Infected Phish targeting Commonwealth Bank of Australia

Filed Under: Phishing, SophosLabs, Spam

Infected Phish
This week we've seen more phishing spam targeting the Commonwealth Bank of Australia, an institution that many scammers have aimed at in the past.

The emails have a subject of "Update your Commonwealth Bank" and look like this:

Commonwealth Phish

The text is standard scaremongering. Opening with "Customer ID : 000-5432-654386-PSI" does make the email look more official, and presumably relies on the fact that most customers don't remember their own personal number. Of course it looks a lot less official in the lines that follow; no bank will ever say "This e-mail is to inform you that your account will be suspended within 48 hours due to your Account Inactivity. You will have to confirm certain Account Information in order to continue your account subscription".

The "Verify My Account Information" link points to a file on a free web hosting domain in the Christmas Islands, http://<removed>.cx/CommBank.scr, and this is the main phishing Trojan. Don't forget, .scr is just another executable file extension, as is .pif - it might as well say CommBank.exe.

The main point of the Trojan is actually very simple - it drops two files to the <System>\drivers\etc folder, "pic.url" and "hosts". The first file launches a browser session pointing at a phishing page, a clone of the real bank's login. The second file overwrites the local HOSTS file, redirecting all traffic for commbank.com or commbank.com.au on the infected computer to an IP address hosting another phishing page. Unsuspecting customers enter their details, the bad guys steal them.
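The two dropped files described above are both plain text, so a defender can check for them without any special tooling. The following Python is an added example (not code from the original post or from SophosLabs): it flags HOSTS entries that pin a watched bank domain to a non-loopback address, extracts the target of an InternetShortcut (.url) file, and checks whether a link in an email points at an executable file extension such as .scr or .pif, as the earlier paragraph notes. The watch-list, the 192.0.2.x addresses and the sample file contents are constructed for the example.

```python
"""Check a Windows HOSTS file, a .url shortcut and an email link for the
phishing indicators described in the post. Example code; inputs constructed."""
import ipaddress
import configparser
from urllib.parse import urlparse

# Constructed watch-list: the bank domains named in the post.
WATCHED_DOMAINS = {"commbank.com", "commbank.com.au"}

# Extensions Windows will run as a program when clicked (the post's point
# about .scr and .pif being just another .exe).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-format text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Entries that map a watched domain (or a subdomain of it) to an address
    other than loopback/unspecified. A 127.0.0.1 or 0.0.0.0 pin is the usual
    ad-blocking style and is not reported."""
    hits = []
    for ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name))  # malformed address on a watched name: still report it
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name))
    return hits


def shortcut_target(text):
    """Return the URL= value of an InternetShortcut (.url) file, or None.
    The .url format is INI-style, so configparser handles it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def link_is_executable(url):
    """True if the URL path ends in an extension Windows executes directly."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


# Constructed sample inputs imitating the dropped files and the email link.
SAMPLE_HOSTS = """# constructed HOSTS file for the example
127.0.0.1       localhost
::1             localhost
192.0.2.10      commbank.com
192.0.2.10      www.commbank.com.au
"""
SAMPLE_URL = """[InternetShortcut]
URL=http://192.0.2.10/login.html
"""
SAMPLE_LINK = "http://host.example/CommBank.scr"  # constructed, not the real host

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS redirect: {name} -> {ip}")
    print("shortcut opens:", shortcut_target(SAMPLE_URL))
    print("link is executable:", link_is_executable(SAMPLE_LINK))
```

On a real machine the HOSTS text comes from `%SystemRoot%\System32\drivers\etc\hosts`; any hit for a banking domain that is not loopback is worth treating as an incident, since legitimate software has no reason to pin those names.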

However, the bad guys really need to check their own computers, as the Trojan has itself been infected with the file-infecting virus W32/Sality-AM. I'd say it's unlikely this is a deliberate measure, as we've seen uninfected variants of this phishing Trojan in the past (which we detect as Mal/RarHosts-A), and anyway Sality doesn't so much hide the Trojan as paint it in bright colours, making it even easier to spot and to block.

While I won't be losing any sleep that a malware author has managed to get himself infected, it's a good reminder to keep your antivirus software up to date.

Image source: tibchris' Flickr photostream (Creative Commons 2.0)


One Response to Infected Phish targeting Commonwealth Bank of Australia

  1. Luis Alicea · 1052 days ago

    I cannot understand how people believe in unknown people, received emails from a country they have never visited or known. If the Mac store just a few steps from their home do not give for free a small fries and soda, how the headquarters far away can do this "sweepstakes" without a TV ad?
