Brazilian banking Web sites have long been a favorite target of malware authors out to steal banking credentials from users. These spyware Trojans usually arrive via spam emails that use varied, and quite clever, social engineering lures to trick users into divulging such data. From pretexts ripped from the latest headlines to sly imitations of legitimate Web sites, these BANKER authors never seem to run out of sneaky tactics for duping Internet users.
One of the latest variants we've seen uses spam emails that purport to come from one of Brazil's Public Ministry offices. The email is a fake notice of hearing, summoning the recipient to appear at the office of the attorney general for an investigation procedure.
The attached file is a RAR archive which, when opened, leads to the download of the files OUT.JPG and WDFMGR.JPG. Judging by their extensions these appear to be image files, but they are in fact malicious executables, which Trend Micro detects as TSPY_BANKER.GRX. This spyware steals sensitive information when a user accesses PayPal and other online banking Web sites. It does this by overlaying a spoofed login page on the legitimate site whenever the user visits a banking site whose title bar contains one of the following strings:
- Nossa Caixa
- Pay – Microsoft Internet Explorer
Based on analysis, the spoofed login page is drawn over the login area of the legitimate Web site, at a fixed position within the browser window, so the user takes it for part of the IE window. It captures the keystrokes the user types into the user name and password fields of the spoofed page, and the gathered data is then sent back to the malware author via email.
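The two behaviours described above, the title-bar check and the fixed-position overlay, are what a host-side detection would key on. The following is an added illustration written for this post, not Trend Micro's code or anything extracted from the sample: it reuses the two trigger strings listed above, takes a hand-constructed list of top-level windows (process name and screen rectangle) in place of a real EnumWindows scan, and flags any window owned by a non-browser process that sits entirely inside a browser window whose title matches a trigger. The process name wdfmgr.exe is a placeholder for the dropped WDFMGR.JPG executable; the post does not give the running process name.

```python
"""Overlay-detection heuristic for BANKER-style fake login windows.

Added example, not Trend Micro's code. It mimics the behaviour the post
describes: the spyware watches for browser windows whose title bar contains
one of its trigger strings, then draws its own login window over a fixed
area of the page. The window list below is constructed by hand to stand in
for what a real enumeration (EnumWindows on Windows) would return.
"""
from dataclasses import dataclass

# Title-bar substrings the post says TSPY_BANKER.GRX reacts to.
TRIGGER_TITLES = ("Nossa Caixa", "Pay \u2013 Microsoft Internet Explorer")

# Processes that legitimately own the browser window (assumption: IE only,
# since the post describes an Internet Explorer title-bar match).
BROWSER_PROCESSES = {"iexplore.exe"}


@dataclass(frozen=True)
class Window:
    title: str
    process: str
    left: int
    top: int
    right: int
    bottom: int


def title_matches_trigger(title: str) -> bool:
    """Same substring test the spyware performs on the IE title bar."""
    return any(t in title for t in TRIGGER_TITLES)


def contains(outer: Window, inner: Window) -> bool:
    """True if `inner` lies entirely inside `outer`, i.e. a fixed-area overlay."""
    return (
        outer.left <= inner.left
        and outer.top <= inner.top
        and inner.right <= outer.right
        and inner.bottom <= outer.bottom
    )


def find_overlays(windows):
    """Return (browser_window, overlay_window) pairs that look like fake logins.

    A suspect is any window owned by a non-browser process that sits fully
    inside a browser window whose title matches a trigger string.
    """
    targets = [w for w in windows
               if w.process in BROWSER_PROCESSES and title_matches_trigger(w.title)]
    suspects = []
    for browser in targets:
        for w in windows:
            if w is browser or w.process in BROWSER_PROCESSES:
                continue
            if contains(browser, w):
                suspects.append((browser, w))
    return suspects


# Constructed sample: one IE window on a targeted bank, a fake login drawn
# inside it by a placeholder process, and windows that must not be flagged.
SAMPLE_WINDOWS = [
    Window("Nossa Caixa - Internet Banking - Microsoft Internet Explorer",
           "iexplore.exe", 100, 100, 1000, 800),
    # Placeholder process name for the dropped WDFMGR.JPG executable.
    Window("", "wdfmgr.exe", 400, 300, 700, 450),
    Window("Google - Microsoft Internet Explorer", "iexplore.exe", 120, 120, 900, 700),
    Window("Untitled - Notepad", "notepad.exe", 1100, 100, 1500, 600),
    # Overlaps the IE window but extends below it, so it is not an overlay.
    Window("Calculator", "calc.exe", 150, 150, 350, 900),
]


def scan_sample():
    """Run the heuristic over the constructed list; returns the suspect list."""
    return find_overlays(SAMPLE_WINDOWS)


if __name__ == "__main__":
    for browser, overlay in scan_sample():
        print(f"overlay {overlay.process!r} inside {browser.title!r}")
```

The heuristic only yields candidates: any small utility window that happens to sit fully inside a matching browser window would be reported too, so in practice it needs triage (for example, correlating the owning process with the dropped files OUT.JPG and WDFMGR.JPG).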
TSPY_BANKER.GRX is also able to send out spam. Instead of an email like the one above, however, it sends a fake e-card containing a link that downloads other banker spyware, such as TROJ_BANLOAD.EKG. The spam emails may use any of the following subject lines:
- Lembrei de Você (I remembered you)
- É só um simples cartão (It's just a simple card)
- Queria muito que você desse uma Olhadinha. (I really wanted you to take a look.)
- Eu mesmo que preparei. (I prepared it myself.)
Here’s a sample e-card that it sends out:
To date, data breaches have reached an all-time high of 342 on the breach meter, a 69% increase as of Q2 2008, according to the Identity Theft Resource Center (ITRC). Of that number, 80.7% are electronic data breaches, such as this one. Unless people learn to be more alert to information theft attacks and learn to properly use security software to safeguard their systems, this number will continue to rise for the rest of 2008.