Topic: Economic Crisis: A Phishing and Malcode Opportunity

[Samker]

In the past few weeks as a flurry of global financial institutions have suffered, a lot of names have been bandied about. Some banks have merged, some banks have faltered, and some government programs have been highlighted. It turns out that this is giving some enterprising phishers and malcode authors an opportunity. They’re preying on fears and name recognition.

The latest scam I just got was a Goldun spyware delivery scheme claiming to be a statement for your account. The emails look like this:

From: Federal Deposit Insurance Corporation
 To: @arbor.net
 Subject: funds wired into your account are stolen                                                       

 Dear bank account owner,                                                     

 Funds wired into your account are stolen from innocent account holders
 through Identity Theft. Please check your account statement (the statement
 is attached to this letter) and contact your bank account manager.           

 Federal Deposit Insurance Corporation

The attachment has the name “statement.exe” and is a UPX packed executable with the MD5 b6883affd9296b11145f6a0dce7056c3. It drops three files:
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt

Goldun’s then try to download other malcode. This malcode has been around for a while, this is just the latest scheme to entice you to run the file.

In the past few days we’ve also seen combined phishing and malcode attacks against Wachovia, Merril Lynch, and other financial institutions. They usually use fast flux domains to host the attack. Some of the enticements are around banking changes, and these institutions have recently merged with other firms, so users may fall for the “we are upgrading our systems, please install this new SSL certificate” scheme. When you visit the site you get a phishing page and malcode dropped onto you box.

One of the Wachovia emails making the rounds right now looks like this:

WACHOVIA CORPORATION NOTICE.                                                                                                                                   

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent
failure of Wachovia. The Citigroup/Wachovia would focus on upgrading
banks' security certificates. All Wachovia customers must fill the forms
and complete installation of new Citigroup Standard digital signatures
during 48 hours. Please follow the installation steps below:                                                                                                   

Read more here>>                                                                                                                                               

Sincerely, Rodrick Baird.
 2008 Wachovia Corporation.
All rights reserved.

Here’s what this campaign’s website looks like:



We’ve been tracking these fast flux domains and will continue to do so, and we will continue to work with the anti-phishing community to identify and shut down such phishing attacks.

(Arbor Networks)