BCM

Wednesday, September 21, 2005

New attack that targets AOL customers

A new attack targets AOL customers. Users receive a spoofed email that claims to come from the security department at AOL. The email claims that AOL had a security breach over the weekend and that confidential information may have been compromised. It also asks users to connect to a website to download and install a new security patch, which will supposedly protect their information.

When users click on the link, they are redirected to a fraudulent website which is hosted in Scotland. This site hosts a piece of malicious code, named patch.scr, which is written in Visual Basic and uses Yoda Crypt. When the file is run, a wizard opens to guide users through the disclosure of their confidential account and billing information, including their account limit.

Once this information is obtained, it is sent in a text file via FTP to an account at a hosting facility.


Email Body:

from: mandatoryupdate@aol. com

Valued AOL Member:

Over this past weekend America Online fell victim to attacks from hackers. Thousands
of people were affected as personal and private information was illegally stolen
from them off of our servers. We are still unable to identify everyone who was
affected by these attacks.

To prevent this from happening to you or to correct the problem if you have fallen victim to such an attack, we have created a new Security Patch a new, required update for members of all versions of America Online Software.

Failure to download this Security Patch with in the next 48 hours will result in the temporary suspension of your America Online account. At this point we will send you a Security Patch CD in the mail. Upon installing it, your account will be reactivated. Instead of that, you can download our Security Patch right here, or by visiting the following URL: (URL removed)
After logging in you will be prompted to Run the above Security Patch.

We thank you for your cooperation and look forward to continue to serve you.
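
The traits described above (a link to a .scr file, a spoofed aol.com sender pointing at another host, a 48-hour deadline and a suspension threat) can be checked at a mail gateway. The following is an added example, not code from the original post; the sample message, the placeholder URL and the name score_lure are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure above; the link is a placeholder
# because the original URL was removed from the post.
SAMPLE = """\
From: AOL Security <mandatoryupdate@aol.com>
Subject: Required Security Patch

Failure to download this Security Patch with in the next 48 hours will
result in the temporary suspension of your America Online account.
Download it here: http://patch-host.example/patch.scr
"""

RISKY_EXT = (".scr", ".exe", ".pif", ".bat")  # Windows-executable file types
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
DEADLINE_RE = re.compile(r"\b(?:within|with in|in the next)\s+\d+\s+(?:hours?|days?)\b", re.I)
THREAT_RE = re.compile(r"\b(?:suspen\w+|deactivat\w+|terminat\w+)\b", re.I)


def score_lure(raw):
    """Return (score, reasons) for a plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    # The From header is sender-controlled, so a mismatch is a heuristic only.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url.rstrip(".,"))
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(RISKY_EXT):
            reasons.append(f"link to executable file type: {parsed.path}")
        if sender_domain and host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append(f"link host {host} is outside sender domain {sender_domain}")
    if DEADLINE_RE.search(body):
        reasons.append("deadline pressure")
    if THREAT_RE.search(body):
        reasons.append("account suspension threat")
    return len(reasons), reasons


if __name__ == "__main__":
    score, reasons = score_lure(SAMPLE)
    print(score, *reasons, sep="\n")
```

A message that trips several of these checks at once is a candidate for quarantine; any single check on its own will also match legitimate mail.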
