Banking Trojan: Spammers Create Bank Website Domains To Steal Customer Info

A single typo could cost a person quite a bit of money. Spammers created websites with domain names similar to those of financial institutions and used the sites to spread malware that steals financial information and login credentials.

Researchers at My Online Security and the SANS Institute’s Internet Storm Center discovered the attack, which has targeted a number of banks and financial institutions located in the United Kingdom and the United States.

Institutions including Santander Bank, Lloyds Bank, HSBC, Nationwide and Natwest were all targeted by the spammers, who set up domains designed to catch those who suffer from a slip of the finger on the keyboard.

Some of the phony domains spotted by researchers included hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, santanderdocs.co.uk, santandersecuremessage.com and securenatwest.co.uk.

If a person were to make the mistake of visiting one of those sites—which have since been taken down, potentially by the domain host GoDaddy—they would be exposed to a banking trojan called Trickbot.

According to the researchers, the site makers went through a considerable amount of effort to disguise the malicious intent. The domains were implemented on servers using full email authentication and HTTPS, an encrypted communications protocol usually found on trusted websites.

As a result, people were easily tricked into clicking on links and opening attachments that contained the Trickbot trojan. These attachments would often appear as “secure email” that required the user to download an HTML or Microsoft Office file that would contain the malware.

“They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment,” researchers from My Online Security wrote. “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.”

For those unfortunate enough to be infected with Trickbot, a successor to the Dyreza banking malware known for hijacking user login credentials, their personal information was put at significant risk.

Trickbot is best known for its ability to carry out man-in-the-middle attacks, in which the trojan intercepts and redirects traffic in a user’s browser, stealing their information and injecting malicious advertisements and other code—including code with the ability to steal a user’s login credentials.

“As always, properly-managed Windows hosts following best security practices are unlikely to get infected by this malware,” a researcher for SANS Institute’s Internet Storm Center wrote.

“Unfortunately, many organizations and home users don't follow best practices. As long as criminals can abuse domain registrars and hosting providers, this type of malspam will occasionally manage to slip past spam filters and find vulnerable victims.”

In order to defend against the attack, which makes use of Microsoft Office security exploits, users are advised to disable options in the program like “Enable content” and “Enable macros” that allow the malicious code housed in the Word documents to execute.

In order to make sure these setting are not enabled, users can open the Access menu in Microsoft Office. From here, users should click Trust Center, then Trust Center Settings and open Macro Settings. From here, they can ensure content and macros are not enabled.