The newsworthy portion of this scam is the fact that it preys on the uncertainty of banking customers involved in a merger. The FDIC's Sandra Thompson issued a memo on October 28th addressing exactly that point. Thompson's warning was to be on the alert for phishing scams targeting "financial institutions involved in high-profile mergers, acquisitions or failures."
Here's a sample of the LaSalle/Bank of America email:
LaSalle Bank Consumers Warning:
Please be advised that we cannot guarantee the confidentiality of not protected information.
Therefore, we strongly encourage you to update your system.
New Bank of America x.509 privacy certificate for LaSalle Bank consumers can be downloaded from our customer service department.
Proceed to customer service department>>.
LaSalle Bank and Bank of America will not be responsible for any damages, if you ignore this warning.
Sincerely, Keith Landers.
2008 LaSalle Bank and Bank of America Community.
The "Sincerely" name is random and is unique in each of the several hundred sample emails that we've received so far.
The destination website is a page (screenshot not reproduced here) which tries to download an executable malware program. This tiny program, called "LaSalleSetup.exe", is merely the "dropper" which downloads additional malware, but it's still troubling how few anti-virus products will actually stop it from running. At the time of writing, only 15 of the 36 anti-virus products at VirusTotal detected this dropper as malware, and neither McAfee nor Symantec were among those detecting it.
Once the dropper executes on the computer, it downloads additional malware from the address http://customlod.com/a.exe, which is the address all of the recent versions (since October 15th) have been using. Customlod.com is registered through Register.com. Perhaps they will remove it for us?
Customlod.com is fast-flux hosted on a botnet, just like the rest of the domains. The "right-this-minute" group of IP addresses it's using are:
68.53.208.245,
79.114.237.252,
82.83.208.155,
121.113.164.71
190.160.207.242
some of which allow the malware to be dropped, and others of which do not. The last address on the list seems to have been part of this botnet the longest, and has been observed running the Ocean Bank version of the Digital Certificate malware as well.
The "a.exe" malware is also not well detected: only 19 of the 36 anti-virus products on VirusTotal detect it, and again there is no coverage from McAfee or Symantec.
Both the dropper and the second-stage malware were crafted today. This probably just means they were repacked from the same base code, but neither had been observed or reported in the places we checked before this afternoon.
a.exe stores itself on the local machine as the file 9129837.exe and hooks itself into Internet Explorer. Because of that, keystrokes are sent to the criminals only when the victim browses with IE; other browsers are not hooked. The malware also steals FTP, POP email, and ICQ session logon credentials.
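The fast-flux observation above is worth turning into something a defender can measure rather than just assert. The following is an added example, not code from the original post or from any named tool: it takes a series of A-record answers for one name and scores how "fluxy" they look. The five addresses are the ones listed above; splitting them into three lookups, the 300-second TTL, the static negative sample, and the flagging thresholds are all constructed assumptions for illustration. The function is general and works for any name's lookup history, not only customlod.com.

```python
import ipaddress

# Constructed sample: the five addresses the post lists for customlod.com,
# split across three hypothetical lookups. The 300-second TTL is an
# assumption; the post does not state the TTL.
SAMPLE_LOOKUPS = [
    {"ttl": 300, "ips": ["68.53.208.245", "79.114.237.252"]},
    {"ttl": 300, "ips": ["82.83.208.155", "190.160.207.242"]},
    {"ttl": 300, "ips": ["121.113.164.71", "190.160.207.242"]},
]

# Constructed negative sample: a name that always answers with one
# documentation address and a day-long TTL, the way static hosting looks.
STATIC_LOOKUPS = [{"ttl": 86400, "ips": ["192.0.2.10"]}] * 3


def flux_score(lookups):
    """Summarise a series of A-record answers for one name.

    Returns (unique_ips, unique_16s, churn):
      unique_ips  distinct addresses seen across all lookups
      unique_16s  distinct /16 prefixes among them; botnet nodes sit on
                  many consumer ISPs, so this is a cheap diversity proxy
                  that needs no offline ASN database
      churn       fraction of consecutive lookup pairs whose answer set
                  changed (1.0 = every lookup returned a different set)
    """
    seen = set()
    prefixes = set()
    changes = 0
    previous = None
    for answer in lookups:
        current = frozenset(answer["ips"])
        for ip in current:
            addr = ipaddress.ip_address(ip)
            seen.add(addr)
            # Collapse the address to its /16 so 190.160.x.y and 190.160.a.b
            # count as one network.
            prefixes.add(ipaddress.ip_network(f"{addr}/16", strict=False))
        if previous is not None and current != previous:
            changes += 1
        previous = current
    pairs = max(len(lookups) - 1, 1)
    return len(seen), len(prefixes), changes / pairs


def is_fast_flux(lookups, min_ips=5, min_16s=4, ttl_max=900):
    """Flag a name as fast-flux hosted when it keeps rotating through many
    addresses on many networks with short TTLs.

    The thresholds are assumptions chosen for illustration, not values
    from the post; tune them against your own resolver logs.
    """
    if not lookups:
        return False
    unique_ips, unique_16s, churn = flux_score(lookups)
    short_ttl = max(a["ttl"] for a in lookups) <= ttl_max
    return (short_ttl and unique_ips >= min_ips
            and unique_16s >= min_16s and churn > 0.5)


if __name__ == "__main__":
    print("customlod.com sample:", flux_score(SAMPLE_LOOKUPS),
          "fast-flux" if is_fast_flux(SAMPLE_LOOKUPS) else "not flagged")
    print("static sample:", flux_score(STATIC_LOOKUPS),
          "fast-flux" if is_fast_flux(STATIC_LOOKUPS) else "not flagged")
```

Feeding this from a real resolver means logging each answer set and TTL per name over time; the /16 proxy is deliberately crude, and an ASN lookup would replace it in production. Note that a high score says nothing about which nodes are actually serving the payload at a given moment, which matches the observation above that only some of the addresses deliver the dropper.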
I don't know where this one sends its stolen data yet; the most recent version we've run "in the wild" sent it to:
1.alisiosanguera.com.cn or 2.bernardosolo.net.cn
We've seen at least 34 unique subject lines on the spam messages, such as:
- LaSalle Bank - Date and time our site was accessed
- LaSalle Bank - determine the level of interest in information available on our site.
- LaSalle Bank - identifying information about our visitors
- LaSalle Bank - Please be advised
- LaSalle Bank - the bank uses this information to create summary statistics
- LaSalle Bank - Visitors to this bank Website remain anonymous.
- LaSalle Bank - we do not collect identifying information about visitors to our site.
- LaSalle Bank - we may use standard software
- LaSalle Bank Consumers - we cannot guarantee the confidentiality of information sent.
- LaSalle Bank Consumers: allow the web server to log the pages you use
- LaSalle Bank Consumers: any information that you might send to us
- LaSalle Bank Consumers: if you send confidential or private information to us
- LaSalle Bank Consumers: other personal information
- LaSalle Bank Consumers: private information in your e-mail
- LaSalle Bank Consumers: we strongly discourage you from including any confidential information
- LaSalle Bank Consumers: you have visited the site before
- LaSalle Bank Consumers: your Account Number
- LaSalle Bank Security: additional step to logging onto Online Banking .
- LaSalle Bank Security: implemented an additional access authentication feature
- LaSalle Bank Security: Please take a moment to prepare for this additional layer of security
- LaSalle Bank Security: prompt you to answer your security verification question(s)
- LaSalle Bank Security: reviewing your security verification question and answer
- LaSalle Bank Security: we help you monitor your online accounts.
- LaSalle Bank Security: we’re adding additional security features
- LaSalle Bank will not be responsible for any damages
- Warning LaSalle Bank Consumers:Making Online Banking even more convenient and secure for you—totally free.
- Warning LaSalle Bank Consumers: Additional Security Features for Online Banking
- Warning LaSalle Bank Consumers: Customer Identification Program
- Warning LaSalle Bank Consumers: Information from a consumer reporting agency
- Warning LaSalle Bank Consumers: Information We Collect
- Warning LaSalle Bank Consumers: Information you provide us for applications or other forms
- Warning LaSalle Bank Consumers: Notice of Financial Privacy Rights
- Warning LaSalle Bank Consumers: providing you with secure and convenient online access
The domain names that we've seen hosting the dropper malware so far are:
bervioneeil.com
dfeuyerl.com
reekisb.com
reiureps.com
sdeirooe.com
which were all registered with BIZCN.COM as their registrar.
The full machine names look like these (with many random strings and different names substituted; each full URL is truly unique):
welcomelasalle.actionvalidate.bankonline.eBjjvVNII.reiureps.com
welcomelasalle.actionvalidate.carehtmlclient.l8UCc3sMZ.bervioneeil.com
welcomelasalle.actionvalidate.onlineupdate.HHtJWlNFa.dfeuyerl.com
welcomelasalle.actionvalidate.selfservice.bqUlaYr3t.sdeirooe.com
welcomelasalle.actionvalidate.services.T3Q2MVoy1.reekisb.com
The full URLs really look more like this:
http://welcomelasalle.customerlogin.sitesurvey.ovqvq1yco.reiureps.com/lasalle.php?/carehtmlclient/services/OSL.htm?LOGIN=iesHRMCt2g&VERIFY=BgwGlYOvQvq1YcO
http://welcomelasalle.onlineupdatemirror.certificateupdate.zetlslttm.reiureps.com/lasalle.php?/customerlogin/portalserver/OSL.htm?LOGIN=yG8If3X3h1&VERIFY=ovHI21zETLslTtm
http://welcomelasalle.securitychallenge.encrypted.vcxxudntu.reiureps.com/lasalle.php?/encrypted/communitypage/OSL.htm?LOGIN=xDnbTvlGvq&VERIFY=XrNKQDVcxxUdntu
But any URL that includes at least the domain name and the lasalle.php path will resolve to the same location, whatever the other hostname labels and query parameters happen to be.
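Because every full URL in this campaign is unique but the registered domain and the lasalle.php path are constant, a filter keyed on full URLs will never match twice while one keyed on the domain and path catches all of them. The following is an added example written for this post, not the author's own code or any product's rule set: it parses URLs of the shape shown above, pulls out the registered domain and the LOGIN/VERIFY tokens, and decides whether to block (known campaign domain) or merely flag (same hostname shape on a domain not yet on the list). The hostname regex, the label counts it allows, the assumption that the domain ends in .com, and the "newdomain.com" negative/suspect samples are my own assumptions drawn from the examples, not rules stated in the post.

```python
import re
from urllib.parse import urlsplit

# Dropper domains the post lists for this campaign (all BIZCN.COM registrations).
CAMPAIGN_DOMAINS = {"bervioneeil.com", "dfeuyerl.com", "reekisb.com",
                    "reiureps.com", "sdeirooe.com"}

# Hostname shape seen in the post: fixed "welcomelasalle" label, one to
# three dictionary-word labels, one random alphanumeric label, then the
# registered .com domain. Label counts, lengths and the .com suffix are
# assumptions inferred from the examples, not a rule the post states.
HOST_SHAPE = re.compile(
    r"^welcomelasalle\.(?:[a-z]+\.){1,3}[a-z0-9]{6,12}\.[a-z0-9-]+\.com$",
    re.IGNORECASE)

# URLs quoted in the post, used here as sample input.
SAMPLE_URLS = [
    "http://welcomelasalle.customerlogin.sitesurvey.ovqvq1yco.reiureps.com/lasalle.php?/carehtmlclient/services/OSL.htm?LOGIN=iesHRMCt2g&VERIFY=BgwGlYOvQvq1YcO",
    "http://welcomelasalle.onlineupdatemirror.certificateupdate.zetlslttm.reiureps.com/lasalle.php?/customerlogin/portalserver/OSL.htm?LOGIN=yG8If3X3h1&VERIFY=ovHI21zETLslTtm",
    "http://welcomelasalle.securitychallenge.encrypted.vcxxudntu.reiureps.com/lasalle.php?/encrypted/communitypage/OSL.htm?LOGIN=xDnbTvlGvq&VERIFY=XrNKQDVcxxUdntu",
]


def registered_domain(host):
    """Last two labels of a hostname; sufficient for the .com domains here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Break a URL into the parts that matter for this campaign."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parts.query
    # Everything after the first '?' is a fake path plus parameters. Pull
    # the two tokens with a regex: parse_qs would glue "/OSL.htm?LOGIN"
    # into a single key and hide the LOGIN value.
    login = re.search(r"(?:^|[?&])LOGIN=([^&]+)", query)
    verify = re.search(r"(?:^|[?&])VERIFY=([^&]+)", query)
    domain = registered_domain(host)
    return {
        "domain": domain,
        "known_domain": domain in CAMPAIGN_DOMAINS,
        "host_shape": bool(HOST_SHAPE.match(host)),
        "dropper_path": parts.path.lower() == "/lasalle.php",
        "login": login.group(1) if login else None,
        "verify": verify.group(1) if verify else None,
    }


def verdict(url):
    """'block'   - known campaign domain serving lasalle.php
       'suspect' - same hostname shape and path on a domain not yet listed
       'clean'   - anything else"""
    c = classify(url)
    if c["known_domain"] and c["dropper_path"]:
        return "block"
    if c["host_shape"] and c["dropper_path"]:
        return "suspect"
    return "clean"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        c = classify(u)
        print(verdict(u), c["domain"], c["login"], c["verify"])
```

The "suspect" branch is the useful one operationally: when the gang registers its next throwaway domain, the domain list above goes stale immediately, but the welcomelasalle.*.lasalle.php shape survives until they change the kit. Keying a mail or proxy filter on registered domain plus path, rather than on the full URL, is what the last sentence of the post implies.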