Thursday, February 26, 2009

Another Password Stealer hides as Bank of America video malware

One of our top spam campaigns today at the UAB Spam Data Mine is the newest Snifula/Gozi password stealing trojan, this time disguised as a Bank of America malware.



I'll go ahead and give you the text of their warning, because this is just hilarious on a website THAT INTENDS TO PLANT A KEYLOGGER ON YOUR COMPUTER!


Changes to the Online Security Policy !

Bank of America would like to make you, a valued customer of Bank of America, aware of a form of online fraud - keylogging - that could adversely affect your business and your employees. Keylogging, a process used to steal confidential information such as names, account numbers, and other personal information, is fast becoming one of the most prevalent online threats used by data thieves and fraudsters.

What you can do
We strongly encourage you to take steps today to lower the chance of a keylogger or any other form of malware being installed on your personal computer or your business machines. Here are guidelines to assist you.

1. Install 128-bit logging protection software on all computers: Download now
Installation is quick and simple - download BofAsetup.exe - double click downloaded file - finish installation.

This will reduce the risk of internal fraud, while at the same time making it more difficult for outside programs to find both of your company's user names and passwords...


The email, which we've seen several hundred times so far, will contain a link to one of the following websites:

videopatchdownload.com
viewvideopatch.com
screensecuritypatch.com
serverupdtatevideo.com
patchdownloader.com

Faithful readers will already know that these will have all been created today, using the Chinese registrar BizCN.com. Its almost not worth looking up, the pattern is so predictable. But, lest we be accused of not being thorough, we did. Yeah, its BizCN.com. There are always five domains, all sharing the same nameserver, in this case, ns1.localterms.com.

The spam message itself has used FIFTY different subject lines:

Adopt Best Practices Online - Bank of America
Always "Log-off" Internet Banking first then close your browser - Bank of America
Always remember to Log-Off Internet Banking - Bank of America
Avoid accessing your online banking information at Internet or Cyber cafes - Bank of America
Bank of America, and/or Banc of America security # apply updates
Bank of America, and/or Banc of America security # Ensure that your operating system has all latest patches and updates installed.
Bank of America, and/or Banc of America security # Ensure that your operating system updated.
Bank of America, and/or Banc of America security # latest patches and updates installation.
Bank of America, and/or Banc of America Security alert
Bank of America, and/or Banc of America security measures
Bank of America, and/or Banc of America security measures 2008
Bank of America, and/or Banc of America security measures 2008 you can take to protect your company
Bank of America, and/or Banc of America security measures you can take to protect your company
Bank of America, N.A. (BANA) and/or Banc of America also provides extensive information regarding identity theft prevention
Bank of America, N.A. (BANA) and/or Banc of America has developed a Fraud Prevention Checklist
Bank of America, N.A. (BANA) and/or Banc of America has developed a new 128 bit sofware
Bank of America, N.A. (BANA) and/or Banc of America has developed an update for log in page
Bank of America, N.A. (BANA) and/or Banc of America has developed new anti-Fraud feature
Bank of America, N.A. (BANA) and/or Banc of America has developed new free protection tool
Bank of America, N.A. (BANA) and/or Banc of America has developed serious protection
Bank of America, N.A. (BANA) and/or Banc of America has developed special file protection
Bank of America, N.A. (BANA) and/or Banc of America is committed to providing you with a convenient, safe and secure online banking
Bank of America, N.A. (BANA) and/or Banc of America News - security development
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use 128 bit file
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use fraud prevention procedures
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use security update
Bank of America, N.A. (BANA) and/or Banc of America recommend that you use updated browser
Bank of America, N.A. (BANA) and/or Banc of America recommend to review your account security
Bank of America, N.A. (BANA) and/or Banc of America would like to announce latest update
Bank of America, N.A. (BANA) and/or Banc of America would like to inform you lates development
Bank of America, N.A. (BANA) and/or Banc of America would like to inform you news
Bank of America, N.A. (BANA) and/or Banc of America would like to inform you security updates
Bank of America, N.A. (BANA) and/or Banc of America would like to open new security features
Bank of America, N.A. (BANA) and/or Banc of America would like to stop fraud practice
Check your computer manufacturer's (hardware/operating system) Web site for "patches"
Do not share your Internet Banking User name and Password with anyone - Bank of America
Don't share access to your computer with strangers - Bank of America
Financial data confidential at all times - Bank of America
Install Firewall software on your home and networked computers - Bank of America
Learn about computer infections and be aware of the latest computer viruses - Bank of America
Memorize your Password and Bill Pay Security Key and never write it down or reveal it to anyone - Bank of America
Only provide information that you initiate through an application - Bank of America
Our systems and security procedures- Bank of America
Protect them and change your Passwords on a regular basis - every 60 days - Bank of America
Protect Your Computer - Bank of America
Protected from unauthorized use - Bank of America
The security of your information is paramount- Bank of America
This will help prevent others from being able to view your online banking information - Bank of America
Use a combination of both letters and numbers - Bank of America.
Your Log-In Information - Bank of America
Your Password to your online account information - Bank of America

The faithful readers will also already know that these websites are all "Fast Flux hosted", and that they use the same Fast Flux network as the ASProx phishing spam.

So, for example, the IP address 24.87.189.139, Shaw Communications in Calgary, is hosting our current video malware, but has also been seen hosting Classmates.com malware (which is Snifula/Gozi), such as domains such as customeridclass.com, , as well as the current "Net Teller" phishing campaign on domains like ijili.be, proftd.name, id-refts.mobi, proftd.eu, uttjii.eu, and utltii.eu -- the "Comerica" phishing on domains such as r003.eu, idir04.eu, dll-5.eu, v005.eu, dll-8.eu, dirv-8.eu.

Of course there are hundreds of other hacked home computers which are also hosting these domains. The five that currently come back when I make a query are:

76.122.72.90
76.213.152.58
24.87.189.139
75.118.162.91
76.98.48.103

And, lest I miss the chance to remind you, YOUR ANTI-VIRUS SOFTWARE WILL NOT PROTECT YOU. The current detection of this malware is THREE of 39 products can identify this virus:



Don't rely on your Anti-Virus software, rely on being a smart Internet user.

Good luck!

No comments:

Post a Comment