For Commtouch’s email security labs, phishing emails allegedly coming from well-known large consumer banks are a common sight. A little less common is the campaign we saw in the last 24 hours. Emails with the subject line “IMPORTANT Documents – WellsFargo”, sent from the addresses service@wellsfargo.com or docs@wellsfargo.com, did not try to phish sensitive data from customers of Wells Fargo, one of the largest consumer banks in the United States. Instead, they served to deliver malware.
The wave started yesterday morning, July 15, 2013, at approximately 9 a.m. Eastern Time (1 p.m. GMT). Since the campaign’s start, it has been responsible for 80 percent of all virus outbreaks detected by Commtouch. The emails carried an attachment: a Zip archive containing a file disguised as a PDF that is actually an executable (.exe). When opened on a Windows system, the executable runs and installs a member of the Tepfer family of trojans. The malware embeds itself in the system, starts automatically and is capable of downloading additional malware onto the user’s computer. One of the peculiarities of Tepfer is that it carries a list of popular passwords which it tries against various accounts on the infected system, targeting email and FTP accounts in particular. More than 50 percent of the emails came from US IP addresses and another five percent from Canadian ones; the other top sources of the campaign were the United Kingdom and Germany.
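As an added illustration (not Commtouch’s own tooling), the following Python snippet shows how a mail gateway or analyst script could flag the kind of attachment described above: a Zip archive whose member is named like a document but is really a Windows executable. The sample archive, its member names and contents are constructed here for demonstration; the checks rely only on file extensions and the “MZ” header that Windows PE executables start with.

```python
import io
import zipfile

# Constructed sample archive modelled on the campaign's attachment: one member
# with a double extension (.pdf.exe), one PE file hiding behind a .pdf name,
# and one benign PDF-looking file for comparison.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents.pdf.exe", b"MZ" + b"\x00" * 64)  # disguised executable
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 64)         # PE content, PDF name
        zf.writestr("statement.pdf", b"%PDF-1.4\n%constructed")  # looks like a real PDF
    return buf.getvalue()

# Extensions Windows will execute directly when the user double-clicks.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def inspect_zip_attachment(data: bytes) -> list:
    """Return one finding per archive member that looks like a disguised executable.

    Three checks: an executable extension at all, a double extension such as
    .pdf.exe, and a PE ("MZ") header behind a non-executable extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower().rsplit("/", 1)[-1]   # strip any directory part
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as member:
                head = member.read(2)                          # only the magic bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
                if len(parts) > 2:
                    reasons.append("double extension .%s%s" % (parts[-2], ext))
            if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header behind non-executable extension")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding["member"], "->", ", ".join(finding["reasons"]))
```

Extension and magic-byte checks like these catch the disguise used in this wave but not every packaging trick, so they belong alongside, not instead of, signature and outbreak-based detection.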
Other malware campaigns
Another malware campaign observed in the past 24 hours came in the name of another major US bank, the Bank of America. The emails had the subject line “Merchant Statement” and the sender “Bank of America” noreply@bankofamerica.com. The attachment was alleged to contain a bank statement and also contained a trojan. A third wave came with the subject line “BACS ADDACS Advice Report”, allegedly sent by the British financial service provider BACS. These emails also delivered a Tepfer variant.
Commtouch’s virus outbreak detection services monitor such campaigns in real time and usually detect these virus outbreaks within seconds of their first appearance. Commtouch’s partners and their customers are therefore protected almost from the very start of a malware campaign.