Sponsored by..

Thursday 9 October 2008

Citigroup/Wachovia "Security Certificates" trojan

These fake "security certificates" have been around for a while, but it has taken a little time for the Bad Guys to leverage the recent worldwide banking crisis. Expect to see a LOT more of these as more banks struggle or are taken over.


Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks' security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read more here>>

Sincerely, Sophie Burkett.
2008 Wachovia Corporation.
All rights reserved.

The link goes to the insanely named domain commercial [dot] wachovia [dot] online [dot] financial [dot] service [dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com which is hosted on a fast-flux botnet. The target executable is InstallationPackWachovia.exe located in the root directory which triggers just a few heuristic scanners or generic detections according to VirusTotal.

If you work in IT in any kind of organisation, it is worth sending out a warning to end users to ensure that they are aware of these emails, either at work or at home. The current batch are not particularly credible, but the Bad Guys will probably keep working on their social engineering skills.

No comments: