U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Oh Canada! – Canucks under attack in the latest wave of banking Trojan scams

Canadian online users appear to be the current target of the latest wave of email-based phishing campaigns used to deliver banking malware. Canadian online banking users appear to be the current target of the latest wave of email-based phishing campaigns. While Canada hasn’t been exempt from banking malware attacks in the past, it appears that […]

Oh Canada! –  Canucks under attack in the latest wave of banking Trojan scams

Canadian online users appear to be the current target of the latest wave of email-based phishing campaigns used to deliver banking malware.

Canadian online banking users appear to be the current target of the latest wave of email-based phishing campaigns.

While Canada hasn’t been exempt from banking malware attacks in the past, it appears that there has been a marked increase in the frequency, diversity, and scale, pointing to a present focus on Canadian users.

The exploits families in use have come from six different variants of banking Trojan, which include Zeus, Dridex, Kronos, Ursnif, Vawtrak and Gootkit.

Malicious links within fake emails and infected word documents with malicious macros and OLE objects appear to be the primary delivery method.

Security vendor Proofpoint reported a number of specific attack methods over the last few months which used various social engineering techniques within emails, luring unsuspecting users into downloading and running malicious payloads under the guise of Microsoft security updates or fake UPS and Canada Post delivery notes.

The analysis highlighted the following four examples.

The first in the selection appeared on May the 17th of this year and used a fake Microsoft security alert, pointing users to a link containing an executable – Kronos.

This instance of Kronos was configured to target Canadian, Australian and US financial organisations

Canada banking trojan 1

Screenshot of the fake MS security update linking to Kronos banking trojan

The second example appeared on June 6th and appeared as a Canada Post delivery notice. The malicious payload in this instance was actually discovered to be Dridex botnet 220 packaged with malicious macros and was configured to attack various Canadian financial sites.

Canada banking trojan 2

The fake Canada Post failed delivery note

On June 26th malicious attachments were sent as in the guise of a photo and a Microsoft Excel file, located within a Microsoft Word document with the file name ‘notice.docx’. The links led to JavaScript downloaders, which pulled down Gootkit as their payload. The configurations were set to specifically target Canadian and German sites.
Canada banking trojan 3

Gootkit downloaders disguised as links within a word document

Sticking with the theme of missed deliveries to mislead Canadian netizens, the fourth example produced showed a false UPS proof of delivery notice, complete with corporate branding which contained macros that facilitated the download of Vawtrak Project 21. This particular variant was configured to target financial sites in Canada and the UK.

Canada banking trojan 4

UPS apparently attempting to deliver malware

Banking users are being urged, especially those using Canada financial institutions, to remain ever vigilant of online threats, particularly those relying on phishing techniques via email.

As always users are reminded to be mindful of the source of the emails that user receive, especially those requesting additional actions involving external links or documents. And special attention should always be given to any attachments received via email, which encourage the acceptance of the use of Macros.

With the current methods in web technology in use today, the threat of online banking scams is something that isn’t going to go away anytime soon, however, although the attack methods themselves may vary, the techniques used for identifying and evading them follow the same principles.

Written by: Steven Boyd

Steven Boyd

Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –banking Trojan, malware)