Security experts are warning of a new phishing campaign designed to trick private banking clients into downloading covert malware onto their machines.
The spoof emails employ classic phishing techniques to socially engineer their targets, including the use of legitimate-looking banking domains and secure messages of the sort often received by private banking customers.
“This is appealing to criminals because the targets are of high value and already trust intimate communications from their banks,” explained Barracuda Networks. “Criminals also like that in order for targets to act on these messages, they need to be connected to the internet because the viewing happens in a web portal, which means that they are now vulnerable to downloading malicious content.”
The security vendor claimed to have seen many variations on the same theme over the past month, targeting multiple lenders including Bank of America and TD Commercial Banking.
“In some instances, these messages have an attached Word document that contains a malicious script that will rewrite the files in the users’ directory on Windows machines once the victim opens the document,” it added.
“Depending on the script in the attachment, there’s a potential for typical anti-virus software to miss the threat altogether because the Word documents contained in these ‘secure messages’ could be benign and allowed to be downloaded or opened when they’re first received.”
Once downloaded, attackers can update the script to something far more malicious such as ransomware or an info-stealer, the vendor claimed.
User training and awareness alongside layered security featuring advanced sandboxing and anti-phishing capabilities will help mitigate the threat.
Phishing remains the most commonly exploited attack vector, according to a new study out this week.
Staff are most often victims of spoofing and impersonation (67%), followed by branded (35%) and seasonal (31%) attacks, according to IronScales.
Staff training has long been a part of best practice security, but research from Accenture Security this week revealed that over half (55%) of UK employees can’t remember even having been given training: a sure sign it’s not working.