e-gold, E-Bullion, Pecunix, and Liberty Reserve systems appear to be targets of virus writers intent on obtaining login credentials for those users. The compromise method appears to involve a combination of:
- False IP address entry in hosts file, used to send user to fake site
- Fake self-generated SSL certificate, used to establish https connections
- Compromised user machines to pull live page content from real sites for display at fake sites
The following IP addresses appear to host the given sites:
- https://216.255.185.26/ fake www.e-gold.com
- https://216.255.185.27/ fake libertyreserve.com
- https://216.255.185.28/ fake secure.e-bullion.com
- https://216.255.185.29/ fake secure.pecunix.com
Infected computers may not even warn about fake SSL certificates if appropriate malicious CA certificates have been installed by the given virus. The fake SSL certificates contain somewhat realistic looking information, such as issuance from "Thawt Consulting cc", approximating the legitimate certificate business Thawte. The thumbprint/fingerprint of the fake e-gold certificate does not match the correct value.
These sites appear to be the work of spammers known as the Russian Business Network (RBN).
The Security Recommendations at the e-gold site provide information about helping to protect yourself from unsafe surfing. These include the details for the legitimate e-gold SSL certificate issued via VeriSign.
Comments