FireEye Malware Intelligence Lab
Threat research, analysis, and mitigation


Srizbi phishes Capital One customers

It appears that not even David Spade can protect Capital One customers from phishing attacks. A Srizbi sample in our lab today spat out some interesting spam.

As you can see below, the botnet is using a standard obfuscation technique to get the end user to click the link: the hostname is built from a long chain of subdomain labels that look legitimate at first glance (capitalonebank, UpdateSession, onlineupdatemirror, and so on), while the domain that is actually registered, and that the browser actually connects to, is the one at the far right, hunerim.com. Everything to the left of it is free for the attacker to invent.

This phishing site is a little different from the usual site that tries to harvest the user's credentials. As we see on the site below, it tries to convince the user to download the binary directly, citing a "stack overflow in a bank account". Apparently these spammers have a sense of humor!

http://top.capitalonebank.compub.globalupdate.renewmirror.UpdateSession.onlineupdatemirror.sitesurvey.hunerim.com/login.html?/rnalid/productsremote/OSL.htm?LOB=&refer=


CAPITAL ONE BANK CRITICAL UPDATE, AUGUST 28TH 2008

Critical Updates are intended to fix potential security risks in Business Objects of Capital One Bank.

Critical Update is available to remove unacceptable symbols from the wire submission page that is included with Capital One Bank Treasury Optimizer.

These updates are highly recommended to ensure the security of all Capital One Bank products.

To start update follow the Verification Link>>

Sincerely, Willard Duke.
2008 Capital One Services, Inc.


[Screenshot: Bank1_2]






Another spam we've recently seen trying to leave our lab is an attempt to make TD Banknorth customers download a new "Smartcard Certificate" to continue using their online services. The link uses the same subdomain trick; here the registered domain is fvgwvw2.com.

Subject: TD Banknorth WebExpress Certificate Renewal

Certificate owner must renew the certificate before expiry date.
Personal (Smartcard) e-Certificate

Your certificate expiration date - 1st september 2008.

The system will block users access e-cert, if it has not been renewed. Successful renewed application will receive an email notification from TD Banknorth WebExpress. Applicant can just browse to the URL stated in the email and then download the certificate.
Connect Certificate Center now
hxxp://webexpress.tdbanknorth.ecosystem.sessionervlet.updatesession.linkbrowse.communitypage.fvgwvw2.com/TDBankNorthCertificate.htm?/Secure/siteminderagent/OSL.htm?LOB=&refer=

Sincerely, Josue Thomson. 2008 TD Banknorth WebExpress Web (SM) Version 6.2


[Screenshot: Bank2]
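A quick way to catch this trick in a mail gateway or proxy log is to split the registered domain off from the subdomain labels and look for brand names in the part the attacker controls for free. The script below is an added example, not code from the original post or from FireEye. It assumes a simplified public-suffix rule (the last two labels form the registrable domain, which is wrong for suffixes such as co.uk; a real deployment would consult the Public Suffix List) and a constructed watch list of brand tokens, and it is run against the two URLs quoted above plus a legitimate host for contrast.

```python
"""Flag hostnames that stuff a brand name into attacker-controlled subdomain labels.

Added example (not FireEye's code). The registrable-domain rule here is a
deliberate simplification: the last two labels are treated as the registered
domain, which is an assumption that misses multi-label suffixes like co.uk.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed watch list: brand tokens that should only ever appear in the
# registrable domain of a legitimate host, never in its subdomain labels.
BRAND_TOKENS = ("capitalone", "capitalonebank", "tdbanknorth", "webexpress")


def hostname_of(url: str) -> str:
    """Extract a lowercase hostname, accepting defanged hxxp:// URLs from reports."""
    url = url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels (assumption, see module docstring)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def impersonated_brands(host: str, brands=BRAND_TOKENS) -> List[str]:
    """Return brand tokens found in the subdomain part (everything left of eTLD+1)."""
    sub = host[: len(host) - len(registrable_domain(host))].rstrip(".")
    # Flatten dots and dashes so "capital-one.bank" and "capitalone.bank" both match.
    flat = sub.replace(".", "").replace("-", "")
    return [b for b in brands if b in flat]


def assess(url: str) -> Dict[str, object]:
    """Triage verdict for one URL: where does it really go, and whom is it imitating?"""
    host = hostname_of(url)
    reg = registrable_domain(host)
    brands = impersonated_brands(host)
    # Suspicious when a brand sits in the subdomain but is absent from the registered domain.
    brand_owns_domain = any(b in reg.replace(".", "").replace("-", "") for b in brands)
    return {
        "host": host,
        "registrable_domain": reg,
        "label_count": host.count(".") + 1 if host else 0,
        "brand_in_subdomain": brands,
        "suspicious": bool(brands) and not brand_owns_domain,
    }


if __name__ == "__main__":
    # The two lures quoted in the post, plus a legitimate host for contrast.
    for u in (
        "http://top.capitalonebank.compub.globalupdate.renewmirror.UpdateSession."
        "onlineupdatemirror.sitesurvey.hunerim.com/login.html?/rnalid/productsremote/OSL.htm?LOB=&refer=",
        "hxxp://webexpress.tdbanknorth.ecosystem.sessionervlet.updatesession.linkbrowse."
        "communitypage.fvgwvw2.com/TDBankNorthCertificate.htm?/Secure/siteminderagent/OSL.htm?LOB=&refer=",
        "https://www.capitalone.com/",
    ):
        print(assess(u))
```

Both lures come back with the bank's name in the subdomain and a throwaway registered domain (hunerim.com, fvgwvw2.com), which is the signal worth alerting on; the legitimate www.capitalone.com host carries the brand only in its registered domain and is left alone. The label count (10 and 9 here) is a useful secondary indicator, since real bank login hosts rarely run that deep.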






This is a new spam tactic that we haven't seen before. We'll continue to investigate and post more details as they become available.

Alex Lanstein @ FireEye Malware Intelligence Labs
