
Archive for July 1st, 2008


Jul 1
by Loucif Kharouni (Threats Analyst)

Here is a new style from NUWAR, a.k.a. Storm. NUWAR is sending spam as usual, but this time with slightly different content. As seen below, the message claims to link to a free video starring Liv Tyler (see highlighted text).


Figure 1. Spam mail enticing users to click on the link to watch a video.
Once a user clicks the link in the message, he/she ends up here:


Figure 2. Instead of Liv Tyler, the user gets a blue Web page and a certain “security error.”

These “security errors” suggest that the PC has been infected by spyware. If the user falls for the ploy and clicks OK, he/she is prompted to download INSTALL_EN.EXE, which Trend Micro detects as WORM_NUWAR.AL.

WORM_NUWAR.AL then drops other malicious files, which Trend Micro detects as WORM_NUWAR.AE and WORM_NUWAR.AN. This attack departs from the modus operandi of typical rogue anti-spyware schemes: the downloaded file is not a fake anti-spyware program but malware itself.

Our honeypots have caught similar NUWAR spam with different subject headings or content; one example is shown below:


Figure 3. Spam found to exhibit the same attack algorithm.

Interestingly, a Google search for “Best AntiSpyware Solution” reveals several sites that appear to have been compromised to host files showing the same fake errors. These pages also lead users to download the malicious files. Users should update their anti-spam and anti-malware programs to filter out the spam and detect the NUWAR variants. The Trend Micro Smart Protection Network blocks this attack at several points in the infection chain.


Posted in Spam

Jul 1
by Fatima Bancod (Fraud Analyst)

Trend Micro Content Security discovered a phishing URL that, when loaded, displays a Web page strikingly similar to that of the Irish bank Permanent TSB (formerly known as the Irish Permanent Building Society).

Online banks usually secure the transactions processed within their domains by using a secure protocol; this has become a standard for online banking. Tech-savvy users who receive this URL via email can thus tell that the site is suspicious because, unlike the Web sites of legitimate online banks, it shows a lack of security on two counts:

  1. The lock icon in the status bar is missing (browsers display the lock icon on the status bar to show that the site is secure)
  2. The protocol used by the Web site is http, not https
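
The two indicators above can be checked mechanically before a link is ever opened. The following is an added example, not code from the original post or from Trend Micro, that applies them to a link and its page title: it flags a page that names the bank brand but is served over plain http (so no lock icon would appear), and a page that carries the brand while sitting on a host other than the bank's own. The legitimate host name and the sample links are constructed placeholders, not values from the post.

```python
from urllib.parse import urlparse

# Assumption: placeholder for the bank's real domain; not taken from the post.
LEGITIMATE_BANK_HOST = "bank.example"

# Brand terms a page imitating this bank would carry (the service names named in the post).
BRAND_KEYWORDS = ("permanent tsb", "permanenttsb", "open24")


def is_on_host(host: str, legitimate_host: str) -> bool:
    """True only for the bank's domain or a subdomain of it.

    The suffix check keeps the leading dot so that lookalikes such as
    'bank.example.attacker.test' are rejected; a plain substring test would accept them.
    """
    host = host.lower()
    return host == legitimate_host or host.endswith("." + legitimate_host)


def analyze_login_url(url: str, page_title: str = "",
                      legitimate_host: str = LEGITIMATE_BANK_HOST) -> dict:
    """Apply the two indicators from the post to a link and its page title.

    plain_http          -> served over http, so the browser shows no lock icon
    brand_impersonation -> mentions the bank brand but is not on the bank's host
    suspicious          -> a bank-branded page over plain http, or an impersonation
    """
    # Links without a scheme are opened as http by browsers; treat them that way.
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    plain_http = parsed.scheme.lower() == "http"
    text = (page_title + " " + url).lower()
    mentions_brand = any(keyword in text for keyword in BRAND_KEYWORDS)
    brand_impersonation = mentions_brand and not is_on_host(host, legitimate_host)
    return {
        "host": host,
        "plain_http": plain_http,
        "brand_impersonation": brand_impersonation,
        "suspicious": (plain_http and mentions_brand) or brand_impersonation,
    }


# Constructed sample links (not the URL from the post).
SAMPLES = [
    ("http://open24-login.example.net/ie/login", "Permanent TSB Open24 Login"),
    ("https://bank.example/open24/login", "Permanent TSB Open24 Login"),
    ("https://bank.example.attacker.test/open24", "Permanent TSB Open24 Login"),
    ("https://news.example.org/story", "Daily headlines"),
]


def triage(samples=SAMPLES) -> list:
    """Return (url, suspicious) pairs for a batch of links, as a mail filter might."""
    return [(url, analyze_login_url(url, title)["suspicious"]) for url, title in samples]


if __name__ == "__main__":
    for url, flagged in triage():
        print(("SUSPICIOUS " if flagged else "ok         ") + url)
```

The third sample is the reason `is_on_host` compares against a dotted suffix rather than looking for the bank's name anywhere in the host: a phishing host can embed the legitimate domain as a prefix and still be entirely under the attacker's control.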

The phishing Web site asks the user for his/her Open24 Number and Internet Password. Open24 is the online banking service the bank established to let clients access their records and transact via the Internet. The Open24 Number is usually printed on account-holders’ ATM or LASER cards, along with the Internet Password.


Figure 1. The fake Permanent TSB Web site mimics even the legitimate site’s security advisory at the bottom portion: “Permanent TSB will NEVER ask you to confirm your secure login details by e-mail,” it says.

After keying in his/her credentials and clicking the CONTINUE button, the user is redirected to another phishing Web page that asks for the user’s 6-digit Personal Access Number, a password previously created by the user. This password is a second layer of authentication that banks use to test whether the user is really who he/she claims to be.


Figure 2. The fake Permanent TSB Web site manages to copy even the second layer of verification of the legitimate site by asking for the user’s Personal Access Number.

After typing in the PAN and pressing the CONTINUE button, the user is directed to the legitimate Permanent TSB Web page, where he/she has to go through the login procedure again (an ex post facto clue that the user’s information has been stolen and that the prior transaction was not legitimate). At this point the phishers already have the user’s sensitive account information, which they may sell to other cyber criminals or use to siphon money from the victim’s accounts.

Banks enforce two-factor authentication to verify a person’s real identity. Permanent TSB implements this measure by requiring the user to enter something the user physically owns (the Open24 number) along with something only the user knows (the 6-digit Personal Access Number). This makes it much more difficult for someone who has stolen an account-holder’s ATM card to pose as the owner of the account.

However, this phishing attack renders the two-factor authentication measure useless because all the information needed to log onto the site is captured. Banks like Permanent TSB can only go so far as to warn their clients about attacks like these circulating in the wild; ultimately the bank is not responsible for the user’s actions. Users must thus practice extreme caution by visiting their banks online only through their own clean bookmarks. While we have yet to see samples of spam messages containing links to the malicious URL, the Trend Micro Smart Protection Network already blocks it. Trend Micro users are thus protected from this phishing attack.


Posted in Phishing


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice