The emails have a subject of “Update your Commonwealth Bank” and look like this:
The text is standard scaremongering. Opening with “Customer ID : 000-5432-654386-PSI” does make the email look more official, and presumably relies on the fact that most customers don’t remember their own personal number. Of course it looks a lot less official in the lines that follow; no bank will ever say “This e-mail is to inform you that your account will be suspended within 48 hours due to your Account Inactivity. You will have to confirm certain Account Information in order to continue your account subscription”.
The “Verify My Account Information” link points to a file on a free web hosting domain in Christmas Island, http://<removed>.cx/CommBank.scr, and this is the main phishing Trojan. Don’t forget, .scr is just another executable file extension, as is .pif – it might as well say CommBank.exe.
The main point of the Trojan is actually very simple – it drops two files into the <System>\drivers\etc folder, “pic.url” and “hosts”. The first file launches a browser session pointing at the phishing page, a clone of the real bank’s login. The second file overwrites the local HOSTS file, redirecting all traffic for commbank.com or commbank.com.au on the infected computer to an IP address hosting another phishing page. Unsuspecting customers enter their details, and the bad guys steal them.
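As an added example (not from the original post, nor Sophos code), here is a small Python checker that parses a Windows HOSTS file and flags entries that point the bank domains named above, or any other non-local name, at a real address rather than loopback. The sample HOSTS content is constructed and uses RFC 5737 documentation addresses.

```python
# Added example, not from the original post: parse a Windows HOSTS file and
# flag entries that hijack bank domains, the trick the dropped 'hosts' file plays.
import ipaddress
import re

BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
WATCHED_DOMAINS = ("commbank.com", "commbank.com.au")  # from the post; extend as needed

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = re.split(r"\s+", line)
            for name in names:
                yield ip, name.lower().rstrip(".")

def find_hijacks(text):
    """Return (ip, name, reason) for entries mapping a non-local name to a real address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # sinkholing a name to 127.0.0.1 / 0.0.0.0 is a normal blocking entry
        watched = any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)
        hits.append((ip, name, "watched bank domain" if watched else "non-local name mapped to real IP"))
    return hits

# Constructed sample in the style of the dropped 'hosts' file; 203.0.113.0/24 is
# RFC 5737 documentation space, not a real phishing host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
203.0.113.10    commbank.com www.commbank.com
203.0.113.10    commbank.com.au
"""

if __name__ == "__main__":
    for ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

On a real machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacks; the sinkhole exemption keeps ordinary ad-blocking entries out of the report.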
However the bad guys really need to check their own computers, as the Trojan has itself been infected with the file-infecting virus W32/Sality-AM. I’d say it’s unlikely this is a deliberate measure, as we’ve seen uninfected variants of this phishing Trojan in the past (which we detect as Mal/RarHosts-A), and anyway the Sality doesn’t so much hide the Trojan as paint it in bright colours, making it even easier to spot and to block.
While I won’t be losing any sleep that a malware author has managed to get himself infected, it’s a good reminder to keep your antivirus software up to date.
Image source: tibchris’ Flickr photostream (Creative Commons 2.0)