Tuesday, November 04, 2008

More Merger Malware Wachovia Wells Fargo

Today I received a message from Robert K. Steel, the President and CEO of Wachovia Bank. Actually I received several hundred messages from various imaginary people who all pointed me to websites where I could download a "digital certificate" that was necessary to move my Wells Fargo accounts to Wachovia.

Here is the body of that webpage "CEO Message":


November 04, 2008

Dear Clients, Shareholders and Friends,

The Federal Reserve has approved the proposed merger with Wells Fargo, and we expect to close the transaction by the end of this year, subject to Wachovia shareholder approval. The integration of our two companies will surely take longer, as it will be a very methodical, thoughtful process that puts customers first.

In the meantime, we remain focused on serving our customers. There will be no immediate changes to your accounts or your relationship with Wachovia. Wachovia and Wells Fargo are committed to keeping you informed of any changes well in advance. For now, please continue to install updated security software.

Follow the below mentioned process to reissue your personal Digital Certificate :

1. Download digital certificate: WachoviaCertificate.exe

2. Double Click on the downloaded file.

3. Mention your new Certificate Signature Request in the text box.

Thank you for being with Wachovia.


Robert K. Steel
President and CEO

If you are a regular at this blog, you'll know this Digital Certificate family of malware, which last week targeted the Bank of America acquisition of LaSalle Bank. We were able to ask our friends at Register.com to terminate the second-stage malware domain last week, but no sooner was it terminated than the criminals began to use a new second-stage domain, this time:


The new malware, "WachoviaCertificate.exe", is a small 3.2KB file which serves only to download and execute the "c.exe" file mentioned above. (We've asked Register.com to terminate that domain as well.)

Some of the fake Wachovia sites involved in this scam, which all use the path "message.php", include:


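The indicators called out above (lure pages served from a "message.php" path, a first-stage dropper named "WachoviaCertificate.exe" of about 3.2 KB, and a second-stage "c.exe") are enough to write a simple proxy-log check. The script below is an added example for this post, not the blog author's or UAB's code; the log format and the sample lines are constructed here (squid-style `timestamp client status bytes method url`), and the hostnames in them are placeholders rather than the real domains from the campaign.

```python
"""Flag proxy-log entries matching the indicators described in the post.

Added example; not the blog author's code. The log format and the
sample lines are constructed to look like a squid-style access log:
    <timestamp> <client-ip> <status> <bytes> <method> <url>
Indicators taken from the post: lure pages served from a "message.php"
path, a first-stage dropper named "WachoviaCertificate.exe" of roughly
3.2 KB, and a second stage named "c.exe".
"""
from urllib.parse import urlsplit
import posixpath

# Constructed sample lines; hostnames are placeholders, not real IoCs.
SAMPLE_LOG = """\
1225800001 10.0.0.5 200 18231 GET http://www.example.com/index.html
1225800002 10.0.0.5 200 5120 GET http://bank-lure.example/message.php
1225800003 10.0.0.5 200 3276 GET http://bank-lure.example/WachoviaCertificate.exe
1225800004 10.0.0.5 200 61440 GET http://second-stage.example/c.exe
1225800005 10.0.0.7 200 3276 GET http://cdn.example.net/c.exe?v=2
1225800006 10.0.0.8 200 900 GET http://intranet.example/message.php/extra
"""

STAGE1_NAME = "wachoviacertificate.exe"
STAGE2_NAME = "c.exe"
STAGE1_MAX_BYTES = 4096  # post says ~3.2 KB; anything this small is consistent


def classify(url, size):
    """Return a reason string when a URL matches one of the indicators, else None.

    Matching is done on the last path segment only, so a query string
    (c.exe?v=2) still matches and message.php/extra does not.
    """
    parts = urlsplit(url)
    name = posixpath.basename(parts.path).lower()
    if name == "message.php":
        return "lure page (message.php)"
    if name == STAGE1_NAME:
        tag = "stage-1 dropper (WachoviaCertificate.exe)"
        if size <= STAGE1_MAX_BYTES:
            tag += ", size consistent with ~3.2 KB"
        return tag
    if name == STAGE2_NAME:
        return "stage-2 payload (c.exe)"
    return None


def scan_log(text):
    """Parse log text; return a list of (client, url, reason) for every hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _status, size, _method, url = fields
        reason = classify(url, int(size))
        if reason:
            hits.append((client, url, reason))
    return hits


def clients_with_full_chain(hits):
    """Clients that fetched lure page, stage 1 and stage 2: the strongest signal."""
    seen = {}
    for client, _url, reason in hits:
        seen.setdefault(client, set()).add(reason.split(" (")[0])
    wanted = {"lure page", "stage-1 dropper", "stage-2 payload"}
    return sorted(c for c, reasons in seen.items() if wanted <= reasons)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, url, reason in found:
        print(f"{client}  {reason:<50} {url}")
    print("full infection chain seen from:", clients_with_full_chain(found))
```

The per-line match is deliberately loose (filename only), so a single hit is a lead to investigate; the `clients_with_full_chain` step is the one worth paging on, since a host that pulled the lure page, the dropper and the second stage in sequence almost certainly ran the executable.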
Here's a screen shot of the fake malware. Please don't be fooled!

Gary Warner
UAB Computer Forensics
home of the UAB Spam Data Mine
