According to Henry Gonzalez, senior security researcher for Websense, an attack that targeted online customers of at least 50 financial institutions in the U.S., Europe and Asia-Pacific was shut down this week. The pharming attack could only be successful if a user was lured to a Web site that hosted malicious code exploiting a critical vulnerability revealed last year in Microsoft's software, which has since been patched. Once lured to the Web site, an unpatched computer would download a Trojan horse in a file called "iexplorer.exe," which then downloaded five additional files from a server in Russia. The Web sites displayed only an error message and recommended that the user shut off their firewall and antivirus software.
Once infected, a user could become a victim of financial fraud if they visited any of the targeted banking sites. The user would be redirected to a mock-up of the bank's Web site, which collected their login credentials and transferred them to the Russian server. The user was then passed back to the legitimate site where they were already logged in, making the attack even harder to recognize. The Web sites hosting the malicious code, which were located in Germany, Estonia and the U.K., had been shut down by ISPs as of Thursday morning, along with the look-alike Web sites, Gonzalez said. Websense said at least 1,000 machines were being infected per day, although it was unclear how many people lost money from accounts.