Financial crisis or not, banks have become a standard social engineering lure. However, as floundering financial institutions take center stage in the public’s consciousness, users may become more susceptible to banking-related ploys.
Less than a week ago, TrendLabs reported on a scheme targeting Wachovia, the fourth largest banking chain in the US. This time, an almost identical plot has been set using Merrill Lynch as bait. The storied firm has received a sizable amount of media attention lately due to its high-profile bailout by the Bank of America.
The spam email message may appear as such:
Figure 1. Fake Merrill Lynch spam
While those on social engineering watch may expect a frenzied appeal to buck up security in the face of the financial crisis, this scheme actually comes off cool and collected.
Trend Micro Advanced Threats Researcher Ivan Macalintal notes the use of very long, legitimate-looking URLs contained in hyperlinks in the spammed email messages. “[We] haven’t seen this for quite some time. [It] looks legit in a way but [then], you have to dig deeper,” Ivan says.
Clicking on the links results in the download of malware detected as BKDR_AGENT.AWAF. It compromises system security, possibly allowing a remote user to issue commands on the affected system. It also drops TROJ_ROOTKIT.FX, which has rootkit capabilities used to hide malicious files and processes and to ensure memory residency. One may remember TROJ_ROOTKIT.FX as the same malware found in the recent Wachovia spam, suggesting that this is possibly the work of the same malware author.
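The long, legitimate-looking hyperlinks Ivan describes are a detectable pattern on the mail-filtering side. As an added example (not from the original post or from Trend Micro), the following Python check walks the anchors in a constructed sample email body and flags any link whose registrable domain is not the brand's although the brand name appears elsewhere in the URL, whose visible link text names a different domain, or which is unusually long. The brand domain `merrilllynch.example`, the 80-character threshold and the sample HTML are all assumptions.

```python
import re
from urllib.parse import urlparse
from html.parser import HTMLParser
# Constructed sample body (not the spam from the post): link two puts the brand name in the
# subdomain and path, but its registrable domain is something else entirely.
SAMPLE_HTML = """
<p>Dear client, please review your account statement:</p>
<a href="http://online.merrilllynch.example/statements/2008/q3">View statement</a>
<a href="http://secure-login.merrilllynch.example.attacker-host.example/ml/online/accounts/statement/2008/q3/view.php?id=8812&amp;sid=4f3a">
  https://online.merrilllynch.example/statements</a>
"""
BRAND_DOMAINS = {"merrilllynch.example"}  # assumed allow-list of the brand's legitimate domains
LONG_URL = 80                             # assumed length above which a URL counts as unusually long

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive last-two-labels approximation; a production filter should use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text):  # returns the list of reasons the link looks deceptive, [] if none
    domain = registrable_domain(urlparse(href).hostname or "")
    reasons = []
    brand_named = any(b.split(".")[0] in href.lower() for b in BRAND_DOMAINS)
    if brand_named and domain not in BRAND_DOMAINS:
        reasons.append(f"brand name in URL but registrable domain is {domain}")
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append("visible link text names a different domain")
    if len(href) > LONG_URL:
        reasons.append("unusually long URL")
    return reasons

def scan_links(html):  # [(href, reasons)] for every link in the body that trips a check
    collector = LinkCollector()
    collector.feed(html)
    return [(h, r) for h, t in collector.links if (r := check_link(h, t))]
```

Run against the sample body, the first link passes and the second is reported with all three reasons.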