New scam targets BoA Merrill Lynch customers

Barracuda Engineer and Research Scientist Luis Chapetti (@cudasecurity) is warning us of a new phishing attack that he discovered on Friday afternoon. The email impersonates an official secure message from Bank of America Merrill Lynch.

The email includes a pdf attachment that contains a malware link. The link takes the user to an address similar to this:

dl.dropboxusercontent.com /s/xn26h1fppik5np6/SecureMessage.zip?dl=1&token_hash=AAFeZ7ZaTMGCK_zbZfiraxwiTEBsq8rwQ7TF5l5lGEn9rg&expiry=1400258860

This initiates a download of the “SecureMessage.zip” file, which contains Spyware/Win32.Zbot. This trojan takes the following actions on the user computer:

• Starts servers listening on 0.0.0.0:6710 and 0.0.0.0:6506
• Performs an HTTP GET of malkanat.com/images/Targ-1605USdp.tar
• Collects MachineGuid, DigitalProductID, and SystemBiosDate
• Steals private information such as login data, that is transmitted through browsers
• Installs itself for autorun at Windows startup

This message shares is similar to other “secure message” emails that we have seen in the past year, in that it shares these characteristics:

• The “secure message” attachment is an executable or a zip file
• The user is directed to open the attachment with a web browser
• It directs the user to a Dropbox link which contains the malware

This phishing attack has been used against customers of other banks as well. Citibank, Key Bank, HSBC, and NatWest have all been impersonated for this type of attack.

If you suspect that you have received one of these emails, you can report it to US-CERT and APWG.

Customers running the Barracuda Spam Firewall or Barracuda Web Filter with the latest security definitions are protected from this attack.