Phishing and Keylogging – The Missing Link?

Here’s evidence that ‘phishing’ – the art of conning users into handing over banking and other passwords by fake, but convincing-looking emails and website — may have branched out into viruses and worms.

Symantec, McAfee and Sophos have published details of a new virus/trojan called Stawin (also known, because the anti virus people don’t seem to be able to standardise these things, as Keylog-Stawin, Troj/Stawin-or Keylogger.Stawin) which appears to have originated in Russia, and which, once installed, will sniff for any banking transactions from about 30 banks or online payment systems in the U.S., Australia and Canada, and will capture passwords and whatnot which it will then email, from time to time, to the hacker.

It does this via an email attachment with, usually, the title ‘I still love you’ — something that’s always nice to hear. If the email attachment — — is opened a small piece of software called a keylogger will install itself and look for the user opening a window with text in its title that matches any of about 60 different words, ranging from Westpac to Hyperwallet. The keylogger will record anything the user types into that window, store it, and occasionally email it to someone — apparently in Russia, since the email address is (You won’t see this happening because the email is not sent via an email program but an inbuilt SMTP engine.)

The bad news: You don’t actually need to get the email version of this to be infected. Variants of the trojan could be received just be viewing a certain webpage, on an instant messaging chat network, or on a file sharing network.

Now we already knew, thanks to the work of folk like Daniel McNamara of Code Fish, that some phishing scam emails appeared to be trying to load keylogger trojans. But this seems to be the first industrial-strength one that targets a wide range of banks and online institutions. Says Daniel, who pointed it out to me: “This is certainly the first key logger one I’ve seen go to such lengths, particulary since it targets a wide range of English-speaking banks/financial institutions.” Most previous keyloggers, he says, tend to focus on one or two banks, usually from Asia or South America.

So is this proof that Russians are behind the bigger phishing scams? Or is this all just a ruse? That email address appears to be Russian, and not just because of the server.  Nick FitzGerald of Computer Virus Consulting says in a posting at SecurityFocus that he is informed by a Russian colleague that the email address is “rather crude if transliterated back into Cyrillic”.


All opinions are my own, and not necessarily those of Thomson Reuters.



RSS loose wire blog