
ANZ Bank Customers Targeted by Info-Stealing Malware via Spam Email

Posted: July 18, 2017

On 11 July at around 9:05 AM, an email spam campaign was launched against customers of the Australia and New Zealand Banking Group, or ANZ bank for short. Malware authors usually fail to produce convincing emails when they pose as someone else: spelling and grammar mistakes, low-quality images, the wrong font and similar slips give them away. The case we are addressing today is exactly the opposite.

Malware-Laced Spam Email Packs A Nasty Payload

The cyber crooks behind this cunning campaign knew what they were doing. The emails carrying the malicious software were very convincing: they took the form of an invoice with a polished layout that imitated a legitimate ANZ bank email. The authors even added a note claiming that the user would not receive a verification email or text message to confirm their details (login, financial or account details), to dispel any remaining doubt about the legitimacy of the invoice. To appear even more credible, the cyber criminals used a trick called email spoofing, which makes a message appear to come from a legitimate source, in this case the genuine ANZ bank address statements@anzcommunication.anz.com. It is not impossible to tell whether the displayed sender is real or spoofed. Unfortunately, only tech-savvy recipients would know how to check, and quite a few people probably fell for the criminals' trick and trusted the email without checking its legitimacy at all. Anyone who does check will find that the actual email address behind this fraudulent campaign is statements@anzhost.org.

Real vs. Fake Emails

There are, naturally, some serious differences between a real and a fake email of this kind. For security reasons, most major banks ask their customers to log in to the online banking service they provide; this method has become established best practice in the banking sector. What the fake emails offer instead is a button meant to let the user view their banking statement directly. Because the email looks legitimate, many recipients may be tricked into clicking it. Clicking the button causes a malicious .js file to be extracted from a .zip archive and downloaded onto the victim's system. Researchers have not yet identified the malware strain used in the campaign, but they have confirmed that it is designed to steal information from browsers (login credentials, passwords, etc.). The malware also appears able to achieve boot persistence by adding a Windows startup entry. Since the code is heavily obfuscated, analysing the malware may take a while. The cyber crooks behind this well-planned and well-executed attack might be based in China, as the domain from which the infected emails were first sent is registered there.
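The two checks the article alludes to, as an added example that is not part of the original post: compare the domain in the From header with the envelope sender in Return-Path to spot the spoofing described above, and look inside zip attachments for script files such as the .js payload described in this section. The message is constructed to mirror the campaign's two addresses; the recipient, subject and the zipped file are made-up stubs.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr


def sender_mismatch(msg):
    """Return (From address, Return-Path address) when their domains differ, else None."""
    header_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    envelope_addr = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    if not header_addr or not envelope_addr:
        return None  # nothing to compare; treat as inconclusive
    if header_addr.rsplit("@", 1)[-1] != envelope_addr.rsplit("@", 1)[-1]:
        return (header_addr, envelope_addr)
    return None


def scripts_in_zip_attachments(msg):
    """List script files (by extension) found inside any zip attachment."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            found += [n for n in zf.namelist()
                      if n.lower().endswith((".js", ".jse", ".vbs", ".wsf"))]
    return found


def build_sample():
    """Constructed message modelled on the campaign; the zipped .js is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ANZ_Statement.js", "// placeholder text, not a real payload\n")
    m = EmailMessage(policy=policy.default)
    m["From"] = "ANZ Statements <statements@anzcommunication.anz.com>"
    m["Return-Path"] = "<statements@anzhost.org>"   # envelope sender differs from From
    m["To"] = "customer@example.com"                 # constructed recipient
    m["Subject"] = "Your ANZ statement is ready"     # constructed subject
    m.set_content("Click View Statement to see your invoice.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="statement.zip")
    return message_from_bytes(m.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample()
    print("spoofed sender:", sender_mismatch(sample))
    print("scripts in zip:", scripts_in_zip_attachments(sample))
```

On a real mailbox, Return-Path is written by the receiving server, so a From/Return-Path domain mismatch is a useful first flag but not proof on its own; legitimate bulk mailers also produce it, which is why SPF and DMARC results in Authentication-Results should be consulted as well.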

How to Stay Safe

Please keep in mind that fraudulent emails purporting to come from banking institutions, delivery services or government bodies are among the most popular ways to spread malware. Whenever you see such a message in your inbox, be extra vigilant about attached files or links to external websites, since there is a chance you have become a target of cyber criminals. Always scan incoming email attachments with a reputable anti-malware suite, and avoid opening suspicious links that may appear in these messages.
