Tuesday, May 06, 2008

Digital Certificate Alert!

UAB Computer Forensics is investigating yet another "Digital Certificate" phishing attack -- this time with Merrill Lynch as the target.

The traditional definition of phishing requires the website that the customer visits to request personal information, such as the userid and password to an online account, or credit card or bank account information. In this case, no personally identifiable information is requested. Instead, the emails and the destination website tell the potential victim that Digital Certificates will make their online financial experiences safer. This rings true with consumers, who are certain to have heard about the advantages of certificates, especially as the "Extended Validation Certificates" (the ones that turn your browser address bar green if you are on a real site?) are increasingly proclaimed by companies like DigiCert,
Verisign,
and Thawte to be the Next Big Thing in security.

It is this increased consumer awareness that is leading to the current rounds of victimization. In this scheme, the consumer receives an email, informing him that his financial accounts will be more secure if they upgrade to digital certificates, or that their current digital certificate has expired and needs to be upgraded. If they follow the link, they are taken to a website where they receive more information about the importance of the upgrade, and are given instructions to "install" their digital certificate, with a link to download the installation program.

The installation program is of course a virus. The first Digital Certificate malware we investigated, against Bank of America, ended in early April, but the new round, which includes Comerica Bank, Colonial Bank, and now Merrill Lynch, is still going strong, with Comerica being a nearly daily target with more than 250 domain names used in the fraud. Colonial Bank has only been targeted on two days, with 22 domain names used, and now Merrill Lynch, which launched yesterday with the domain names

1291logon.info and 1291logon.com

(I confirmed that both websites were taken offline before publishing this article.)

The Merrill Lynch version of the Malware is called "Papras.dk" by most of the anti-virus programs that detect it. The first version of the Colonial Bank trojan was called "Papras.dh", and the first version of the Comerica Bank trojan that we looked at was called "Papras.dc". More evidence that these are originating from a common source.

As with most emerging threats, common anti-virus products are not immediately blocking the threat. For instance, F-Prot, McAfee, and Symantec, do not show on VirusTotal as having detection for this threat. McAfee engineers have previously complained to me that VirusTotal is not an accurate way of knowing whether they have detection. I run McAfee on my own work desktop though, (for balance, I run Symantec at home), and when I do an AV update (to DAT version 5289.0000, dated May 6 2008), and then scan the file, it does not detect.

The sad part about the failure of common AV engines to detect this virus is that this file is a BINARY IDENTICAL MATCH for the Colonial Bank version of the trojan that we analyzed and reported on April 30. One week later, and the two largest AV companies still have no detection.


The current email looks like this:




MERRILL LYNCH BUSINESS CENTER IS CHANGING

Merrill Lynch develops new solutions that deliver instant,
comprehensive online banking and protection against evolving
computer security threats.

Dear Merrill Lynch Business Center Customer:

In an effort to better serve you, the following changes to the
daily processing procedures will go into effect on Tuesday, May 6th:
We’ll be launching new ml.com Business Centre homepage

In addition to a fresh look, the new Merrill Lynch website will provide:
-VIP CLUB
-Easier access to login
-Easier ways to contact and locate us
-Access to more information on what we offer and what we do Online
Please discover new Business Centre homepage now:
Continue>>

Copyright 2008 Merrill Lynch & Co., Inc.




And the website that it pointed us to looked like this:



Now, put on your Sherlocke Holmes hat and try this one yourselves. Can you detect any similarities with this email?




Comerica TM Connect Web Bank Renewal

Certificate Renewal
Personal (Smartcard) e-Cert & Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date - 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten
days and 3 hours before the certificate is due to expire, if it has not been renewed.
Upon receiving the renewal notice, certificate owner is required to connect to
Comerica Bank Certificate Management System and present the client certificate.
Secure Server e-Cert & Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date.
Successful renewed application will receive an email notification from Comerica Bank.
Applicant can just browse to the URL stated in the email and then download the certificate.

Download now>>

2008 Comerica Treasury Management Connect Web (SM) Version 4.2




How about this email?




Connection-Colonial Bank Renewal

Certificate Renewal
Personal (Smartcard) e-Cert & Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date - 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten
days and 3 hours before the certificate is due to expire, if it has not been renewed.
Upon receiving the renewal notice, certificate owner is required to connect to
Colonial Bank Certificate Management System and present the client certificate.
Secure Server e-Cert & Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date.
Successful renewed application will receive an email notification from Colonial Bank.
Applicant can just browse to the URL stated in the email and then download the certificate.

Download now>>

2003 Colonial Bank, N.A.


No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.