Cyber criminals are faking secure messages from banks as a means of delivering malware to victims.
Banks often provide secure messaging services, usually through an online portal, so that customers can communicate with the bank without having to pick up the phone or visit a branch.
Hackers have realised that this provides a new method of attack and are now crafting spoof emails claiming to contain documentation relating to secure messages.
The sorts of clients who opt to use these secure messaging services are often high-value targets who already have a trusting online relationship with their bank - so could be more willing to follow instructions they get in an email from scammers that they believe to be real.
Criminals are registering domains that look like legitimate bank domains, and the fact they're fake goes unnoticed because users don't know how to spot an imposter or their email client doesn't show the full domain in the subject line.
Uncovered by security researchers at Barracuda Networks, the campaign uses phishing emails to impersonate customers of big banks including Bank of America and TD Commercial banking.
The spoof messages are designed to look legitimate, even featuring sender addresses which look as if they come from the institution.
In some instances, the messages simply ask the victim to click on and download an attached document. However, others keep up the façade of being 'secure' - some emails provide instructions about using an authorization code to 'unlock' the attachment.
The malicious payload within is able to rewrite the files in the users' directory on Windows machines once the victim opens the document - and this script can potentially be missed by anti-virus software, which is thrown off the scent because it thinks the document is benign.
However, once downloaded onto the system, criminals have access to it and can update the script at a later date to become something more malicious, such as credential stealing malware - enabling them to stealthily gain access to the bank account of the victim - or something more brazen like ransomware.
Faking email messages might seem like a basic attack, but criminals are deploying this tactic because it works - especially when trusted institutions such as banks are used.
However, the good news is that users can be trained to spot phishing attacks - taking a step back and assessing the legitimacy of an email can go a long way towards protecting an individual or their organisation from falling victim to hackers.