TrendLabs Malware Blog

Pop Star’s Death Used as Bait in Mexican Phishing Attack


    We just discovered a new Web threat affecting Mexican online banking users, specifically those with a Banco Bilbao Vizcaya Argentaria (BBVA) account. It starts with a well-crafted email supposedly sent by the newspaper El Universal, claiming that the Mexican pop star Luis Miguel died in a car accident on a local highway and encouraging users to download the "tragic" video and images. The news is, of course, bogus: the pop star is alive and well.

    Below is a screenshot of an email sample:


    Figure 1. Sample of email claiming ‘death’ of Mexican pop star

    Once the user clicks on the link hxxp://www. {BLOCKED}design.com/inside/noticias/actualidad/iniciarvideo.php, the file camaraprivada.exe, detected as WORM_MPLAYAH.A, is downloaded to the local desktop. When opened, it launches a new browser window pointed at the genuine El Universal homepage.

    This may look like benign behavior, but closer inspection of the affected system shows a noticeable change in the HOSTS file:

    • {BLOCKED}.{BLOCKED}.5.234 bancomer.com
    • {BLOCKED}.{BLOCKED}.5.234 bancomer.com.mx
    • {BLOCKED}.{BLOCKED}.5.234 bbva.com
    • {BLOCKED}.{BLOCKED}.5.234 bbva.com.mx
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://bancomer.com
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://bancomer.com.mx
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://bbva.com
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://bbva.com.mx
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://www.bancomer.com
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://www.bancomer.com.mx
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://www.bbva.com
    • {BLOCKED}.{BLOCKED}.5.234 hxxp://www.bbva.com.mx
    • {BLOCKED}.{BLOCKED}.5.234 www.bancomer.com
    • {BLOCKED}.{BLOCKED}.5.234 www.bancomer.com.mx
    • {BLOCKED}.{BLOCKED}.5.234 www.bbva.com
    • {BLOCKED}.{BLOCKED}.5.234 www.bbva.com.mx

    The entries above cause every lookup of a BBVA hostname to resolve to the attacker's remote IP address instead of the bank's own, because the HOSTS file is consulted before any DNS query; the browser still shows the genuine bank domain in its address bar. Note that only the bare hostname entries actually take effect: a HOSTS line maps an address to hostnames, so the entries written with an hxxp:// prefix are not valid hostnames and are ignored by the resolver. The redirected server also cannot present a valid certificate for the bank's domain, so the trick only works cleanly over plain HTTP. Every request to the BBVA online bank is thus redirected to a phishing page crafted to look like the legitimate BBVA website, where the user is asked to enter their account number, transfer code and password because of a supposed "server maintenance." Once those are submitted, the phishing attack is complete.


    Figure 2. Screenshot of BBVA online banking service phishing site
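    The HOSTS-file tampering described above is easy to audit mechanically. The following Python script is an added example written for this page, not code from the TrendLabs post or from Trend Micro: it parses HOSTS content the way the resolver does, reports every effective entry that pins a watched banking domain (or any subdomain of it) to a non-loopback address, and separately lists entries the resolver can never match, such as those written with a URL scheme. The sample HOSTS content and the watch list are constructed for the demonstration, and 198.51.100.234 is a documentation-range placeholder standing in for the {BLOCKED} address in the post.

```python
"""Audit a HOSTS file for entries that hijack banking domains.

Added example for this page, not code from the TrendLabs post or Trend Micro.
SAMPLE_HOSTS and WATCHED_DOMAINS are constructed for the demonstration;
198.51.100.234 is a documentation-range placeholder for the post's {BLOCKED} IP.
"""
import ipaddress
import re
import sys

# Constructed watch list: domains that should never be pinned by a local HOSTS
# entry. A real deployment would load its own list of financial domains.
WATCHED_DOMAINS = frozenset({"bancomer.com", "bancomer.com.mx", "bbva.com", "bbva.com.mx"})

# A HOSTS name is a bare hostname (RFC 1123 labels joined by dots), never a URL.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)

# Constructed sample mimicking the infected system described in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.234 bancomer.com
198.51.100.234 www.bancomer.com.mx
198.51.100.234 http://bbva.com
198.51.100.234 www.bbva.com
127.0.0.1 ads.example.net
"""


def parse_hosts(text):
    """Yield (lineno, ip, name, effective) for every name mapped in a HOSTS file.

    Follows the resolver's reading of the file: '#' starts a comment, the first
    whitespace-separated field is the address, every later field is a name.
    A name that is not a valid hostname (e.g. 'http://bbva.com') can never match
    a lookup, so it is yielded with effective=False.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; the resolver skips the line
        for name in fields[1:]:
            yield lineno, ip, name, bool(_HOSTNAME_RE.match(name))


def _is_watched(name, watched):
    """True if name equals a watched domain or is a subdomain of one."""
    base = name.lower().rstrip(".")
    return any(base == d or base.endswith("." + d) for d in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (lineno, ip, name) for effective entries that send a watched
    domain, or any subdomain of it, to a non-loopback address."""
    hits = []
    for lineno, ip, name, effective in parse_hosts(text):
        if effective and _is_watched(name, watched) and not ip.is_loopback:
            hits.append((lineno, str(ip), name.lower().rstrip(".")))
    return hits


def inert_entries(text):
    """Return (lineno, name) for names the resolver can never match; such lines
    are harmless by themselves but are a strong sign of tampering."""
    return [(lineno, name) for lineno, _ip, name, effective in parse_hosts(text)
            if not effective]


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for lineno, ip, name in find_hijacks(content):
        print(f"HIJACK line {lineno}: {name} -> {ip}")
    for lineno, name in inert_entries(content):
        print(f"INERT  line {lineno}: {name!r} is not a hostname")
```

    On Windows, point the script at %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems at /etc/hosts. Loopback entries are deliberately ignored, since sinkholing a domain to 127.0.0.1 blocks it rather than redirecting it to a phishing host.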

    The IP address hosting the phishing site is located in Kentucky and is already blocked.


    Figure 3. Source IP in Kentucky, mapped

    This attack is a classic example of a regional attack: a threat specially crafted to victimize people within a certain region. Just weeks ago, Germany and Japan were victimized by malware-rigged spam and a phishing attack, respectively. It also banks on the popularity of a celebrity, something we have seen in numerous spam runs as well.

    Once again, social engineering ignites a regional attack, but Trend Micro's Smart Protection Network proves to be best-of-breed protection for our customers.





    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice