The Trickbot banking trojan, which has been targeting banking customers for over a year, has now been found using new and improved phishing techniques. The notorious banking trojan has been seen targeting a major bank with an email spam campaign that directs banking customers to a fake login page that looks exactly like the real one. Trickbot has so far hit online banking customers in the United States, United Kingdom, and Australia, among other countries.
Security researchers at Cyren report that the latest Trickbot spam campaign sent over 75,000 emails in just 25 minutes, purporting to be from the UK's Lloyds Bank. Researchers say the developers behind this banking trojan have been developing it constantly, even dabbling with the NSA's leaked EternalBlue Windows exploit that powered the almost-deadly WannaCry and Petya ransomware campaigns.
However, whatever exploits they use, the attack vector still relies on the "human factor", mostly phishing. With the latest email campaigns, a casual user will find it hard to spot anything unusual while their banking credentials are being stolen by the criminals.
Banking trojan displays correct URL and legit SSL certificate
While stealing banking credentials using phishing isn't a new technique, Trickbot banking trojan takes it "to another level by showing the user the correct URL of the online bank and a legitimate SSL certificate, so the user sees nothing unusual," Cyren reports.
The emails sent in the latest spam spree showed customers a well-crafted HTML email with the From field showing Lloyds Bank and the subject line "Incoming BACs", a reference to the BACS system that allows customers to make payments directly from one email account to another. The email suggests that the target needs to review and sign the attached documents.
However, if you look closely enough, the email is from lloydsbacs, not lloydsbank: a very small difference that many inattentive users could miss. After the victim falls for the email and downloads the attached Excel sheet, they are asked to enable macros to allow the document to be edited, which instead deploys the malware.
Once this phase is done, the malware waits for the victim to visit their online bank. Trickbot then redirects them to a malicious clone of the banking site that looks exactly like the real one, correct URL and legitimate SSL certificate included.
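The two tell-tale signs described above (a display name that claims to be the bank while the sending domain is a near-miss lookalike, plus a macro-capable Office attachment) can be checked automatically at the mail gateway. The following Python script is an added example written for this article, not code from Cyren or from the Trickbot campaign; the sample messages, the brand-to-domain allowlist and the `.example` domains are constructed for illustration.

```python
"""Triage incoming mail for lookalike sender domains and macro-capable attachments.

Added example, not from the original article. Sample messages and the
BRAND_DOMAINS allowlist below are constructed; replace them with your own data.
"""
import email
import os
from email import policy
from email.utils import parseaddr

# Constructed phishing sample modelled on the campaign described in the article:
# display name says "Lloyds Bank", but the sending domain is "lloydsbacs", and an
# Excel attachment is included.
SAMPLE_PHISH = """\
From: Lloyds Bank <documents@lloydsbacs.example>
To: customer@example.net
Subject: Incoming BACs
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please review and sign the attached documents.</p>
--b1
Content-Type: application/vnd.ms-excel; name="Incoming_BACs.xls"
Content-Disposition: attachment; filename="Incoming_BACs.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign sample: same display name, but sent from the allowlisted domain
# and carrying no attachment.
SAMPLE_LEGIT = """\
From: Lloyds Bank <alerts@lloydsbank.example>
To: customer@example.net
Subject: Your statement is ready
Content-Type: text/plain

Your monthly statement is available in online banking.
"""

# Assumed allowlist: which sending domains may legitimately use a given display name.
BRAND_DOMAINS = {"lloyds bank": {"lloydsbank.example"}}

# Attachment types that can carry VBA macros (the "enable macros" lure in the article).
MACRO_CAPABLE_EXT = {".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".dot", ".dotm"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> dict:
    """Return a dict of findings for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    brand = display.strip().lower()

    lookalike_of, distance = None, None
    allowed = BRAND_DOMAINS.get(brand)
    if allowed and sender_domain not in allowed:
        # Display name claims a known brand but the domain is not allowlisted;
        # report the closest legitimate domain and how far off the sender is.
        lookalike_of = min(allowed, key=lambda d: edit_distance(d, sender_domain))
        distance = edit_distance(lookalike_of, sender_domain)

    macro_attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in MACRO_CAPABLE_EXT:
            macro_attachments.append(name)

    return {
        "sender_domain": sender_domain,
        "lookalike_of": lookalike_of,
        "distance": distance,
        "macro_attachments": macro_attachments,
        "suspicious": lookalike_of is not None or bool(macro_attachments),
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The allowlist approach is deliberate: rather than trying to enumerate every possible lookalike of a bank's domain, the check asks whether a message that claims a brand in its display name actually comes from a domain that brand is known to use, and reports the edit distance only to help an analyst see how close the impersonation is. Enforcing DMARC on the brand's real domains complements this, since a lookalike domain is exactly what an attacker falls back to when spoofing the real one is blocked.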
It is unclear who is behind the Trickbot banking trojan at the moment. However, given how rapidly it is evolving and the tools it is testing, it would not be a surprise if a well-organized hacking team or even a state-sponsored group were found to be behind it.