to distraction by the heat, worried they might have been turned mad on account of seeing apparitions of seemingly unearthly wildlife, and being unable to get "a licence" in recognition of their obvious talents as computer programmers, they've decided to take it out on the banks and the system!

More news: The dangerous virus-infecting spam e-mails come in many disguises. Here's an example:

----- Original Message -----
From: Sleek J. Sulfates
To: Spam Address
Sent: Friday, April 02, 2004 6:37 AM
Subject: What are the washing instructions?

Hello, what's a nice girl like you doing in...?
Current new job opportunities: Home manager
Honest workers only!
A lot of time to spare with only a part-time job?
Are your studies impacting your work time?
Luck is your middle name!
We are looking for honest and communicative people!!
Working for us will require only limited time a day.
The company wants people who live in Australia.
Vacancies are limited, so act now and accept this hot job opportunity.
SEIZE THE DAY AND APPLY FOR THIS JOB TODAY!
help://aic###ld.info
Our site can give you even more information, check it out.
Any more questions?

Notice anything suspicious about this? No! That's precisely the point. It just looks like an reasonably average spam message, yet it points to the same dangerous link as the "TERRAKT" message. Therefore, in effect, you can't trust the links on ANY spam message. So, although originally spam was merely a nuisance and some of it was genuine commercial e-mail, it's now a potential threat. So, as all spam is now a risk, it's time to eliminate it. One way to do this is the principle of "Never Buy From Spam" , never follow links from spam, and never be lured into believing it's safe!

Upgrading to a decent operating system would also help!

Surprisingly this kind of thing is still going on, months later. Wouldn't you think the banks would have been able to suss out that bank hoaxes were easy to defeat by having a script at the bank computer to check users logging in the see if their computers are infected? I've tried to tell them.

Anyway, here's another example of the same kind of thing as before. This time it's Insurgents in Russia!: 

----- Original Message -----
From:
Defector T. Swordsmen
To:
Circular Newsletter Subscription Address
Sent: Saturday, October 02, 2004 4:06 AM
Subject: Insurgents in Russia!

Insurgents in Russia!

 


Check up our site for the further information
Click here (once) http://berta###os.com

And then, here's another kind of bogus message. This message, which is designed to frighten you into thinking you've gone and bought a domain and hosting from someone and your credit card has been billed for it, is again entirely a ruse to get you to click on the link which does not go to where it claims, but to a variety of other places! Remember: You DID NOT buy that domain, so you don't need to check up on it. It's entirely bogus! It's got to be either a phishing attack or at the very least a spam scam to get you to follow a link to something entirely spurious. This kind of thing, as shown in "spam senders make it easy for us" is aimed at the low intelligence bracket of customers. Simply, if you have been fooled into opening a message or visiting a site on false pretences, you should have enough commonsense to know it's a fraud. If the subject line doesn't match the content, it's up to no good!

----- Original Message -----
From: Emirs H. Undeniably
To: Rogues Gallery
Sent: Saturday, October 02, 2004 8:18 AM
Subject: Rogues, Order
Thank You, The jobmartes.com Team
<http://antm##t.com or http://tr##bisto.com/ >

ORDER SUMMARY
-------------
ID - 23534563
password - Wf2dvRE
Web Hosting............. $49.85
Setup................... $50.00

Domain Registration..... $20.00
Sales Date.............. 03/10/2004
Domain.................. gerlsbig.com

Total Price............. $119.85
Card Type............... Visa

And another point: Several copies of this message have been received here, to various different entirely inappropriate e-mail addresses which were harvested from the website. The username and password are identical in all of the messages!

Also note that the senders have tried to fake-up your name in the "To" field. They've tried to make it up by assuming that your e-mail address had your name in it. It doesn't work here because the e-mails are things like rogues@ and other such generics. You can implement such a security measure by choosing your email addresses and fooling the assumers.

Summary:

1. Read "PHISHING" by 2nd to Nunn

2. If you think your computer may have been infected, get some anti-spyware software and possibly some antivirus software

3. Be aware of the kinds of cheap tricks the scamsters get up to. Many of the most common ones are exposed and explained on helpful pages such as the Rogues Gallery and the Anti-Virus Measures pages and others linked from them.

4. Next time you buy a computer, make sure it's upgradeable to Linux (an operating system less sievelike than Microsoft). If you were buying a house, you'd make sure the front door fitted well enough that it didn't have a gap underneath so big that a rat could get in, so, the same logic applies to computers.