Monday, December 08, 2008

Fake UMB Banking Demo leads to Password theft

Our Digital Certificate friends have started a new spam campaign. After
several days of targeting ClassMates.com with a fake video, they are now targeting UMB Bank with an online banking "Demo video", similar to the one we saw against Bank of America two weeks ago.

The emails look like this:

UMB BANKING SYSTEM CHANGES NOTICE:
Update December 08, 2008.

Experience Digital Banking News for yourself.
Want to know how quick, easy and safe our online banking service is today?
You can view our demo of the service, which is ideal for those times when you’d like more detailed information.
The Demo requires Macromedia Flash Player.

Proceed to view UMB System Demo>>

Sincerely, Janie Howe.
Copyright 2006, 2007, 2008. UMB Financial Corporation. All Rights Reserved.



The webpage that the current spam points out looks like this:



Of course the video is fake, and trying to play the video (or just visiting the site) tries to get you to download a fake Adobe Player upgrade, which is actually a virus which is designed to steal login credentials.

Stolen credentials for any website where you log in, as well as FTP logins, ICQ logins, and IMAP and POP email logins, are passed to the criminal's computer in the Ukraine using strings that look like these:

ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
icq_user=%s&icq_pass=%s
imap_server=%s&imap_login=%s&imap_pass=%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
user=%s&pass=%s


The first five domains we saw vs. UMB Bank was:

contactups.com
demoupdtateumb.com
umbexchange.com
umbupdates.com
videoumbpanels.com

These domains were created TODAY using the registrar BizCN.com. This
group usually has more domains than that. We expect more are being
created as I type. We've seen about 100 spam emails for this campaign
so far.

The nameserver for these domains, "ns1.panelhosts.com" was also
registered today, using this fake contact information:

Registrant Contact:
Ash
Marleyne Ash ash@aol.com
8524588488 fax: 8524588488
111 145 E. 93 St.
Brooklyn NC 11212
us

Subjects seen so far with this spam campaign:

  • UMB Bank Demo Tour - Do you have a specific question?
  • UMB Bank Demo Tour - Experience Digital Banking for yourself
  • UMB Bank Demo Tour - Explore Digital Banking
  • UMB Bank Demo Tour - Find out when you take a virtual tour.
  • UMB Bank Demo Tour - Our Web site was designed
  • UMB Bank Demo Tour - Run through this easy-to-use demo.
  • UMB Bank Demo Tour - See just how easy and useful online banking with UMB is
  • UMB Bank Demo Tour - Simply select the style of demo you'd like to view
  • UMB Bank Demo Tour - Take a tour
  • UMB Bank Demo Tour - Try our helpful 'Got a question?'
  • UMB Bank Demo Tour - Want to know how quick and easy our online banking service is?
  • UMB Bank Demo Tour - We've got a demo for you.
  • UMB Bank Demo Tour - Whether you're new to online banking
  • UMB Bank Demo Tour - You can also view our demo of the service
  • UMB banking system changes that you should know about
  • UMB NEW DEMO ACCOUNT - This unique service is offered exclusively to UMB Premier customers.
  • UMB NEW DEMO ACCOUNT - To begin demo, click the forward arrow or jump to a section with the menu to the right.
  • UMB NEW DEMO ACCOUNT - UMB NEW DEMO ACCOUNT - To try the online banking demo
  • UMB NEW DEMO ACCOUNT - Welcome to the demo for Global View!
  • UMB Premier DEMO ACCOUNT - from securely accessing your account information to paying bills to creating reports.
  • UMB Premier DEMO ACCOUNT - how to access your accounts, set up bill payees, transfer funds, and more!
  • UMB Premier DEMO ACCOUNT - how you can use UMB Online Banking
  • UMB Premier DEMO ACCOUNT - Online Banking and Bill Pay Demo
    "
  • UMB Premier DEMO ACCOUNT - Online Banking Demo "
  • UMB Premier DEMO ACCOUNT - The Demo requires Flash Player, available at no cost from Macromedia.
  • UMB Premier DEMO ACCOUNT - Try it! View our interactive Demo to learn more
  • UMB Premier DEMO ACCOUNT - Use it! View our Guide for helpful step-by-step instructions
  • UMB Premier DEMO ACCOUNT - You can download and save the entire Guide, then print the pages you want.


The path name for the fake video is:

/demotour.htm

The initial malware drop is a file called:

Adobe_Player10.exe

The file had not previously been uploaded to VirusTotal.

VirusTotal detections were: 17 of 38

File size: 3169 bytesMD5...: 1165b5ef89c61f8f61d3b1d91b374c9c


Strings on that malware indicate that second stage malware will probably
be loaded from:

hxxp://premierinet.com/adobe2.exe

The Adobe2 file had also not been previously uploaded to VirusTotal.
Another interesting string was C:\m_unpacker\packed.exe

VirusTotal Detections were: 3 of 38
File size: 36864 bytesMD5...: 4cc95326ed31689a50ca395eda99e8b7

Adobe2.exe sends all of its stolen data to: 91.203.93.57. Gee, does
that sound familiar to anyone?

As before, this is an advanced password stealer, grabbing webforms, ICQ,
POP3, and FTP passwords.

The spammed emails are advertising domains which are being served on
fast flux IP addresses. For example, the current IPs are:

68.36.117.128
75.21.90.70
76.211.222.243
208.127.129.95
24.16.209.93

When we look at some of these IPs to see what they have resolved, we
confirm that they have recently been used for a bunch of badness,
including the Classmates malware. For instance, 68.36.117.128 included:

adobeflasplayer10.com
adobeflash107.com
clasmatessup.com
downloadcentrer.com
downloadforupdates.com
downloads777.com
downloadservers7.com
onlineservclass.com
playerflashfull.com
serveronlines.com
serverupdateflash.com
tempdir.cz <== Citibank phish domain
upgradeadobe.com

axknm.cn <== Google AdWords domain
bmspeedlab.org <== BMS Money Mule recruitment
bumotor.org <== BMS Money Mule recruitment
bumospo.com <== BMS Money Mule recruitment
bumospe.tk <== BMS Money Mule recruitment
elbertzfunz.com
whv67.cn

You'll never believe this! BMSpeedLab.org has a Vacancy for a Regional
Financial Representative!!!!



You will be paid 10% commission out of every customer payment you have
to deal with for "Coordinating customer payments using your bank account".



Previous blog posts related to this malware family, which has previously targeted customers of: BancorpSouth, Bank of America, Bank of the West, CapitalOne, CareerBuilder, Chase Bank, Classmates.com, Colonial, Comerica, Eastern Bank, Google Adwords, Key Bank, LaSalle Bank, Merrill Lynch, M&I Bank, OceanBank, OpenBank, RBC, SunTrust, TD BankNorth, UMB, Wachovia, as well as abusing the Presidential election:



Nov 26th: Bank of America "Video Demo"

Nov 7th: McCain Video:

Nov 6th: Colonial Bank "Digital Certificate"

Nov 5th: Obama Acquisition Speech

Nov 4th: Wachovia/Wells Fargo Merger

Oct 31st: LaSalle Bank of America acquisition

Sep 23rd: Google Adwords

Aug 30th: Bank of America, SunTrust, TD BankNorth "Digital Certificate"

May 9th: Merrill Lynch "Digital Certificate"

May 6th: Merrill Lynch, Comerica, Colonial Bank "Digital Certificate"

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.