Even on an otherwise quiet Saturday there are several phishing campaigns worth mentioning. The first is a campaign targeting customers of the UK bank Abbey. This is a standard but well-orchestrated and sustained spam run using several newly created domains. A botnet (or a few) is used to send emails that vary both the Abbey-owned domain name and the domain name used for the phishing site.
The second campaign targets the insurance site of the Brazilian bank Bradesco. The emails use an upgrade to the bank's secure authentication token software as a pretext to lure the user into downloading and running an executable hosted on a web page set up by the attacker.
The Portuguese text of the email translates to:
Please be advised that since 14/06/2007, the use of Key Security Bradesco – Electronics for access to Bradesco Net Company has become mandatory.
Since the date 25/03/2008 the system of identification of Bradesco Net Company has been updated to version 2.2.25 to better interact with the current security system.
Please be advised that to continue visiting the Bradesco Net Company you will have to upgrade this component.
To perform the upgrade just click one of the options below, then click download and, shortly after running it, wait a few seconds and follow the installation instructions.
The executable, proactively detected by Sophos as Mal/DelpDldr-D, downloads another executable – a banking Trojan proactively detected as Mal/Banspy-I. The Trojan installs itself to spy on the user's banking transactions using a man-in-the-middle attack. As the final step, the Mal/Banspy-I executable downloads a last executable, proactively detected as Mal/EncPk-CU. This is a relatively complex attack that will (luckily) cause no problems for Sophos users, as our proactive detection kicks in very early in this infection cascade. This is also very good news for us in the lab, as we can use the quiet Saturday to work on further improving our proactive protection.
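Both campaigns share the same shape: a message that names a bank but links to a domain the bank does not own, and (in the Bradesco case) a link that fetches an executable directly. The following is an added example, not Sophos's code and not part of the original post, showing a mail-gateway-style triage check for exactly those two traits. The brand-owned domain allowlist and the three sample messages are constructed placeholders for the example (the ".example" domains and the 203.0.113.10 address are documentation-only values), and the tiny public-suffix table stands in for a real one.

```python
import re
from urllib.parse import urlparse

# Domains each impersonated brand is assumed to own. Placeholder values for this example;
# a real deployment would load the bank's actual domain allowlist.
BRAND_DOMAINS = {
    "abbey": {"abbey.example"},
    "bradesco": {"bradesco.example"},
}

# Small stand-in for a public-suffix list so that e.g. "secure.bank.co.uk" -> "bank.co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "org.uk", "com.au"}

URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")
EXECUTABLE_RE = re.compile(r"\.(exe|scr|com|pif|bat|cmd|msi|jar)(?:[?#]|$)", re.I)


def extract_urls(text):
    """Return every http(s) or www. link found in free text, with trailing punctuation removed."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def registered_domain(host):
    """Collapse a hostname to its registrable domain; IPv4 literals are returned unchanged."""
    host = host.lower().strip(".")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_mentioned(text):
    """Which allowlisted brand names appear anywhere in the subject or body."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def assess_email(subject, body):
    """Flag a message whose links lead off-brand for the bank it names, or fetch an executable."""
    text = subject + "\n" + body
    brands = brands_mentioned(text)
    owned = set().union(*(BRAND_DOMAINS[b] for b in brands)) if brands else set()
    findings = []
    for url in extract_urls(text):
        parsed = urlparse(url)
        domain = registered_domain(parsed.hostname or "")
        if brands and domain not in owned:
            findings.append(f"brand {sorted(brands)} mentioned but link goes to {domain}")
        target = parsed.path + ("?" + parsed.query if parsed.query else "")
        if EXECUTABLE_RE.search(target):
            findings.append(f"link fetches an executable: {url}")
    return {"brands": sorted(brands), "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages modelled on the two campaigns (not real captures).
SAMPLES = [
    ("Abbey: confirm your online banking details",
     "Dear customer, log in at http://abbey-secure-verify.example.net/login to keep your account active."),
    ("Chave de Seguranca Bradesco - atualizacao obrigatoria",
     "Para continuar acessando o Bradesco Net Empresa, baixe a versao 2.2.25: "
     "http://203.0.113.10/atualiza/bradesco_token.exe"),
    ("Your monthly statement is ready",
     "View it at https://online.bradesco.example/statements after logging in."),
]


def run_samples():
    """Assess every constructed sample; returns one result dict per message, in order."""
    return [assess_email(subject, body) for subject, body in SAMPLES]


if __name__ == "__main__":
    for (subject, _), result in zip(SAMPLES, run_samples()):
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{subject!r} -> {verdict} {result['findings']}")
```

The brand-mismatch rule is what catches the Abbey run regardless of which freshly registered domain a given message uses, since none of them will ever be on the allowlist; the executable-link rule catches the Bradesco "upgrade" lure even before the downloaded file is scanned. An IP-literal host is treated as its own domain, so a link straight to an address is always off-brand.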