Phishing in the Guise of Enhancing Security
- Wednesday, January 20, 2010, 23:25
- Threat Research
Trend Micro fraud analysts recently came across spammed messages targeting customers of the Fifth Third Bank. The messages urged recipients to log in to a temporary link, http://www.53.com.{BLOCKED}.com.pl/wpserver/cmportal/cblogin.php?session=667882698791972326077742654898739&email=p2t2all@tacobell.com, in order to download and install a digital certificate that would supposedly reinforce the bank’s security. Clicking the link, however, led users to a phishing page that prompts them to key in their user names and passwords. This, as you all probably know by now, is a typical tactic to trick users into giving out their personal credentials, which can then be used for further malicious activities or sold in underground forums.
 |
 |
After signing in, users will see a prompt to download the said digital certificate, certificate.exe, which is actually a malicious file Trend Micro has detected as TSPY_ZBOT.SMAP, which is capable of stealing personal credentials via key logging. The stolen data, mostly banking-related information, are then sent to a couple of URLs via HTTP POST. It also has the capability to stop firewall-related processes to mask its malicious activities.
 |
 |
Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, user access to the malicious sites, and the download of the malicious file.
As additional precaution, however, users are advised to be wary of clicking links in suspicious-looking messages, particularly those that come from unknown senders.
Post from: TrendLabs | Malware Blog – by Trend Micro
Phishing in the Guise of Enhancing Security
About the Author: