Oh Canada! - Canucks under attack in the latest wave of banking Trojan scams

alt

Canadian online banking users appear to be the current target of the latest wave of email based phishing campaigns.

While Canada hasn’t been exempt from banking malware attacks in the past, it appears that there has been a marked increase in the frequency, diversity and scale, pointing to a present focus on Canadian users.

The exploits families in use have come from six different variants of banking Trojan, which include Zeus, Dridex, Kronos, Ursnif, Vawtrak and Gootkit.

Malicious links within fake emails and infected word documents with malicious macros and OLE objects appear to be the primary delivery method.

Security vendor Proofpoint reported a number of specific attack methods over the last few months which used various social engineering techniques within emails, luring unsuspecting users into downloading and running malicious payloads under the guise of Microsoft security updates or fake UPS and Canada Post delivery notes.

The analysis highlighted the following four examples.

The first in the selection appeared on May the 17th of this year and used a fake Microsoft security alert, pointing users to a link containing an executable – Kronos.

This instance of Kronos was configured to target Canadian, Australian and US financial organisations

alt Screenshot of the fake MS security update linking to Kronos

The second example appeared on June 6th and appeared as a Canada Post delivery notice. The malicious payload in this instance was actually discovered to be Dridex botnet 220 packaged with malicious macros and was configured to attack various Canadian financial sites.

alt The fake Canada Post failed delivery note

On June 26th malicious attachments were sent as in the guise of a photo and a Microsoft Excel file, located within a Microsoft Word document with the file name ‘notice.docx’. The links led to JavaScript downloaders, which pulled down Gootkit as their payload. The configurations were set to specifically target Canadian and German sites.

alt Gootkit downloaders disguised as links within a word document

Sticking with the theme of missed deliveries to mislead Canadian netizens, the fourth example produced showed a false UPS proof of delivery notice, complete with corporate branding which contained macros that facilitated the download of Vawtrak Project 21. This particular variant was configured to target financial sites in Canada and the UK.

alt UPS apparently attempting to deliver malware

Banking users are being urged, especially those using Canada financial institutions, to remain ever vigilant of online threats, particularly those relying on phishing techniques via email.

As always users are reminded to be mindful of the source of the emails that user receive, especially those requesting additional actions involving external links or documents. And special attention should always be given to any attachments received via email, which encourage the acceptance of use of Macros.

With the current methods in web technology in use today, the threat of online banking scams is something that isn’t going to go away any time soon however although the attack methods themselves may vary, the techniques used for identifying and evading them follows the same principles.