November 08, 2005
Even More on Phishers with Trojans
As a follow-up to a previous post, the folks at Web Sense Security Labs pursued the stuff that the Trojan Dropper drops. One of the things they found was a program that modifies a Windows Registry entry to redirect browser access intended for PayPal to a completely bogus site. Check out the screenshots. While the phishing message described there and in my post are cosmetically identical, the executable file names in the links differ. Perhaps the crook changed the file name after the Web Sense notice.
An alert user (but not alert enough to avoid clicking on the installer link in the first place) would hopefully notice that the bogus pages aren't being served up through a secure (https://) connection. Then again, such a user might be so focused on the possibility of losing his or her PayPal account (and any funds that might be in it) that he or she looks only at the form fields, not at the Web page. Of course, even if the machine is infected with this nasty business, trying to trace the problem without antivirus software or firm knowledge of how the Windows Registry works would be next to impossible.
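For anyone who does want to trace this kind of problem by hand, here is an added audit script (not from the original post or from Web Sense) that lists the registry-level settings a browser-redirecting Trojan could use to send PayPal traffic elsewhere. The post does not name the registry entry the dropper modifies, so the proxy, auto-config and hosts-file locations checked here are assumptions about where such a redirect typically lives, and the "paypal" search string is a constructed value.

```powershell
function Find-BrowserRedirects {
    param([string]$Watch = 'paypal')   # constructed string to look for
    $findings = @()

    # 1. Per-user Internet Settings (assumed location): a proxy or an
    #    auto-config script can silently route traffic to another host.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        if ($p -and $p.$name) { $findings += "Internet Settings\$name = $($p.$name)" }
    }

    # 2. Hosts-file location (assumed location): the directory that holds the
    #    hosts file is itself a registry value, so a substitute file can be
    #    pointed at without touching the real one.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dbPath = (Get-ItemProperty -Path $tcpip -Name DataBasePath `
               -ErrorAction SilentlyContinue).DataBasePath
    $expected = Join-Path $env:SystemRoot 'System32\drivers\etc'
    if ($dbPath -and ($dbPath -ne $expected)) {
        $findings += "DataBasePath is '$dbPath' (expected '$expected')"
    }

    # 3. The hosts file that path resolves to: any line that maps a hostname
    #    containing the watched string to a non-loopback address is a redirect.
    $base = if ($dbPath) { $dbPath } else { $expected }
    $hostsFile = Join-Path $base 'hosts'
    if (Test-Path $hostsFile) {
        foreach ($line in Get-Content $hostsFile) {
            if ($line -match "^\s*(\S+)\s+\S*$Watch" -and
                $Matches[1] -notmatch '^(127\.|::1$)') {
                $findings += "hosts entry: $line"
            }
        }
    }

    if ($findings.Count -eq 0) {
        "No browser-redirect settings mentioning '$Watch' found."
    } else {
        $findings | ForEach-Object { "FINDING: $_" }
    }
}

Find-BrowserRedirects
```

A proxy or auto-config value is reported whether or not it mentions PayPal, since either one deserves a look on a machine that has run an unknown installer.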
At least the site that hosted the original Trojan and bogus pages is now no longer active. Until they show up someplace else.