by Dave Michmerhuizen & Luis Chapetti – Security Researchers
The Barracuda Labs spam traps recently received a burst of phishing emails targeting Bank of America customers. These particularly well-crafted messages underscore two important rules when dealing with spam.
Rule # 1: Never click on a link in an email, no matter how authentic it might appear.
Rule # 2: If a dialog asks you if you want to RUN something, don't.
Many people think they can effectively spot spam by looking for the tell-tale clues such as poor grammar or misspellings. Modern spam campaigns render this approach ineffective.
Take a look at this very convincing email…
There is nothing in this email that initially seems suspicious – except that the email offers a link to an “online statement”, which is actually a malware executable.
This involves rule number one – never click on a link, even if it might appear to be legitimate, indeed even if it is legitimate. Such links are so frequently malicious that trying to determine which are and which are not is simply too risky. It is much safer to directly visit the website of the institution within your web browser.
In the most simple cases, clicking on a malicious link downloads the malware executable and attempts to run it. Before running it, Windows will prompt you and ask you if you really want to run the file, like so…
This triggers rule number two – never select Run when this dialog is presented. No reputable, unsolicited, email will contain, or link, to something that needs to be run on your local computer; even if the email is from a trusted or known organization.
What can happen if you ignore these two rules?
In this case, you would have downloaded and executed a bank password stealer. One of the first things this Trojan horse does is update itself with a list of banking sites that it should monitor for transmitted usernames and passwords.
Once this step is complete the Trojan checks-in with a command and control server in Russia, updating it with any banking credentials it finds.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.