
Archive for May 9th, 2008


May9
by Fatima Bancod (Email Security Analyst)

The Trend Micro Content Security Team has encountered a phishing attack similar to the ones that recently targeted Bank of America and Comerica customers. The scheme, in which victims are told to download a "digital certificate" from a link in the spammed email, is now being used to fool Merrill Lynch Business Centre customers.

Below is a screenshot of the spammed email message:

The visible link in the email is a hypertext string that leads to the phishing URL hxxp://wcma.businesscenter.mlbank.bcprivate9054.wcmaloginea.aspxsystem.meetingid.12469.programs.dvppserv.1291logon.info/WCMALoginEA.htm. The URL poses as the Business Centre's home page.

Clicking on the link takes users to a page where they are prompted to download a required "digital certificate." The phishing site is already inaccessible as of this writing.

Sunbelt also warns in its blog that this technique is very likely being reused in other campaigns as well.


May9
by Paul Oliveria (Technical Communications)

Unsuspecting users who wish to buy (or simply admire) the new Honda Accord are warned that they may fall victim to a drive-by download leading to the installation of information-stealing malware. TrendLabs discovered today an attack on the official web site of Honda Cars in Thailand.

According to Advanced Threats Researcher Jonell Baltazar, who discovered the compromise, the affected page, hxxp://www.honda.co.th:80/accord, was injected with a malicious script tag (detected by Trend Micro as HTML_IFRAME.QJ) that loads a page from the cleverly named getanewmazda.info domain. That page contains a script that probes for vulnerabilities in order to download and execute a file on the victim's system. The downloaded file (named crypt.exe and saved as c:\winQZfio771.exe) is detected as TSPY_ZBOT.LA.

This compromise was discovered through the feedback technology built into our customers' products, which allows our systems to monitor and block potentially malicious URLs. In this case, a client visit to the compromised site automatically registered the HTML_IFRAME.QJ detection, protecting that user from further infection. Trend Micro Web Threat Protection now blocks access to the compromised site, protecting customers from possible infection.
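One way a site owner can check their own pages for this kind of injected off-site load, as an added example that is not Trend Micro's code or the detection it describes: a small Python scanner that flags <script> and <iframe> elements whose src points outside the page's own host and notes when an iframe is sized to be invisible. The sample HTML and the injected-domain.example host are constructed for illustration, and the same-site check is a naive host-suffix comparison rather than a public-suffix-aware one.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LoadCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> tag, with its attributes."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.found.append((tag, a["src"], a))

def _same_site(host, site_host):
    # Naive check (assumption): on-site means equal to the page's host or a
    # subdomain of it; no public-suffix list is consulted.
    return host == site_host or host.endswith("." + site_host)

def find_offsite_loads(html, page_url):
    """Return (tag, src, hidden) for each script/iframe loaded from another site.
    hidden is True when the element declares width="0" or height="0", the usual
    way an injected iframe is kept out of the visitor's view.
    """
    site_host = (urlparse(page_url).hostname or "").lower()
    if site_host.startswith("www."):
        site_host = site_host[4:]
    collector = _LoadCollector()
    collector.feed(html)
    hits = []
    for tag, src, attrs in collector.found:
        host = urlparse(src).hostname  # None for relative paths like /js/main.js
        if host is None or _same_site(host.lower(), site_host):
            continue
        hidden = attrs.get("width") == "0" or attrs.get("height") == "0"
        hits.append((tag, src, hidden))
    return hits

# Constructed sample page: two legitimate scripts plus one injected, invisible iframe.
SAMPLE_HTML = """<html><head><title>Accord</title>
<script src="/js/main.js"></script>
<script src="http://www.honda.co.th/js/gallery.js"></script>
</head><body><h1>Accord</h1>
<iframe src="http://injected-domain.example/x.html" width="0" height="0"></iframe>
</body></html>"""
```

Running find_offsite_loads(SAMPLE_HTML, "http://www.honda.co.th/accord") reports only the injected iframe; the relative and same-site scripts are ignored.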

Below is a screenshot of the compromised page within the Honda Cars site. Note that the malicious script also affects both the English and Thai landing pages (main.html) once a user accesses either of them:

Screenshot of affected Honda Cars page

The downloaded TSPY_ZBOT.LA, in turn, accesses yet another domain, from which more malicious files may be downloaded. As of this writing, our researchers found user names and passwords stored on this domain, suggesting that it serves either as a phishing page or simply as storage from which cyber criminals can easily retrieve stolen information.

This is not the first time a Thai site has been compromised. In the past couple of months, we have reported similar incidents affecting the sites of the Royal Thai Air Force and Udiya Tours of Northern Thailand, among others.

Note that this seems to be an isolated incident: as far as the Honda enterprise is concerned, only the Honda Cars Thailand site has been injected with the malicious script. As of this writing, Honda Cars Thailand has promptly taken its site offline in order to address the matter.

Consolidated findings of the Advanced Threats Research, APAC RTL, and Web Threat Protection teams at TrendLabs

© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice