
TrjBankerLKC_1

TrjBankerLKC_1 by PandaSecurity.
New pharming attack using the Banker.LKC Trojan. Victims of this attack could find that their bank details end up in the hands of cyber-crooks.

Pharming is a sophisticated version of phishing. It involves manipulating the DNS (Domain Name Server) through the configuration of the TCP/IP protocol or the hosts file. The DNS servers store the numeric address or IP address (e.g. 62.14.63.187) associated with each domain name or URL (e.g. www.mibanco.com). The result of the cyber-criminals’ interference is that when a user enters the name of a Web page, the server redirects them to another number, i.e. another IP address hosting a fraudulent Web page designed to look like the original page.

In this case, the Banker.LKC Trojan is responsible for the manipulation of the DNS. This malicious code reaches systems under the name “VideoPhone[1]_exe”. Once it is run, and in order to trick users, it opens a browser window displaying a website selling the iPhone (see image).

While users are viewing this page, the Trojan modifies the hosts file, redirecting the URLs of banks and other companies to a false web page. This way, users trying to access these banks by typing in the address or following a link from an Internet search will be redirected to the spoof page. There they will be asked for confidential details (account number, transaction password, etc.), which will fall straight into the hands of cyber-crooks.
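A defender-side check for the hosts-file tampering described above, added here as an example and not code from Panda Security: it parses hosts-file text and flags every hostname pinned to a non-loopback address, raising the severity for names on a watch list. The sample content, the `watched` list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are illustrative
# (203.0.113.0/24 is a reserved documentation range).
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example   # blocklist-style sinkhole
203.0.113.45    www.mibanco.com mibanco.com
203.0.113.45\twww.otherbank.example # injected
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()                    # spaces or tabs
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # skip malformed addresses
        if len(fields) > 1:
            yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def audit_hosts(text, watched=()):
    """Return one finding per hostname pinned to a non-loopback address."""
    watched = {w.lower() for w in watched}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                             # localhost entries and sinkholes
        for name in names:
            # A watched domain or any of its subdomains is high severity.
            hit = any(name == w or name.endswith("." + w) for w in watched)
            findings.append({"line": line_no, "ip": str(ip), "host": name,
                             "severity": "high" if hit else "review"})
    return findings
```

On a live system the same function can be fed the contents of the machine's hosts file; entries marked `review` may be legitimate intranet mappings and need a human decision.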
