Softpedia
September 17th, 2010, 19:54 GMT · By

Commonwealth Bank Phishing via DNS Hijacking Trojan

DNS hijacking trojan used in Commonwealth Bank phishing attack
Security researchers from Sophos warn of an unusual phishing attack targeting Commonwealth Bank customers, which makes use of a DNS hijacking trojan to steal login details.

The attack starts with spam emails abusing a real Commonwealth Bank email template, which includes the organization's logo, copyright notice and other identification elements.

The rogue messages come with a subject of “Update your Commonwealth Bank” and read: "This e-mail is to inform you that your account will be suspended within 48 hours due to your Account Inactivity."

The recipients are told that they need to confirm certain information associated with their account in order to continue using it.

A "Verify My Account Information" link is included in the email, but surprisingly, it doesn't lead to a phishing website.

Commonwealth Bank phishing email sample
Instead, it points to a file called CommBank.scr hosted on an external .cx (Christmas Island) domain, which, if run, installs a computer trojan.

This malware's primary purpose is to phish credentials from users, and it achieves this through two files dropped into the <System>\drivers\etc folder.

One is called pic.url and leads to a Commonwealth Bank phishing page. The other is a HOSTS file containing rogue entries that map the bank's domains to the address of the phishing server. Because Windows consults the HOSTS file before querying DNS, no DNS server has to be compromised for the redirection to work.

This causes all requests for commbank.com or commbank.com.au made from an infected computer to be redirected to a phishing website that mimics the bank's login system.
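A defender-side check for this kind of HOSTS-file hijack, added here as an example (it is not code from the article or from Sophos): it parses HOSTS-file lines the way Windows does and flags entries that pin the bank's domains, or any other Internet hostname, to a fixed address. The sample file contents and the 203.0.113.45 address are constructed for the example.

```python
"""Scan a Windows HOSTS file for hijacked entries (detection example)."""
import ipaddress
from typing import Dict, List, Tuple

# Hostnames that legitimately appear in a stock HOSTS file.
BENIGN_NAMES = {"localhost", "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname to the addresses the HOSTS file assigns it.

    Handles '#' comments, blank lines, tab/space separation and several
    hostnames on one line, which is the grammar Windows accepts."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not an address line; ignore
        for name in names:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def suspicious_entries(text: str, watch_domains: List[str]) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs that look like a hijack: any mapping for a
    watched domain (or a subdomain of it), and any non-loopback mapping of a
    name that is not one of the stock local names."""
    findings = []
    for name, ips in parse_hosts(text).items():
        watched = any(name == d or name.endswith("." + d) for d in watch_domains)
        for ip in ips:
            if watched or (name not in BENIGN_NAMES and not ipaddress.ip_address(ip).is_loopback):
                findings.append((name, ip))
    return findings


# Constructed sample: a stock HOSTS file plus two injected lines of the kind
# the article describes (203.0.113.45 is a documentation-range placeholder).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45\tcommbank.com www.commbank.com
203.0.113.45\tcommbank.com.au www.commbank.com.au\t# injected
"""

if __name__ == "__main__":
    for host, addr in suspicious_entries(SAMPLE_HOSTS, ["commbank.com", "commbank.com.au"]):
        print(f"HIJACKED: {host} -> {addr}")
```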

Ironically, the trojan installer is also infected with a virus called Sality, suggesting that the computer of whoever is behind the phishing attack is affected by this threat.

"[…] It’s unlikely this is a deliberate measure, as we’ve seen uninfected variants of this phishing Trojan in the past (which we detect as Mal/RarHosts-A), and anyway the Sality doesn’t so much hide the Trojan as paint it in bright colours, making it even easier to spot and to block," explained Richard Cohen, a malware researcher at Sophos.
