Compromised website used in Bank of America phish

Billing Verification icon

In malware analysis, it is quite common to come across attacks that you quite simply cannot believe could really work. I quite often find myself asking the question how anyone could actually fall victim to that? Yesterday, one of my colleagues was analyzing a banking Trojan that provided just such a case.

The Trojan appears to have been spammed out to users in email messages masquerading as notifications from the Bank of America. The Trojan is attached to the message using the filename BillingVerification.exe. Not the most subtle entrance in the world, but there we go.

Recipients who fall for the social engineering and double click the attachment will unleash its sophisticated payload. Mmm, well, let’s just say it runs. The file is actually a self-extracting archive that drops a HTML file to disk, which is opened in the user’s default browser. The page is a spoofed Bank of America account verification page. As you can see, the web page is loaded from the local disk (the C:\bankofamerica\verification\BillingVerification.html path is hardcoded in the executable dropped).

It is not hard to distinguish this from legitimate connections to the secure Bank of America site. Pretty much all modern browsers add quite obvious visual indications of a trusted connection.

The phish form prompts the user for all sorts of personal information including full name and address, date of birth, social security number, credit card details and ATM pin. Unfortunately, completing this information and clicking submit, will send all the details off to a remote website.

Further Investigation

Investigating the remote site further, it was apparent that the form-harvesting script is being hosted within a legitimate site. Furthermore, the host directory (the ‘images’ folder) is poorly configured, with directory browsing enabled. So anyone can view the contents of the folder, which includes a log of the credentials successfully harvested thus far.

And there it is, a warning to us all. Even the lamest of attacks will often find success, tricking unwitting recipients into falling for the social engineering. The result is that they risk infecting themselves, as well as giving away sensitive data.

We have contacted the relevant people and are taking steps to close down this attack. In the meantime, don’t let yourself fall victim to this type of scam, and if you manage a website, don’t let your resources become embroiled in illegal activity.

There are many resources available to educate users. A good place to start might be to involve yourself in Safer Internet Day 2011.