Today, we saw a malware variant created with the well-known ZeuS toolkit that seems to be targeting members of the U.S. military serving overseas. Targets of this scam will receive an email with the following text:
Dear Bank of America Military Bank customer:
This letter is to inform you that there is an update required for your Bank of America Military Bank Account, for this reason your account has been flagged.
In order to update your account, please follow this link.
Thank you for banking with us!
Bank of America Military Bank accounts support.
Should the recipients click the link, they will be brought to a page that is almost identical to the real login page of the bank. However, this fake login page is actually hosted in Russia.
As you can see from our screenshot, the actual user name and password entered by the victim are irrelevant: whatever combination the user enters brings him/her to a page hosting Update Tool, which the victim is told must be installed on his/her system to ensure that his/her account is not locked.
Needless to say, UpdateTool.exe is a ZeuS variant detected by Trend Micro as TSPY_ZBOT.BIZ. Unfortunately, most people who fall for this scam will not even be given the opportunity to manually download the executable file, as this attack first runs a whole suite of browser exploits against the target system. This leaves the manual download as a last-resort attack vector.
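The lure above combines three things a mail filter can check mechanically: it names a bank, it presses the reader with "your account has been flagged", and its only link is labelled "follow this link" rather than showing where it goes. The following is an added example, not Trend Micro's code, of a small triage routine that scores such a message. It assumes a hypothetical link host (the real hosting server is not reproduced) and treats bankofamerica.com as the legitimate domain for the impersonated brand; both are assumptions for the example, and the sample HTML is constructed from the quoted lure text.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the lure text quoted above wrapped in minimal HTML.
# The link host is a placeholder, not the actual phishing server.
LURE_HTML = """<html><body>
<p>Dear Bank of America Military Bank customer:</p>
<p>This letter is to inform you that there is an update required for your
Bank of America Military Bank Account, for this reason your account has been flagged.</p>
<p>In order to update your account, please
<a href="http://login-update.example.net/ml/index.php">follow this link</a>.</p>
<p>Thank you for banking with us!</p>
<p>Bank of America Military Bank accounts support.</p>
</body></html>"""

# Constructed benign counterpart: same brand name, link on the bank's own domain.
BENIGN_HTML = """<html><body>
<p>Dear Bank of America Military Bank customer:</p>
<p>Your monthly statement is available. Sign in at
<a href="https://www.bankofamerica.com/">bankofamerica.com</a> to view it.</p>
</body></html>"""

BRAND = "Bank of America Military Bank"
# Assumed legitimate domain(s) for the impersonated brand (example assumption).
LEGIT_DOMAINS = ("bankofamerica.com",)
# Pressure phrases taken from the lure and the follow-up page described above.
URGENCY_PHRASES = ("account has been flagged", "update required", "account is not locked")
GENERIC_ANCHORS = ("follow this link", "click here", "here")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs plus all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_under(host, domains):
    """True if host is one of the domains or a subdomain of one (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(html):
    """Return {'suspicious': bool, 'findings': [...]} for one HTML mail body."""
    parser = LinkExtractor()
    parser.feed(html)
    text = " ".join(parser.text_parts).lower()
    findings = []

    claims_brand = BRAND.lower() in text
    if claims_brand:
        findings.append("claims to be from " + BRAND)

    for href, anchor in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        # A mail that invokes the bank but links elsewhere is the core phishing signal.
        if claims_brand and not host_under(host, LEGIT_DOMAINS):
            findings.append("off-domain link to " + host)
        # A direct link to an executable (cf. UpdateTool.exe) is suspicious on its own.
        if parsed.path.lower().endswith(".exe"):
            findings.append("link to executable: " + href)
        if anchor.lower() in GENERIC_ANCHORS:
            findings.append("generic anchor text hides destination")

    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append("urgency phrase: '" + phrase + "'")

    suspicious = any(f.startswith(("off-domain link", "link to executable")) for f in findings)
    return {"suspicious": suspicious, "findings": findings}


if __name__ == "__main__":
    for name, body in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        result = analyze(body)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Only the domain mismatch and an executable link decide the verdict; the brand mention, urgency wording and generic anchor text are reported as supporting context so an analyst can see why a message was flagged without the filter tripping on a genuine statement notice.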
This is not the first time that the users of the Military Bank have been targeted. In fact, similar campaigns have been spotted in 2007 and even earlier. However, those attacks were in an era before incidents like the recent Windows shortcut vulnerability and the Aurora attack. Nowadays, we have to wonder if the motives behind this attack are purely financial or if the attackers are deliberately targeting U.S. military personnel.
Interestingly, we saw a very similar attack last year. At that time, it used a fake Facebook login page as bait, but it likewise told users they needed to install a file called UpdateTool.exe to access their accounts, and that file was also a ZeuS variant. All of this suggests that the same gang may be behind the current wave of attacks.
Trend Micro product users need not worry, however, as the Smart Protection Network™ protects them from such an attack via the Web reputation service, which blocks access to the fake login page, and the file reputation service, which detects and prevents the execution of UpdateTool.exe, a.k.a. TSPY_ZBOT.BIZ.