Security News Phishers Use Private Banking Messages to Lure Victims

[Exterminator]

Security experts are warning of a new phishing campaign designed to trick private banking clients into downloading covert malware onto their machines.

The spoof emails employ classic phishing techniques to socially engineer their targets, including the use of legitimate-looking banking domains and secure messages of the sort often received by private banking customers.

“This is appealing to criminals because the targets are of high value and already trust intimate communications from their banks,” explained Barracuda Networks. “Criminals also like that in order for targets to act on these messages, they need to be connected to the internet because the viewing happens in a web portal, which means that they are now vulnerable to downloading malicious content.”

The security vendor claimed to have seen many variations on the same theme over the past month, targeting multiple lenders including Bank of America and TD Commercial Banking.

“In some instances, these messages have an attached Word document that contains a malicious script that will rewrite the files in the users’ directory on Windows machines once the victim opens the document,” it added.

“Depending on the script in the attachment, there’s a potential for typical anti-virus software to miss the threat altogether because the Word documents contained in these ‘secure messages’ could be benign and allowed to be downloaded or opened when they’re first received.”

Once downloaded, attackers can update the script to something far more malicious such as ransomware or an info-stealer, the vendor claimed.

User training and awareness alongside layered security featuring advanced sandboxing and anti-phishing capabilities will help mitigate the threat.

Phishing remains the most commonly exploited attack vector, according to a new study out this week.

Staff are most often victims of spoofing and impersonation (67%), followed by branded (35%) and seasonal (31%) attacks, according to IronScales.

Staff training has long been a part of best practice security, but research from Accenture Security this week revealed that over half (55%) of UK employees can’t remember even having been given training: a sure sign it’s not working.

 

[L S]

This is "standard" practice for phishing , ....... now this is only new "phishing campaign" ....... after this it will be something newer.

 

[Entreri]

Interesting. It always gives me a good chuckle, alas some people still fall for this amateur hour nonsense.

Never answer anything unless you are the one inquiring. The government uses snail mail and one should always verify by calling the Department before responding.

Given the AMT scams, only deal with bank tellers.

 

[L S]

Interesting. It always gives me a good chuckle, alas some people still fall for this amateur hour nonsense.

Never answer anything unless you are the one inquiring. The government uses snail mail and one should always verify by calling the Department before responding.

Given the AMT scams, only deal with bank tellers.

First of all - Common Sense !!!