Banking Trojan Sends Users to a Fake Site Displaying Correct URL and SSL Certificate

Aug 14, 2017

The Trickbot banking trojan, which has been targeting banking customers for over a year, has now been found using new and improved phishing techniques. The notorious banking trojan has been seen targeting a major bank with an email spam campaign that directs banking customers to a fake login page that looks exactly like the real one. Trickbot has so far hit online banking customers in the United States, the United Kingdom, and Australia, among other countries.

Security researchers at Cyren report that the latest Trickbot spam campaign sent over 75,000 emails in just 25 minutes, purporting to be from the UK’s Lloyds Bank. Researchers say that the developers behind this banking trojan have been developing it constantly, even dabbling in the NSA’s leaked EternalBlue Windows exploit that powered the almost-deadly WannaCry and Petya ransomware campaigns.


However, no matter what exploits they use, the attack vector still looks for the “human factor”, mostly focusing on phishing. With the latest use of email campaigns, it becomes difficult for a casual user to spot anything unusual when their banking credentials are being stolen by the criminals.

Banking trojan displays correct URL and legit SSL certificate

While stealing banking credentials using phishing isn’t a new technique, the Trickbot banking trojan takes it “to another level by showing the user the correct URL of the online bank and a legitimate SSL certificate, so the user sees nothing unusual,” Cyren reports.

The emails sent in the latest spam spree showed customers a well-crafted HTML email with the From field showing Lloyds Bank and the subject line “Incoming BACs,” a reference to the BACS system that allows customers to make payments directly from one email account to another. The email suggests that the target needs to review and sign the attached documents.


However, if you look closely enough, the email is from lloydsbacs, not lloydsbank – a very small difference that many inattentive users could miss. After the victim falls for the email and downloads the attached Excel sheet, they are asked to enable macros to allow the document to be edited, which instead leads to the deployment of the malware.

Once this phase is done, the malware waits for the victim to visit their online bank. Trickbot then redirects them to a malicious clone of their banking site that looks exactly like the real deal – correct URL and legitimate SSL certificate included!

“By using HTML and JavaScript, the malicious site is able to display the correct URL and the digital certificate from the genuine site on the malicious page,” Sigurdur Stefnisson, Cyren’s VP of threat research, told ZDNet. During this entire process, the only giveaway is the first email, which shows the incorrect sender address. Otherwise, customers may never even know what happened to their funds.
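Because the sender address is the one observable giveaway in this chain, a mail-gateway triage check can catch the lure before the spreadsheet is ever opened. The script below is an added illustration written for this page, not code from Cyren or from the Trickbot analysis: it parses a constructed message modelled on the lure (display name “Lloyds Bank”, sender domain lloydsbacs, subject “Incoming BACs”, spreadsheet attachment) and flags the brand/domain mismatch, the look-alike domain and the macro-capable attachment. The allowlist domain is an assumed placeholder.

```python
import email
from email import policy

# Constructed sample modelled on the lure described above; not a real message.
RAW_LURE = b"""From: "Lloyds Bank" <secure@lloydsbacs.co.uk>
To: customer@example.invalid
Subject: Incoming BACs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please review and sign the attached documents.
--XX
Content-Type: application/vnd.ms-excel; name="BACS_Remittance.xls"
Content-Disposition: attachment; filename="BACS_Remittance.xls"
Content-Transfer-Encoding: base64

UEsDBA==
--XX--
"""

# Assumed allowlist: brand keyword -> domains that brand genuinely sends from.
# Placeholder value; populate from your own verified sender list.
BRAND_DOMAINS = {"lloyds": {"lloydsbank.example"}}
# Office types that can carry VBA macros (the lure asks the victim to enable them).
MACRO_CAPABLE = {"application/vnd.ms-excel", "application/msword",
                 "application/vnd.ms-excel.sheet.macroenabled.12"}

def analyse(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    name, domain = sender.display_name.lower(), sender.domain.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            continue  # genuine sender domain for this brand
        if brand in name:  # brand in display name, but not sent from its domain
            findings.append(("brand-domain-mismatch", f"'{sender.display_name}' sent from {domain}"))
        if domain.split(".")[0].startswith(brand):  # e.g. lloydsbacs vs lloydsbank
            findings.append(("lookalike-domain", domain))
    for part in msg.iter_attachments():  # skips the body part, keeps attachments
        if part.get_content_type() in MACRO_CAPABLE:
            findings.append(("macro-capable-attachment", part.get_filename()))
    return findings
```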

It is unclear at the moment who is behind the Trickbot banking trojan. However, looking at how rapidly it is evolving and the tools it is testing, it wouldn’t be a surprise if a very well-organized hacking team, or even a state-sponsored group, were found to be behind it.
