Sunday banking Trojan blues

Considering the current financial crisis, which has made lots of banks, especially in the UK, less popular than they were a year ago, I was hoping that the number of banking Trojans would also be on the decrease. Although it is true that traditional banking Trojans are giving way to more sophisticated malware, an example seen in our spam trap today shows that they are not yet extinct.

The banking Trojan, detected by Sophos products as Troj/Banker-EPK, arrived in a spam campaign whose emails contained an image area linking to alleged one-time password token software.

Phishing email

Once the fake security token software is launched, the Trojan, written in Delphi like so many other Brazilian banking Trojans, displays a window asking the user to enter their account details. A simple software wizard ensures that after three steps all the account details have been submitted to a website owned by the attacker. The website's home page contains a simple redirect to the real Brazilian Caixa homepage.

It is interesting that the website was used for another phishing campaign in January, when we chose not to add it to the list of pages blocked by the Sophos Web Security Appliance, as there was no indication that the site had been set up by the phishing group. The second time, all was clear: a month later, the URL hard-coded in the banking Trojan combined with the content of the page made me certain that the site needed to be blocked to prevent further exploitation by the attacker.