Attack in progress
Linux is fairly resistant, but the user remains just as exposed to social attacks. Here is an example I experienced personally very recently: I received an e-mail supposedly from Barclays. They inform me that suspicious e-mails are circulating, and that they have in fact upgraded their SSL servers for better security. So they include a link to Barclays. But this link actually leads to another site.
The landing site is mrplumbing.us. It redirects to spider.nghsecure.com, which displays "This Account Has Been Suspended. Please contact the billing/support department as soon as possible".
Using a special browser and watching the content of the TCP/IP packets exchanged, I was not risking much. But what would have happened to you if you had been a Barclays customer? And do not forget that other, thoroughly French banks have been the target of this kind of attack.
So a simple rule: do not click on the links offered. And configure your mail client so that it does not execute code automatically. If you do not know how to do that, you can always install Mozilla Thunderbird [1], which offers better default security than Outlook Express. But the best security is you!
[1] http://www.mozilla-europe.org/fr/products/thunderbird/
Here is a copy of the e-mail received:
Received: from spider.nghsecure.com (spider.nghsecure.com [209.197.240.252])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by ...
Received: from [62.135.119.130] (port=46511 helo=User)
by spider.nghsecure.com with esmtpa (Exim 4.52)
id 1Ejnnw-00032S-M1; Tue, 06 Dec 2005 20:09:09 -0500
Reply-To:
From: "Barclays Bank PLC"
Subject: Barclays Fraud Verifications
Date: Tue, 6 Dec 2005 03:08:51 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - spider.nghsecure.com
X-AntiAbuse: Original Domain - thalix.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - barclays.com
X-Source:
X-Source-Args:
X-Source-Dir:
To: undisclosed-recipients: ;
[1. text/html]...
<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 11">
<meta name=Originator content="Microsoft Word 11">
<link rel=File-List href="barmail_files/filelist.xml">
<link rel=Edit-Time-Data href="barmail_files/editdata.mso">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>New Page 1</title>
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>suky</o:Author>
<o:LastAuthor>suky</o:LastAuthor>
<o:Revision>3</o:Revision>
<o:TotalTime>0</o:TotalTime>
<o:Created>2004-01-01T20:57:00Z</o:Created>
<o:LastSaved>2004-01-01T20:57:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Words>187</o:Words>
<o:Characters>1072</o:Characters>
<o:Lines>8</o:Lines>
<o:Paragraphs>2</o:Paragraphs>
<o:CharactersWithSpaces>1257</o:CharactersWithSpaces>
<o:Version>11.5606</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:GrammarState>Clean</w:GrammarState>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
</w:LatentStyles>
</xml><![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0cm;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
p
{font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
span.GramE
{mso-style-name:"";
mso-gram-e:yes;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;
mso-header-margin:35.4pt;
mso-footer-margin:35.4pt;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";
mso-ansi-language:#0400;
mso-fareast-language:#0400;
mso-bidi-language:#0400;}
</style>
<![endif]-->
<meta http-equiv=Content-Language content=en-us>
</head>
<body lang=EN-US link=blue vlink=blue style='tab-interval:36.0pt'>
<div class=Section1>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="100%"
style='width:100.0%;border-collapse:collapse'>
<tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;height:56.25pt'>
<td style='background:#003366;padding:.75pt .75pt .75pt .75pt;height:56.25pt'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="100%"
style='width:100.0%;border-collapse:collapse'>
<tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;mso-yfti-lastrow:yes'>
<td width=222 style='width:166.5pt;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal align=right style='text-align:right'><img width=164
height=28 id="_x0000_i1025"
src="http://www.barclays.co.uk/images_new/home/barclays_logo.gif"></p>
</td>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p align=right style='text-align:right'><b><span style='font-size:10.0pt;
font-family:Arial;color:#00A8DC'>Important Notice: </span></b><b><span
style='font-size:10.0pt;font-family:Arial;color:white'>December. 05, 2005</span></b><b><span
style='font-size:10.0pt;font-family:Arial;color:#00A8DC'>
</span></b></p>
</td>
</tr>
</table>
<p class=MsoNormal> </p>
</td>
</tr>
<tr style='mso-yfti-irow:1;height:15.75pt'>
<td style='padding:.75pt .75pt .75pt .75pt;height:15.75pt'>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="62%"
style='width:62.0%;border-collapse:collapse' id=table3>
<tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;mso-yfti-lastrow:yes'>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal> </p>
</td>
<td width=563 style='width:422.25pt;padding:.75pt .75pt .75pt .75pt'>
<p><span style='font-size:10.0pt;font-family:Arial;color:#003366'><br>
Dear Sir/Madam<span class=GramE>,</span><br>
<br>
Barclays Bank PLC. <span class=GramE>always</span> looks forward for the
high security of our clients. Some customers have been receiving an email
claiming to be from Barclays advising them to follow a link to what appear
to be a <span class=GramE>Barclays</span> web site, where they are prompted
to enter their personal Online Banking details. Barclays is in no way
involved with this email and the web site does not belong to us.</span></p>
<p><span style='font-size:10.0pt;font-family:Arial;color:#003366'>Barclays
is proud to announce about their new updated secure system. We updated our
new SSL servers to give our customers a better, fast and secure online
banking service.<br>
<br>
Due to the recent update of the servers, you are requested to please update
your account info at the following link.</span></p>
<p><b><span style='font-size:10.0pt;font-family:Arial'><a
href="http://mrplumbing.us/WEB-INF/lib/barclays/LoginMember.html"><span
style='color:#00A8DC'>http://www.barclays.co.uk/cgi-bin/accountupdate/1,00,102.html
</span></a></span></b></p>
<p><span style='font-size:10.0pt;font-family:Arial;color:#003366'><br>
</span></p>
<p><b><span style='font-size:10.0pt;font-family:Arial;color:#003366'>J. S.
Smith</span></b><span style='font-size:10.0pt;font-family:Arial;color:#003366'><br>
<i>Security Advisor<br>
Barclays Bank PLC.</i></span><span style='font-size:10.0pt;font-family:
Arial'><br>
</span></p>
</td>
</tr>
</table>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=1 width="100%" align=center>
</div>
<p><span style='font-size:7.5pt;font-family:Arial;color:gray'>Please do not
reply to this e-mail. Mail sent to this address cannot be answered.<br>
For assistance, log in to your Barclays Online Bank account and choose the
"Help" link on any page.<br>
<br>
Barclays Email ID # 1009</span></p>
</td>
</tr>
<tr style='mso-yfti-irow:2;mso-yfti-lastrow:yes'>
<td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal> </p>
</td>
</tr>
</table>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>
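The telltale sign in this mail is a link whose visible text is a barclays.co.uk address while its href points to mrplumbing.us. The following Python code is an added example, not part of the original post or mail, that flags this kind of mismatch in an HTML message body; the names `host`, `LinkAuditor` and `deceptive_links` are chosen here for illustration, and the sample markup is the link copied from the mail above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Link markup copied from the mail reproduced on this page.
SAMPLE = '''<p><b><span style='font-size:10.0pt;font-family:Arial'><a
href="http://mrplumbing.us/WEB-INF/lib/barclays/LoginMember.html"><span
style='color:#00A8DC'>http://www.barclays.co.uk/cgi-bin/accountupdate/1,00,102.html
</span></a></span></b></p>'''

URL_IN_TEXT = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.I)

def host(url):
    """Lower-cased host of a URL, tolerating a missing scheme."""
    url = url if "//" in url else "//" + url
    return (urlsplit(url).hostname or "").lower()

class LinkAuditor(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def deceptive_links(html):
    """Return links whose visible text names a host other than the href's."""
    auditor = LinkAuditor()
    auditor.feed(html)
    findings = []
    for href, text in auditor.links:
        shown = URL_IN_TEXT.search(text)
        if shown and host(shown.group()) != host(href):
            findings.append({"shown": host(shown.group()), "actual": host(href)})
    return findings

if __name__ == "__main__":
    for f in deceptive_links(SAMPLE):
        print(f"link text shows {f['shown']} but href goes to {f['actual']}")
```

A link with neutral text such as "click here" is not flagged; the check only covers the case seen in this mail, where the visible text is itself a URL.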


