Combined with a malware distribution campaign

Jun 3, 2009 08:28 GMT

A new phishing scheme is actively targeting customers of the Bank of America Direct Digital Certificate program. Spam e-mails try to trick users into providing their login credentials to a fake page, which also attempts to infect them with malware.

Bank of America Direct is a full-service Internet-based system, generally used by companies to manage their trade activity. To log into it, users must have a digital certificate issued by the bank installed in their browser.

Phishers interested in stealing such accounts also need the accompanying digital certificates in order to access them. Unfortunately, the bank makes it easy for them to obtain both the credentials and the certificates, because an attack can be built around the Bank of America Direct Digital Certificate Pick-up site.

This website allows a certificate owner to download it again if they can provide their company ID, user ID and user password. Therefore, attackers have started sending out phishing e-mails impersonating Bank of America with messages that read: "The Digital Certificate for your Bank of America Direct online account has expired" or "We would like to inform you that we have released a new version of Bank of America Customer Form."

The URL included in the e-mails actually points to a fake copy of the original digital certificate pick-up page, hosted on various domains registered using false information. "All of the links on the [fake] website [...] point to the real Bank of America Direct Digital Certificate program, except the 'CONTINUE' button," notes Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham (UAB).

Pressing the CONTINUE button opens a clone of the form for obtaining a certificate. Filling in the form correctly has two consequences. First, the account is compromised, because the phishers now have all the information required to request a valid certificate themselves and log into the system.

Secondly, instead of being prompted to download the re-issued certificate, as would normally be the case, the victims receive a file called 9129837.exe, which is an information-stealing Trojan.
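The two tells described above lend themselves to an analyst-side triage check. The following Python script is an added example, not code from the article or from UAB: it resolves every link and form target on a suspect page, flags the pattern where the links go to the genuine brand domain while the credential form posts to another host, and checks whether the delivered "certificate" is in fact an executable. The sample page, the lookalike host and the use of bankofamerica.com as the imitated domain are assumptions.

```python
# Added triage check (not the article's or UAB's code): flag a clone whose links mostly go
# to the genuine brand domain while its form posts elsewhere, and an .exe "certificate".
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LEGIT_DOMAIN = "bankofamerica.com"        # domain the clone imitates (assumed)
EXEC_EXTS = {"exe", "scr", "com", "bat", "pif"}

class LinkCollector(HTMLParser):
    """Collects anchor hrefs and form action targets from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links, self.form_actions = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

def host_matches(url, domain):
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def is_executable_download(filename):
    """True when a file offered as a certificate carries an executable extension."""
    return "." in filename and filename.lower().rsplit(".", 1)[-1] in EXEC_EXTS

def analyze(html, page_url, legit_domain=LEGIT_DOMAIN):
    """Resolve every link and form action against the page URL, then compare hosts."""
    p = LinkCollector(); p.feed(html)
    links = [urljoin(page_url, u) for u in p.links]
    forms = [urljoin(page_url, a) for a in p.form_actions]
    to_legit = [u for u in links if host_matches(u, legit_domain)]
    off_forms = [a for a in forms if not host_matches(a, legit_domain)]
    return {
        "links_total": len(links),
        "links_to_legit": len(to_legit),
        "offdomain_form_actions": off_forms,
        # mostly genuine links, yet credentials leave for another host: the clone pattern
        "suspicious": bool(off_forms) and 2 * len(to_legit) >= len(links),
    }

# Constructed sample page on a throwaway host; not a real capture.
SAMPLE_PAGE_URL = "http://example-lookalike.invalid/certpickup/"
SAMPLE_HTML = """<a href="https://www.bankofamerica.com/">Home</a>
<a href="https://www.bankofamerica.com/privacy">Privacy</a>
<a href="https://www.bankofamerica.com/contact">Contact</a>
<form action="/cgi-bin/continue" method="post"><input name="companyid">
<input name="userid"><input name="password" type="password"><button>CONTINUE</button></form>"""
```

The same page served from the genuine domain resolves its relative form action to that domain and is not flagged, so the check keys on where the credentials go rather than on page content.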

According to Mr. Warner, one interesting aspect that differentiates this attack from previous ones targeting digital certificates is that the submitted credentials are actually validated in real time. "The form is submitted using 'x-www-form-encoded' as its methodology, and contacting Verisign via 'pilotonsite.verisign.com/cgi-bin/crs.exe' as part of its authorization process," the researcher explains.

Bank of America Direct users are advised to exercise extra caution and to confirm by phone any request that appears to come from the bank via e-mail. "We actually received more than fifty copies of this new scam, with the earliest arriving May 29th at 9:30 AM," warns Mr. Warner.