Spammed email messages supposedly from The United States Federal Reserve Bank warn their recipients of a “large-scale phishing attack” affecting several banks and credit unions. A spammed message may look like this:
Figure 1. Sample spammed message.
The email message gives details on the supposed phishing attack and adds that the US Treasury Department has also monitored a high level of illegal wire transfers. Having told recipients that, the email message then informs them of restrictions imposed on federal wire transfers as part of security measures being taken by concerned government agencies.
The message helpfully gives some links where users can get more detailed information. But instead of being directed to a legitimate website, those who click are led to .org domains with names completely different from the websites of the Federal Reserve Bank, the Treasury Department, or the Federal Deposit Insurance Corporation.
Trend Micro engineers are currently investigating this threat. We will post updates as soon as more information becomes available. Other related attacks that use the names of legitimate government organizations or mask themselves as security measures include the following:
- ‘Treasury Optimizer’ Updates Systems With Malware
- Storm Goes Economic
- Fake IRS Web Sites Found (Again)
Users are advised to refrain from clicking links in unsolicited email messages. It is best to go directly to the website of the concerned organization for more information.
Updates as of November 11, 2008 6PM PST: Users who unfortunately click on the links in the spam infect their PCs with TROJ_INJECT.DG. This Trojan restarts systems and drops TROJ_INJECT.KQ. TROJ_INJECT.KQ opens a hiddend Internet Explorer window and connects to a certain website to send and receive information.
Updates as of November 13, 2008 2AM PST: TROJ_INJECT.KQ opens a hidden Internet Explorer window to connect to a certain website. It sends to and receives information from this site, compromising system security.