This has been a season of malicious attacks, starting last month when we informed users about an increase in spam containing malware. At the same time, we are seeing different methods of luring or scaring recipients into downloading malicious programs. In the past few weeks we reported spam attacks with malicious links, including the MJ’s leaked song spam attack and the "hunting the airplane" game. In the attack monitored most recently, we observed a typical phishing email that encourages users to click a link and download an executable file.
Sample image of the message:
As shown in the above image, a fake FDIC alert warns users of a bank failure. The message tries to convince users to visit what it claims is the official FDIC website and check their deposit insurance coverage. The malware campaigners provide steps in the message for recipients to follow in order to "rectify" the situation: first, click the URL provided in the message; then download and open their personal insurance file from the malicious website. It is quite obvious that the downloadable file is unsafe and should not be executed.
Subject lines used in this spam campaign are as follows:
you need to check your Bank Deposit Insurance Coverage
FDIC alert: check your Bank Deposit Insurance Coverage
FDIC has officially named your bank a failed bank
Sample image of the malicious website:
This malicious website (designed to look like a legitimate FDIC website) gives users the option of downloading a personal FDIC insurance file in either PDF or Word format; what is actually downloaded is a file named “PDF.exe” or “Word.exe”. Symantec antivirus detects these files as Packed.Generic.261, a heuristic detection for a packer used by the Infostealer.Banker.C threat family. Infostealer.Banker.C is a Trojan that may steal sensitive information from the compromised computer.
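The indicators above (the three subject lines, an FDIC-themed link that does not point at fdic.gov, and a download named like a document but ending in .exe) can be turned into a simple mail-triage check. The following is an added example written for this post, not Symantec's own detection logic; the extra executable extensions beyond .exe and the fdic.gov host check are assumptions, and the sample URL in the test uses a placeholder host.

```python
import re
from urllib.parse import urlparse

# Subject lines quoted in the post, lower-cased for exact matching.
KNOWN_SUBJECTS = {
    "you need to check your bank deposit insurance coverage",
    "fdic alert: check your bank deposit insurance coverage",
    "fdic has officially named your bank a failed bank",
}

# The fake site served "PDF.exe" / "Word.exe": a document-format name carrying an
# executable extension. Extensions other than .exe are an assumption.
DOC_MASQUERADE = re.compile(r"^(pdf|word|doc)[^/]*\.(exe|scr|com|pif)$", re.I)


def subject_is_suspicious(subject):
    """Exact match on the campaign subjects, or the lure's theme of 'deposit
    insurance' combined with a call to check coverage or a failed bank."""
    s = " ".join(subject.lower().split())
    if s in KNOWN_SUBJECTS:
        return True
    return "deposit insurance" in s and ("check" in s or "failed bank" in s)


def url_is_masquerading_executable(url):
    """True when the last path segment names a document format but ends in an executable."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return DOC_MASQUERADE.match(name) is not None


def url_spoofs_fdic(url):
    """True when the link is FDIC-themed but its host is not fdic.gov or a subdomain (assumed legit hosts)."""
    host = (urlparse(url).hostname or "").lower()
    is_fdic_host = host == "fdic.gov" or host.endswith(".fdic.gov")
    return "fdic" in url.lower() and not is_fdic_host


def triage(subject, urls):
    """Return the reasons a message is flagged; an empty list means nothing matched."""
    reasons = []
    if subject_is_suspicious(subject):
        reasons.append("subject matches FDIC lure")
    for u in urls:
        if url_is_masquerading_executable(u):
            reasons.append("executable disguised as a document: " + u)
        if url_spoofs_fdic(u):
            reasons.append("FDIC-themed link on a non-FDIC host: " + u)
    return reasons
```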
Users should not click hyperlinks in unsolicited messages, because most legitimate financial institutions avoid including links in their messages. Users who want to verify the information should instead manually type the legitimate website address into their browser.