Monday, June 01, 2009

Bank of America Digital Certificates - A New Generation of Phishing?

We've seen several attempts in the past for criminals to try to get your passwords by the social engineering trick of a "Digital Certificate". Beginning in today's spam we're seeing another round that seems more directed at existing users of the Bank of America Digital Certificate program. Previous Bank of America Digital Certificate scams were covered in this blog in our stories including: Banking Digital Certificate Malware in Spam, Bank of America Demo Account - DO NOT CLICK, and LaSalle acquisition by Bank of America spreads malware.



The current email warns that "The Digital Certificate for your Bank of America Direct online account has expired." and provides a link to a website to update the information. All of the links on the website shown below point to the real Bank of America Direct Digital Certificate program, except the "CONTINUE" button.



According to the WHOIS policy for .EU domains, I am not allowed to share with you in my blog the patently false registration information for the domain 1il1il1.eu.

You would have to WHOIS the information yourself from: www.eurid.eu, which is probably part of why criminals like .eu domains so much.

We actually received more than fifty copies of this new scam, with the earliest arriving May 29th at 9:30 AM. For most of them, several domains are used, and for some we have multiple copies, with fjtiili.com, hftiili.be, fgtsssa.com, and idfsre.com being the most popular among those we've seen in the spam:

lstrass.com
nfillil.net.sg
fjtiili.com
fgtsssa.co.uk
idfgtid.li
idfgtid.cz
idfsre.com
hftiili.be
fgtsssa.com

While this morning the emails began to say "The Digital Certificate for your Bank of America Direct online account has expired", versions before today read "We would like to inform you that we have released a new version of Bank of America Customer Form."

.be domains, like .eu domains, require you to visit the Registrar's website to reveal WHOIS details. According to www.dns.be, its not allowed for me to post information from their WHOIS database about hftiili.be here, so you would have to look that information up yourself:

Lookup WHOIS for hftiili.be.

I can make the observation that a friendlier WHOIS service for fjtiili.com, which follows the international standard of making WHOIS data publicly available, says that fjtiili.com was registered to bromleygilmoreur@yahoo.com which would be of interest to people who read the WHOIS information for hftiili.be, although I can't say why, lest the .be Domain Police come get me! The names do not match although the email addresses do.

Whether you place true information on the website or not, the website will attempt to infect your computer by downloading and attempting to run the file:

c:\Windows\9129837.exe

This malware, called by some AV products "spy-agent.bg".

The newest portion of the update, however, which varies from previous Digital Certificates that we've seen, is that the information is being verified before submission. The current login screen, shown here:



actually is using a complex login process, which includes verifying your credentials before accepting them, and encrypting the form content. The form is submitted using "x-www-form-encoded" as its methodology, and contacting Verisign via "pilotonsite.verisign.com/cgi-bin/crs.exe" as part of its authorization process. If Verisign doesn't agree that you are a valid Digital Certificate user, the phisher doesn't have to bother storing your credentials - but he'll still infect your computer with his keylogging software, just in case.

One of my students, a UAB Malware Analyst, is currently reviewing the malware. We'll have more information about it shortly and will update this post then.

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!