Donbot botnet generates Bank of America phishing scam

This is one of the first observed cases where a botnet has been used to generate dynamic bank account phishing spam, Infosecurity notes. Whilst low-level botnets have been used to generate so-called pharma spam, the addition of financial scamming to the mix is a new move.

According to Rodel Mendrez, the phishing spam requires recipients to download the attachment and fill out a form for an 'online security measure.'

In the email sample shown in his security blog, Mendrez notes that the attachment - BillingVerification.exe - is a self-extracting WinRAR archive that contains an HTML phishing form.

"While scrounging around the HTML form source code, it appears that the phisher’s PHP scripts, log files and stolen user data were being served on a legitimate website that had been compromised", he said.

The M86 Security researcher went on to say that a couple of files on the server contained sensitive information, such as IP addresses, credit card info, social security numbers, challenge questions & answers, online banking IDs and the passwords of those who had been deceived by this phishing campaign.
