Jul 21, 2011 16:41 GMT

Security researchers from Trend Micro warn of a new email attack distributing a banking trojan that targets the customers of Spanish financial institutions.

The emails purport to come from the National Police of Spain and contain a link to a trojan downloader which, when run, installs the banking malware detected by Trend Micro as TSPY_BANCOS.QSPN.

One interesting aspect of this attack is that the command and control servers are hosted on legitimate websites that have been compromised.

The cyber criminals behind this campaign create special directories on the compromised sites where they place their malicious scripts. A list of these URLs is downloaded from a particular domain.

The scripts hosted on these C&C domains forward the reports sent by the malware to a central server controlled by the attackers. This gives the attack much more flexibility.

If the main C&C goes down, the attackers can simply modify their scripts to send data somewhere else, and since it's a known fact that webmasters rarely respond to abuse reports, there will always be at least one compromised website up and receiving data.

The malware monitors browser requests for the websites of several financial firms, including Banco Popular, Bankinter, Cajasol, Caixa, and Western Union. If a request is intercepted, the malware displays a phishing page spoofing the bank's site, which attempts to obtain the victim's financial information.

"While this attack may appear to be concentrated in Spain, users should be equally vigilant and familiar with such frauds. Similar attacks and other threats may already be on their way: mailbox, web searches, or to popular social networking sites," the Trend Micro researchers warn.

The Spanish National Police (la Guardia Civil) are aware of the attack and have already issued an alert on their website. The fake emails mention a non-existent police investigatory procedure.