Phishers Target a Bank to Spread Malware 

Sep 28, 2010 04:36 PM

Recently, phishers attempted to spread malware by means of a phishing site that spoofed a popular bank based in the USA. The bank serves customers who are government employees as well as veterans and their families.

After customers entered their credentials into the phishing site, which spoofed the bank's login page, the phishing page stated that the bank was implementing a new login system. The page claimed that this system offered new features and would increase security on the user’s account. The phishing page also stated that the new system would make the online experience safer and more enjoyable for customers. To implement the changes, customers were prompted to download and run an update tool. However, the link provided, shown as “updatetool.exe”, contained a virus detected as Trojan.Webkit!html by Symantec Antivirus.

The phishing page also asked customers to update their account by providing sensitive information so that they could use the new login system. In this way, phishers intended to use the phishing site both to spread malware and to steal user information for financial gain. A phishing attempt that contained a similar message was observed in earlier spam. To read more on the trend, please refer to “Users of Social Networking Websites Face Malware and Phishing Attacks”.

The domain name of the phishing URLs was registered in August 2010 and was created for malicious purposes. The domain name was also a typosquat of the bank, so customers may have reached the phishing site through typographical errors made while typing the legitimate Web site address into their browser.

The phishing sites pointed to several IP addresses that were located on servers across the globe. This typically occurs with fast-flux phishing Web sites, which are difficult to shut down. Several of the phishing URLs in this attack were generated by randomizing sub-domains. Below are some examples where the first sub-domain contains a randomized number:

hxxp://session1000355.*****.com/****/login.jsp/ [Domain name and brand name removed]

hxxp://session1000373.*****.com/****/login.jsp/ [Domain name and brand name removed]

This process of generating many phishing URLs is, in most cases, carried out automatically with the help of phishing toolkits. The domain name has been deleted and the phishing site is currently inactive. Nevertheless, users should be aware that other phishing sites similar to this could be encountered in the future.
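The two traits described above, a typosquatted domain and many hostnames that differ only in a number in the first sub-domain, can be checked for in proxy or DNS logs. The following is an added example, not code from the original post; the sample URLs, the placeholder domains, the function names and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log sample; every domain here is a placeholder.
SAMPLE_URLS = [
    "http://session1000355.examplebnak.test/secure/login.jsp/",
    "http://session1000373.examplebnak.test/secure/login.jsp/",
    "http://session1000412.examplebnak.test/secure/login.jsp/",
    "http://www.examplebank.test/login",
    "http://cdn1.static-assets.test/a.js",
    "http://cdn2.static-assets.test/b.js",
]

def split_host(url):
    """Return (first sub-domain label, registered domain).
    Assumption: registered domain = last two labels (no public-suffix list)."""
    labels = urlsplit(url).hostname.lower().split(".")
    sub = labels[0] if len(labels) > 2 else ""
    return sub, ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_suspects(urls, brand_domain, min_hosts=3, max_dist=2):
    """Map each suspicious registered domain to the reasons it was flagged."""
    variants = defaultdict(set)   # (domain, label template) -> distinct labels
    reasons = defaultdict(set)
    for url in urls:
        sub, domain = split_host(url)
        template = re.sub(r"\d+", "#", sub)
        if template != sub:       # label carries a numeric part
            variants[(domain, template)].add(sub)
        if 0 < edit_distance(domain, brand_domain) <= max_dist:
            reasons[domain].add("typosquat")
    for (domain, _), subs in variants.items():
        if len(subs) >= min_hosts:  # many hosts differing only in the number
            reasons[domain].add("randomized-subdomains")
    return {d: sorted(r) for d, r in reasons.items()}

if __name__ == "__main__":
    print(find_suspects(SAMPLE_URLS, "examplebank.test"))
```

The `min_hosts` threshold keeps small numbered host sets such as `cdn1`/`cdn2` from being flagged; in practice it would be tuned against the volume of legitimate numbered hostnames in the environment.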

Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:

•    Do not click on suspicious links in email messages.

•    Check the URL of the website and make sure that it belongs to the brand.

•    Type the domain name of your brand’s Web site directly into your browser’s address bar rather than following any link.

•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.
