Over 1 million messages have already been sent out

Jun 22, 2012 11:06 GMT

BancorpSouth customers are advised to be on the lookout for suspicious emails that purport to originate from the financial institution.

AppRiver provides an example of such an email:

Dear Account Holder,

This message is mailed to you regarding your online baking user passwords has been expired.

Set up a new user password by following these step:

1. Log into your online banking by our secure link for Expired Passwords and entering the temporary password below. Your temporary password is: nb42xStg765bnk

2. You will then be prompted to change your password. The temporary password will expire in 24 hours.

So, let’s analyze the email for a second. It’s poorly worded, it addresses the recipient with “Dear account holder,” and it leverages the classic “your password has expired” topic to attract the user’s attention.

As expected, the link doesn’t actually point to the bank’s “secure link for expired passwords,” but to a malicious domain that hosts the infamous Blackhole exploit kit that attempts to push a piece of malware via the vulnerabilities it finds on the targeted computer.
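The indicators called out above (a generic "Dear account holder" salutation, the "password has expired" lure, a temporary password handed out in the body, and a link that does not go to the bank's own domain) are all cheap to check mechanically. The following Python script is an added example, not code from the article or from AppRiver, that scores a plain-text message on exactly those indicators. The trusted domain `bank.example`, the link host in the sample, and the point values are assumptions chosen for illustration; the sample message is constructed after the one quoted above.

```python
"""Heuristic triage of a suspected credential-phishing email (added example)."""
import re
from urllib.parse import urlparse

# Assumed: the institution's legitimate domain(s). Placeholder, not from the article.
TRUSTED_DOMAINS = {"bank.example"}

GENERIC_SALUTATIONS = ("dear account holder", "dear customer", "dear user", "dear member")

# (reason label, regex applied to the lower-cased body, points)
LURE_PATTERNS = (
    ("password-expired lure", r"passwords?\s+(has|have)\s+(been\s+)?expired", 1),
    ("expired-password link", r"expired\s+passwords?", 1),
    ("urgency (24 hours)", r"expires?\s+in\s+24\s+hours", 1),
    ("temporary password in body", r"temporary\s+password\s+is\s*:?\s*\S+", 2),
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def external_hosts(body, trusted=TRUSTED_DOMAINS):
    """Return the hosts of all links in the body that are not the institution's own."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not any(host == d or host.endswith("." + d) for d in trusted):
            hosts.add(host)
    return sorted(hosts)


def score_email(body, trusted=TRUSTED_DOMAINS, threshold=4):
    """Return (score, reasons, is_suspicious) for a plain-text message body."""
    text = body.lower()
    score, reasons = 0, []
    if any(s in text for s in GENERIC_SALUTATIONS):
        score += 1
        reasons.append("generic salutation")
    for label, pattern, points in LURE_PATTERNS:
        if re.search(pattern, text):
            score += points
            reasons.append(label)
    for host in external_hosts(body, trusted):
        score += 2  # a link to a non-bank host is the strongest single signal
        reasons.append(f"link to untrusted host: {host}")
    return score, reasons, score >= threshold


# Constructed sample modelled on the quoted message; the URL is a placeholder.
SAMPLE_PHISH = """Dear Account Holder,

This message is mailed to you regarding your online baking user passwords has been expired.

Set up a new user password by following these step:

1. Log into your online banking by our secure link for Expired Passwords
   https://secure-login.reset-portal.example.net/expired
   and entering the temporary password below. Your temporary password is: nb42xStg765bnk

2. You will then be prompted to change your password. The temporary password will expire in 24 hours.
"""

# Constructed benign message: personal salutation, no lure, link on the bank's own domain.
SAMPLE_BENIGN = """Hi Jane,

Your June statement is ready. Sign in at https://online.bank.example/statements to view it.
"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        score, reasons, flagged = score_email(body)
        print(f"{name}: score={score} flagged={flagged}")
        for r in reasons:
            print("  -", r)
```

The score is deliberately additive so that a single weak signal (a generic salutation in a legitimate mass mailing) does not trip the threshold on its own, while the combination the article describes does; in a mail gateway the same checks would run over the decoded text part of each message and feed a quarantine decision rather than a print statement.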

The Trojan involved in this campaign is not out of the ordinary. It can read cookies, modify browser proxy settings, change the browser’s network configuration, and perform other tasks.

An interesting thing about it is that it self-destructs if it detects the presence of a debugger. This way, the developers can ensure that security researchers will have a hard time studying their creation.

The spammers that run this particular campaign have been highly active in the past weeks. Malicious links are hosted on 100 different domains, and over 1 million emails have already been quarantined.

While an organization such as BancorpSouth might seem somewhat of an odd target, mainly because the number of potential victims is fairly low, experts argue that the cybercriminals want to keep their social engineering tactics “fresh.”

The financial institution is aware of these fake emails, and an awareness-raising campaign is ongoing.