Saturday, March 22, 2008

Malware installation attempt via phishing

I got this email yesterday and it immediately caught my attention, maybe due to the recent news about malware being installed via legitimate websites. Or maybe most of the previous phishing attempts were about stealing usernames/passwords. This one is about installing something on their machine (which I am sure is some sort of malware). This might be a shift in the approach and of course it makes a lot of business sense for bad guys too. Why steal the username/password of one site when you can install a keylogger and get a hell of a lot more information? Moreover, this is also less effort on the part of phishers since they don't have to go through the hassle of setting up the phishing site (no matter how automated it has become for them) and the window of attack could be bigger than the traditional phishing approach.

I think their new motto is "if they are dumb enough to enter their username/password, then they are dumb enough to install malware".

Check out the email below and please be very careful with the link.

From: "Bank of America"
Date: March 22, 2008 5:59:08 AM PDT
Subject: important reminder: digital certificate issued

Dear Bank of America Direct User:
Our records indicate that a new digital certificate has been issued to your Bank of America Direct user ID.
Digital certificates are computer-based records issued to individual user IDs that allow Bank of America Direct to validate your identity and protect your information from unauthorized access. In order to access Bank of America Direct, you must use a valid digital certificate.

Installation Instructions
To install your newly-granted digital certificate, please access the Digital Certificate Pick-Up site at:
Actual Url -

Please have your Bank of America Direct login information readily available when completing this process.
Should you have any questions regarding this process, please consult your Company Administrator or contact your regional customer support center for further assistance.

Bank of America Direct Technical Care Center

NOTE: This is an automatically generated communication.


Anonymous said...

I just received the BOA Cert notice. My suspicions were aroused when I noticed the URL they reference was an HTTP rather than HTTPS. ALL security type data would ALWAYS be sent over a secured socket layer. Upon examining the source, I noticed that the destination URL was not the same as the published URL. There may very well be an but if you were to click on it (DON'T), you would go to

I also examined the mail header and the mail is actually from :
Received: from (unknown [])
by with SMTP id EVF6AO2XP7

And to top it off, I get the mail on Easter Sunday.
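The two checks described in the comment above (a link that is not HTTPS, and a visible URL whose host differs from the real destination) can be automated over an HTML message body. This is an added example, not part of the original post or comments; the sample HTML, the domains and the names `LinkCollector`, `host_of` and `audit_links` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body on reserved example domains (not the real message).
SAMPLE_HTML = (
    '<p>Pick up your certificate at: '
    '<a href="http://pickup.example.net/cert">http://direct.bank.example/pickup</a></p>'
    '<p>Questions? See <a href="https://direct.bank.example/help">our help page</a>.</p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; tolerates visible text written without a scheme."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def audit_links(html):
    """Return (href, shown, reasons) for each link that deserves a closer look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, shown in parser.links:
        reasons = []
        if urlsplit(href).scheme.lower() != "https":
            reasons.append("not-https")
        # Compare hosts only when the visible text itself looks like a URL.
        if " " not in shown and "." in shown and host_of(shown) != host_of(href):
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append((href, shown, reasons))
    return findings
```

Calling `audit_links(SAMPLE_HTML)` flags only the first link, with both reasons; the help link passes because it is HTTPS and its visible text is not a URL.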

Anurag Agarwal said...

Thanks for adding your experience to the post. Let's hope it helps someone :)

Anonymous said...

I came across an interesting service lately. It's a hosted behavioral analysis service for websites. You can sign up for free at
and specify the URL you want to scan. It also allows scheduled scans so basically if the web page is modified by hackers so that it will attempt to download executables or scripts to clients or attempts to redirect them to malicious URLs, you are notified. Better than having your clients attacked I would say.

John - JTL Solutions