Active Scam Website Found Targeting Colonial Bank Customers with Backdoor.Trojan (1)







TOKYO (MacHouse) – According to Wikipedia, Colonial Bank is the 27th largest bank in the U.S. It has 300 branches across southeastern states and Nevada and Texas. Its website is located at http://www.colonialbankc.com. (See Screenshot 01.)





Screenshot 01 – Source: Colonial Bank
Screenshot 02 – Source: MacHouse
Screenshot 03 – Source: id746.com






Yesterday, we reported a phishing e-mail message targeting JP Morgan Chase Manhattan Bank customers. More than 2 hours ago, an organized cyber crime group sent out a phishing message targeting Colonial Bank customers and Internet users. The title of the message is “ColonialBank Corporate Important Security Notification – ref: 2518.” (See Screenshot 02.) The message says:






By following the link below you will begin the procedure of the customer certificate update:






The phrase above is followed by a fake hyperlink. The underlying link actually forwards Internet users to a scam website hosted at the domain of id746.com. (See Screenshot 03.) We don’t know their entire plan, but they use this website to distribute a Windows-based file that infects Internet users with a group of trojan horse derivatives.






An organized cyber crime group sent out a phishing message involving Colonial Bank at about 4 PM (U.S. PST), June 24, just some 2 hours ago. The link given in the message is shown as






https://connect7.colonialbank.com/NBB/?pid=17xvrpEFZDabczyOkhb








but the underlying link is actually






https://ww8.colonialbank.com.id746.com/NBB/?ssid=3D17xvrpEFZDabczyOkhb






with no security layer. The scam website was active at the time of publishing this report.
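
The mismatch described above, where the link text shows one host while the underlying link points to a host under id746.com, can be checked mechanically. The following Python sketch is an added example, not part of the original report; the function names, the constructed HTML sample and the naive "last two labels" domain rule are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(value):
    """Hostname of a URL string, or None if the text is not a parsable URL."""
    try:
        return urlsplit(value.strip()).hostname
    except ValueError:
        return None

def registrable(host):
    # Assumption: naive last-two-labels rule; real tooling should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def check_links(html):
    """Report anchors whose displayed URL and real target are on different domains."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable(shown) != registrable(actual):
            # True when the displayed brand domain is reused as leading labels of the target host
            embedded = "." + registrable(shown) + "." in "." + actual.lower() + "."
            findings.append({"shown": shown, "actual": actual,
                             "actual_domain": registrable(actual),
                             "brand_embedded": embedded})
    return findings

# Constructed sample: an anchor built from the two URLs quoted in this report.
SAMPLE = ('<a href="https://ww8.colonialbank.com.id746.com/NBB/?ssid=3D17xvrpEFZDabczyOkhb">'
          'https://connect7.colonialbank.com/NBB/?pid=17xvrpEFZDabczyOkhb</a>')

if __name__ == "__main__":
    for finding in check_links(SAMPLE):
        print(finding)
```

Anchors whose visible text is not a URL are skipped, so this check only covers the displayed-versus-underlying link case described in this report.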

The scam website instructs Internet users to download a file by clicking on a link that says ‘Download certificate >>.’ The resulting Windows-based file is labeled ‘ColonialBankECERTv04510.exe.’ There is also another link on the scam website: if one clicks on the link that says ‘Certificate installation completed, go to my account >>,’ he or she will end up with a blank page with a security layer. (See Screenshot 04.)





Screenshot 04 – Source: Colonial Bank
Screenshot 05 – Source: MacHouse
Screenshot 06 – Source: MacHouse






According to Norton AntiVirus, the downloaded file contains a computer virus known as Backdoor.Trojan, which only affects Windows OS users. (See Screenshots 05 and 06.) Symantec says:






Backdoor.Trojan is a generic detection for a group of Trojan horse programs that open a back door and allow a remote attacker to have unauthorized access to the compromised computer.






We will have a more detailed report in several hours.












References:

Colonial Bank – Wikipedia
Backdoor.Trojan – Symantec.com
Warning: Phishing Website Targeting Chase Manhattan Bank Customers Active (2) – Possible Polish and Chinese Connections
Warning: Phishing Website Targeting Chase Manhattan Bank Customers Active (1)
