Today, we saw a malware variant created with the well-known ZeuS toolkit that seems to be targeting members of the U.S. military serving overseas. Targets of this scam will receive an email with the following text:

    Dear Bank of America Military Bank customer:

    This letter is to inform you that there is an update required for your Bank of America Military Bank Account, for this reason your account has been flagged.

    In order to update your account, please follow this link.

    Thank you for banking with us!

    Bank of America Military Bank accounts support.

Should the recipients click the link, they will be brought to a page that is almost identical to the real login page of the bank. However, this fake login page is actually hosted in Russia.


As you can see from our screenshot, the user name and password entered by the victim are irrelevant: whatever combination the user enters leads to a page offering an "Update Tool", which the page claims must be installed on the victim's system to keep the account from being locked.


Needless to say, UpdateTool.exe is a ZeuS variant, detected by Trend Micro as TSPY_ZBOT.BIZ. Unfortunately, most people who fall for this scam will not even be given the opportunity to download the executable file manually, because the attack first runs a whole suite of browser exploits against the target system. The manual download is only the last-resort infection vector, used when those exploits fail.
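The chain described above (a credential POST to a look-alike login page, followed by an executable download from the same host) can be correlated in web-proxy logs. The following Python is an added defender-side example, not code from the original post or from Trend Micro; the log format, the placeholder bank domain and the sample lines are all constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the original post): "time client method host path status size".
SAMPLE_LOG = """\
2010-08-10T09:01:02 10.0.0.5 GET bankofamerica.example.com /login 200 5120
2010-08-10T09:01:30 10.0.0.5 POST bankofamerica.example.com /login 302 210
2010-08-10T09:05:11 10.0.0.7 GET secure-bofa-military.example.net /login.php 200 4801
2010-08-10T09:05:40 10.0.0.7 POST secure-bofa-military.example.net /login.php 302 198
2010-08-10T09:05:44 10.0.0.7 GET secure-bofa-military.example.net /update/UpdateTool.exe 200 184320
2010-08-10T09:20:00 10.0.0.9 GET cdn.example.org /tools/UpdateTool.exe 200 184320
"""

# Hosts that legitimately serve the bank's login page (assumed placeholder domain).
LEGIT_LOGIN_HOSTS = {"bankofamerica.example.com"}
LOGIN_PATH = re.compile(r"/(login|signin|logon)", re.IGNORECASE)
EXE_PATH = re.compile(r"\.(exe|scr|msi)$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # how soon after the credential POST the download must follow


def parse(log_text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, client, method, host, path, status, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "path": path})
    return events


def find_phish_chains(events):
    """Return (client, host, exe_path) for every credential POST to a non-bank
    login page that the same client follows, within WINDOW, by fetching an
    executable from that same host."""
    hits = []
    for post in events:
        if post["method"] != "POST" or not LOGIN_PATH.search(post["path"]):
            continue
        if post["host"] in LEGIT_LOGIN_HOSTS:
            continue  # a POST to the real bank is expected behaviour
        for later in events:
            if (later["client"] == post["client"] and later["host"] == post["host"]
                    and later["method"] == "GET" and EXE_PATH.search(later["path"])
                    and post["ts"] < later["ts"] <= post["ts"] + WINDOW):
                hits.append((post["client"], post["host"], later["path"]))
    return hits
```

The third client in the sample fetches UpdateTool.exe without a preceding login POST and is deliberately not flagged by this rule; that case is what a file-reputation check, rather than a behavioural correlation, is for.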

This is not the first time that users of the Military Bank have been targeted. In fact, similar campaigns were spotted in 2007 and even earlier. However, those attacks came in an era before incidents like the recent Windows shortcut vulnerability and the Aurora attack. Nowadays, we have to wonder whether the motives behind this attack are purely financial or whether the attackers are deliberately targeting U.S. military personnel.

Interestingly, we saw a very similar attack last year. At that time, it used a fake Facebook login page as bait, but it likewise served a file called UpdateTool.exe, also a ZeuS variant, and told users they needed to install it to access their accounts. All of this suggests that the same gang may be behind the current wave of attacks.


Trend Micro product users need not worry, however, as Smart Protection Network™ protects them from such an attack via the Web reputation service, which blocks access to the fake login page, and the file reputation service, which detects and prevents the execution of UpdateTool.exe, aka TSPY_ZBOT.BIZ.

© Copyright 2013 Trend Micro Inc. All rights reserved.