You have accessed an archived page on the Public Safety Canada website. This material may be outdated. Please consult our new site for up-to-date information.

Advisory Number: AV04-028
Hackers grab bank details with fake ad
6 July 2004

Purpose
The purpose of this advisory is to bring attention to a new method hackers have found for stealing bank details from home computers.

Assessment
Img1big.gif is a file containing a Trojan named pwsteal.refest. It attempts to secretly install itself on the computer and steal confidential information.

Experts have warned that a virus uncovered last week was hidden inside so-called "pop-up" advertisements that appeared on screen without warning. Clicking on the "close" button to get rid of the advert triggered the virus, which attempted to secretly install itself on the computer. The bug was programmed to wait until the user began logging on to their Internet bank account, at which point it tried to steal personal details, such as passwords, before the information reached the bank. When Internet Explorer makes an HTTP POST request to one of the domains listed below (for example, when the user submits a web form at a bank site), the Trojan also sends the information to a CGI script at www.refestltd.com.

The new Trojan was aimed at customers of nearly 50 banks around the world including:

  • .anz.com
  • .bendigobank.com.au
  • .citibank.com
  • .citibank.de
  • .commbank.com.au
  • .dab-bank.com
  • .deutsche-bank.de
  • .e-gold.com
  • .hsbc.com.au
  • .hsbc.com.hk
  • .online-banking.standardchartered.com.hk
  • .sparkasse-banking.de
  • .stgeorge.com.au
  • banking.lbbw.de
  • banking.mashreqbank.com
  • banknetpower.net
  • barclays.co.uk
  • cd.citibank.co.ae
  • cibconline.cibc.com
  • citibank.com.au
  • dit-online.de
  • easyweb.tdcanadatrust.com
  • ebank.uae.hsbc.com
  • ekocbank.kocbank.com.tr
  • hercules.pamukbank.com.tr
  • internetsube.akbank.com.tr
  • lloydstsb.co.uk
  • national.com.au
  • nbd.ae
  • online-banking.standardchartered.ae
  • online.nbad.com
  • pbg1.edc.citiaccess.com
  • standardchartered.com
  • suncorpmetway.com.au
  • westpac.com.au
  • www.alahlionline.com
  • www.almubasher.com.sa
  • www.arabi-online.com
  • www.cbdonline.ae
  • www.citibank.com.hk
  • www.dahsing.com
  • www.ebank.iba.com.hk
  • www.privatebank.citibank.com.sg
  • www.sabbnet.com
  • www.samba.com
  • www.scotiaonline.scotiabank.com
  • www.unb.com
  • www1.bmo.com
  • www1.royalbank.com

Suggested Action
PSEPC recommends that you ensure your anti-virus detection software definitions are current. Additional information about this Trojan is available at the following links:
http://www.smh.com.au/articles/2004/07/05/1088879407085.html
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.refest.html
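
The behaviour described in the Assessment can also be looked for in web proxy logs. The following is an added example, not part of the original advisory: it flags clients that fetched img1big.gif, contacted www.refestltd.com, or sent a POST there shortly after a POST to a listed bank domain. The log format, the 10-second window, the domain-matching rule and every sample log line are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Indicators named in the advisory text.
EXFIL_HOST = "www.refestltd.com"
DROPPER_FILE = "img1big.gif"
# Three entries copied from the advisory's list; load the full list in practice.
BANK_DOMAINS = (".citibank.com", "easyweb.tdcanadatrust.com", "www1.royalbank.com")

# Constructed sample log (assumed format: time client method host path).
SAMPLE_LOG = """\
2004-07-05T10:00:01 10.0.0.5 GET ads.example.net /banners/img1big.gif
2004-07-05T10:14:30 10.0.0.5 POST easyweb.tdcanadatrust.com /login
2004-07-05T10:14:31 10.0.0.5 POST www.refestltd.com /constructed.cgi
2004-07-05T10:20:00 10.0.0.9 POST www1.royalbank.com /signin
2004-07-05T10:25:00 10.0.0.7 GET www.refestltd.com /
"""

def is_bank(host):
    """Assumed matching rule: exact host or a subdomain of a listed entry."""
    for entry in BANK_DOMAINS:
        bare = entry.lstrip(".")
        if host == bare or host.endswith("." + bare):
            return True
    return False

def triage(log_text, window=timedelta(seconds=10)):
    """Return {client_ip: set of findings} for clients with at least one hit."""
    findings, last_bank_post = {}, {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, method, host, path = line.split()
        ts, host = datetime.fromisoformat(ts), host.lower()
        hits = findings.setdefault(client, set())
        if path.lower().split("?")[0].rsplit("/", 1)[-1] == DROPPER_FILE:
            hits.add("dropper_download")
        if method == "POST" and is_bank(host):
            last_bank_post[client] = ts
        if host == EXFIL_HOST:
            hits.add("exfil_host_contact")
            prev = last_bank_post.get(client)
            # A POST right after a bank form submission matches the described copy.
            if method == "POST" and prev and ts - prev <= window:
                hits.add("post_copied_after_bank_form")
    return {c: h for c, h in findings.items() if h}

if __name__ == "__main__":
    for client, hits in sorted(triage(SAMPLE_LOG).items()):
        print(client, sorted(hits))
```

The function assumes log lines are in time order; a client showing all three findings warrants a credential reset for the bank accounts used from that machine.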

---

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products to our partners. To report threats or incidents, please contact the PSEPC operations coordination centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

Links to sites not under the control of the Government of Canada (GoC) are provided solely for the convenience of users. The GoC is not responsible for the accuracy, currency or the reliability of the content. The GoC does not offer any guarantee in that regard and is not responsible for the information found through these links, nor does it endorse the sites and their content.

Last Updated: 12/14/2006