Tuesday, October 20, 2009

TowerNet CapitalOne: Avalanche returns after 15 months

The Avalanche botnet, which has been spamming phishing pages and, most recently, the IRS-themed Zeus malware campaign, has returned to traditional phishing. The UAB Spam Data Mine has received hundreds of samples today with subjects like these:

Download and install digital certificate
Enhancements: New Release
How to install digital certificate
Install Digital certificate
Install Digital Certificate software
Obtain Digital Certificate
Pick Up and Install Digital Certificate
Please install digital certificate software
Please read this important information concerning your privacy
Please Read: This Document Contains Important Information
This Document Contains Important Information



Advertised websites in this target group include:

towernet.capitalonebank.com.racder1c.net
towernet.capitalonebank.com.racder1x.com
towernet.capitalonebank.com.raeder1f.net
towernet.capitalonebank.com.rarder1g.com
towernet.capitalonebank.com.raxsder1.net
towernet.capitalonebank.com.rzasder1.com
towernet.capitalonebank.com.t1fliil.com
towernet.capitalonebank.com.t1fliil.net
towernet.capitalonebank.com.t1fliil.tc
towernet.capitalonebank.com.yyy1yyrd.co.uk
towernet.capitalonebank.com.yyy1yyre.co.uk
towernet.capitalonebank.com.yyy1yyrf.co.uk
towernet.capitalonebank.com.yyy1yyrg.co.uk
towernet.capitalonebank.com.yyy1yyrj.co.uk
towernet.capitalonebank.com.yyy1yyrk.co.uk
towernet.capitalonebank.com.yyy1yyrl.co.uk
towernet.capitalonebank.com.yyy1yyrm.co.uk
towernet.capitalonebank.com.yyy1yyro.co.uk
towernet.capitalonebank.com.yyy1yyrq.co.uk
towernet.capitalonebank.com.yyy1yyrr.co.uk
towernet.capitalonebank.com.yyy1yyrs.co.uk
towernet.capitalonebank.com.yyy1yyru.co.uk
towernet.capitalonebank.com.yyy1yyrv.co.uk
towernet.capitalonebank.com.yyy1yyrx.co.uk


The October 2009 Email



Dear Capital One TowerNetSM or Treasury Optimizer user,

As part of the new terms and conditions of the Data Access Agreement between your organization and the Capital One, your organization will be given a Digital Certificate.

Because of the private nature of the client data, worldwide access via Web to that data, and the potential for fraud, the system must be certain of user identity and authorization. Capital One online banking services use two security mechanisms:
1. Customer & User Codes and passwords to identify users; and
2. Digital certificates to ensure that the user is access the business services through a valid computer, in a trusted organization.

Each registered user must have the Capital One's digital certificate installed on his or her machine in order to access online banking services.

To pickup and install your Digital Certificate, please visit:

http://towernet.capitalonebank.com/capitaloneid/usersdir/formpage.aspx/index.php?em=mymail@mydomain.com&id=703121513513613724734835496595606706767090

Please do not respond to this message as it is generated automatically.


Thank you for choosing Capital One!

DO NOT REPLY TO THIS MESSAGE
To protect your privacy, this e-mail box is not equipped to handle replies. If you have any questions, please use the secure messaging options available through Online Banking or contact Customer Service at 1-877-442-3764.

This e-mail is intended solely for the use of the individual(s) to whom it is addressed. If you believe you received this e-mail in error, please contact Customer Service at 1-877-442-3764 immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else.

NOTICE ABOUT SERVICING E-MAILS
This e-mail contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

You may receive customer service e-mails even if you have requested not to receive e-mail marketing offers from Capital One.

Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. You can view our privacy policy and contact information at www.capitalone.com. This e-mail relates to financial services offered by the Capital One family of companies, including Capital One Bank (USA), N.A. and Capital One, N.A., members FDIC. ©2009 Capital One.
Capital One is a federally registered service mark. All rights reserved.



The information contained in this e-mail is confidential and/or proprietary
to Capital One and/or its affiliates. The information transmitted herewith
is intended only for use by the individual or entity to which it is
addressed. If the reader of this message is not the intended recipient,
you are hereby notified that any review, retransmission, dissemination,
distribution, copying or other use of, or taking of any action in reliance
upon this information is strictly prohibited. If you have received this
communication in error, please contact the sender and delete the material
from your computer.


A quick check in our spam data mine showed that we had many messages from July 9th to July 23rd, 2008 that looked very similar:

towernet.capitalonebank.com.mj.org.kg
towernet.capitalonebank.com.srv1.com.es
towernet.capitalonebank.com.mem.org.kg
towernet.capitalonebank.com.srv2.com.es
towernet.capitalonebank.com.whymangame.org.es
towernet.capitalonebank.com.simongrog.com.es
towernet.capitalonebank.com.serversid.co.uk




The July 2008 Email



In July of 2008, the spam messages didn't actually take customers to a credential-stealing phishing page, but rather to a "Digital Certificate page" that offered a download. Now we have spam that uses the same Digital Certificate pretext, but the landing page just seems to be an ordinary phish. Some of the Summer of 2008 Digital Certificate domains targeting Capital One included:

dexoim.com
jimmedy.com
jioece.com
jioeres.com
klainey.com
maginele.com
mkeiop.com
niytec.com
nnerdix.com
poemils.com


Note: This is a service message regarding TowerNET Form.

Dear customer:

As part of the new security measures, all Capital One Bank business customers (including all former customers of North Fork bank) are required to complete TowerNET Form (or Treasury Optimizer Form). Please complete the form as soon as possible.

To select your form please click on the following link:

http://towernet.capitalonebank.com/onlineform/IDslcertificatedlls/userdirectory/stack/comdir/userform.aspx?ID=2987123067912365091827359023&refer=23987529

Thank you for being a valued customer.

Sincerely,

Online Banking Team

[The message body was followed by several paragraphs of random hash-buster padding (meaningless hex values and tokens inserted to defeat signature-based spam filters), of which the first reads:]

0x4685 create tmp QH3M X1Z end F1W6 XJKV exe XVRO. start: 0x6, 0x5609, 0x4 97925705631835442299918536989 0x67430426, 0x206, 0x3, 0x392 0x67, 0x988 0x2, 0x23, 0x01703069, 0x1, 0x4856 YTU: 0x0763, 0x43816681, 0x5182, 0x831, 0x99970266 IW8D: 0x6947, 0x4267, 0x07, 0x01751563, 0x9651, 0x373, 0x44043375, 0x5, 0x342, 0x5, 0x6101, 0x99, 0x0223, 0x58, 0x199 GJY: 0x1992, 0x78, 0x5, 0x348, 0x56, 0x409, 0x4538, 0x9683, 0x89015643, 0x44, 0x746, 0x03185899, 0x9, 0x3


We actually ALSO saw this same lure run as "Rock Phish" back in April 2006:

http://session421087.towernet.capitalonebank.com.kigrt.jp/customerservice/formpage
http://session6152365674.towernet.capitalonebank.com.kigrt.jp/customerservice/
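The naming trick shared by all three lists above (October 2009, July 2008 and April 2006) is the same: the real TowerNet hostname is pasted in front of an attacker-registered domain, so the part that actually matters, the registrable domain, is the last two or three labels (yyy1yyrd.co.uk, srv1.com.es, kigrt.jp), not the familiar-looking first three. The following is an added example, not code from the original post, that extracts the registrable domain and flags such brand-prefix spoofs. The LEGIT_HOSTS set and the short MULTI_LABEL_SUFFIXES table are assumptions chosen for this post (a real deployment would use the full Public Suffix List), and the sample URL list is constructed from hosts that appear above.

```python
# Added example (not from the original post): flag hostnames that embed a
# legitimate brand hostname as a leading run of labels, the pattern used by all
# three Capital One TowerNet campaigns ("towernet.capitalonebank.com.<junk>.<tld>").
# Assumptions: LEGIT_HOSTS and the small MULTI_LABEL_SUFFIXES table are hand-picked
# for this post; use the full Public Suffix List in production.
from urllib.parse import urlsplit

LEGIT_HOSTS = {"towernet.capitalonebank.com", "www.capitalone.com"}  # assumption
MULTI_LABEL_SUFFIXES = {"co.uk", "com.es", "org.es", "org.kg"}        # assumption, partial


def registrable_domain(host: str) -> str:
    """eTLD+1 for host: 'a.b.co.uk' -> 'b.co.uk', 'a.b.net' -> 'b.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> dict:
    """Classify a hostname as legit, brand_prefix_spoof, or unrelated."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    legit_regs = {registrable_domain(h) for h in LEGIT_HOSTS}
    if reg in legit_regs:
        return {"host": host, "registrable": reg, "verdict": "legit"}
    # The legitimate hostname must appear as whole labels followed by a dot, so
    # "towernet.capitalonebank.com." at the start of the host, or after a leading
    # label such as "session421087.", is caught, while a host that merely contains
    # the string (e.g. "notcapitalonebank.com") is not.
    for legit in sorted(LEGIT_HOSTS):
        needle = legit + "."
        if host.startswith(needle) or ("." + needle) in host:
            return {"host": host, "registrable": reg,
                    "verdict": "brand_prefix_spoof", "spoofed": legit}
    return {"host": host, "registrable": reg, "verdict": "unrelated"}


def classify_url(url: str) -> dict:
    """Pull the hostname out of a URL and classify it."""
    host = urlsplit(url).hostname
    if not host:
        return {"host": None, "registrable": None, "verdict": "no_host"}
    return classify_host(host)


# Constructed sample: a few hosts from each campaign in the post, the legitimate
# host shown as the link text in the lure, and one unrelated host.
SAMPLE_URLS = [
    "http://towernet.capitalonebank.com.yyy1yyrd.co.uk/",            # Oct 2009
    "http://towernet.capitalonebank.com.t1fliil.tc/",                # Oct 2009
    "http://towernet.capitalonebank.com.srv1.com.es/",               # Jul 2008
    "http://towernet.capitalonebank.com.mj.org.kg/",                 # Jul 2008
    "http://session421087.towernet.capitalonebank.com.kigrt.jp/customerservice/formpage",  # Apr 2006
    "http://towernet.capitalonebank.com/capitaloneid/usersdir/formpage.aspx",  # link text in the lure
    "https://www.example.org/login",                                 # unrelated
]


def triage(urls):
    """Return (spoofed hosts, sorted registrable domains worth blocking)."""
    spoofs = [r for r in map(classify_url, urls) if r["verdict"] == "brand_prefix_spoof"]
    return [r["host"] for r in spoofs], sorted({r["registrable"] for r in spoofs})


if __name__ == "__main__":
    hosts, blocklist = triage(SAMPLE_URLS)
    for h in hosts:
        print("SPOOF", h)
    print("block registrable domains:", blocklist)
```

Note that the URL printed in the lure's body, http://towernet.capitalonebank.com/..., classifies as legit: that is the displayed link text, and the check only helps when it is run against the actual href the mail client would follow, not the text the reader sees.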
