Internet Domain Registry

Monday, 8 December 2008

Fake UMB Banking Demo leads to Password theft

Posted on 07:58 by Unknown
Our Digital Certificate friends have started a new spam campaign. After several days of targeting ClassMates.com with a fake video, they are now targeting UMB Bank with an online banking "Demo video", similar to the one we saw against Bank of America two weeks ago.

The emails look like this:

UMB BANKING SYSTEM CHANGES NOTICE:
Update December 08, 2008.

Experience Digital Banking News for yourself.
Want to know how quick, easy and safe our online banking service is today?
You can view our demo of the service, which is ideal for those times when you’d like more detailed information.
The Demo requires Macromedia Flash Player.

Proceed to view UMB System Demo>>

Sincerely, Janie Howe.
Copyright 2006, 2007, 2008. UMB Financial Corporation. All Rights Reserved.



The webpage that the current spam points to looks like this:



Of course the video is fake. Trying to play it (or merely visiting the site) prompts you to download a fake Adobe Player upgrade, which is actually malware designed to steal login credentials.

Stolen credentials for any website where you log in, as well as FTP logins, ICQ logins, and IMAP and POP email logins, are passed to the criminal's computer in the Ukraine using strings that look like these:

ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
icq_user=%s&icq_pass=%s
imap_server=%s&imap_login=%s&imap_pass=%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
user=%s&pass=%s
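The five format strings above describe exactly what the stealer's outbound POST bodies look like once the `%s` placeholders are filled in, which makes them a usable detection signature at a web proxy. The following Python scanner is an added example, not code from the original post; it assumes a hypothetical one-line-per-request proxy log layout (timestamp, client IP, method, destination host, request body), and the sample log lines are constructed. It reports a body as a specific family only when every parameter name of that family is present, treats a bare `user=`/`pass=` body as low confidence (ordinary web logins post the same two names), and raises the severity when the destination is the 91.203.93.57 address named later in the post.

```python
import re
from urllib.parse import parse_qs

# Parameter sets of the exfiltration strings quoted above. A family is only
# reported when every one of its parameter names appears in the body.
EXFIL_FAMILIES = {
    "ftp":  {"ftp_server", "ftp_login", "ftp_pass", "version"},
    "icq":  {"icq_user", "icq_pass"},
    "imap": {"imap_server", "imap_login", "imap_pass"},
    "pop3": {"pop3_server", "pop3_login", "pop3_pass"},
    "web":  {"user", "pass"},   # generic: legitimate logins look like this too
}

# Address the post names as the destination for the stolen data.
KNOWN_C2 = {"91.203.93.57"}

# Hypothetical proxy log layout (an assumption, not a real product's format):
# <timestamp> <client_ip> <method> <destination_host> <request_body or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) (?P<body>.*)$"
)


def classify_body(body):
    """Return the exfil family whose full parameter set appears in a
    form-encoded body, or None. Specific families are tried before the
    generic web family, so an ftp_* body is never reported as 'web'."""
    keys = set(parse_qs(body, keep_blank_values=True))
    for family, required in EXFIL_FAMILIES.items():
        if required <= keys:
            return family
    return None


def scan_log(lines):
    """Return one alert dict per suspicious POST. A match on a specific
    stealer family, or any POST to the known drop address, is 'high'; a
    bare user/pass body to an unknown host is only 'low', because the
    destination, not the body, has to decide that case."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        family = classify_body(m.group("body"))
        to_c2 = m.group("dst") in KNOWN_C2
        if family is None and not to_c2:
            continue
        if to_c2 or family in ("ftp", "icq", "imap", "pop3"):
            severity = "high"
        else:
            severity = "low"
        alerts.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "family": family,
            "severity": severity,
        })
    return alerts


# Constructed sample log lines (not real traffic); credential values are
# placeholders.
SAMPLE_LOG = [
    "2008-12-08T07:58:01 10.0.0.5 POST 91.203.93.57 "
    "ftp_server=ftp.example.test&ftp_login=bob&ftp_pass=placeholder&version=2",
    "2008-12-08T07:58:02 10.0.0.5 POST 91.203.93.57 icq_user=123456&icq_pass=placeholder",
    "2008-12-08T07:58:03 10.0.0.7 POST intranet.example.test user=alice&pass=placeholder",
    "2008-12-08T07:58:04 10.0.0.7 GET www.example.test -",
    "2008-12-08T07:58:05 10.0.0.9 POST 91.203.93.57 ping=1",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the constructed lines, the scanner flags the two stealer POSTs and the unclassified POST to the drop address as high, the intranet login as low, and ignores the GET. In practice the "web" family is only worth alerting on in combination with the destination (an IP literal, a newly registered domain, or a host on a known bad list), which is why the severity logic keeps it separate.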


The first five domains we saw used against UMB Bank were:

contactups.com
demoupdtateumb.com
umbexchange.com
umbupdates.com
videoumbpanels.com

These domains were created TODAY using the registrar BizCN.com. This
group usually has more domains than that. We expect more are being
created as I type. We've seen about 100 spam emails for this campaign
so far.

The nameserver for these domains, "ns1.panelhosts.com" was also
registered today, using this fake contact information:

Registrant Contact:
Ash
Marleyne Ash ash@aol.com
8524588488 fax: 8524588488
111 145 E. 93 St.
Brooklyn NC 11212
us

Subjects seen so far with this spam campaign:

  • UMB Bank Demo Tour - Do you have a specific question?
  • UMB Bank Demo Tour - Experience Digital Banking for yourself
  • UMB Bank Demo Tour - Explore Digital Banking
  • UMB Bank Demo Tour - Find out when you take a virtual tour.
  • UMB Bank Demo Tour - Our Web site was designed
  • UMB Bank Demo Tour - Run through this easy-to-use demo.
  • UMB Bank Demo Tour - See just how easy and useful online banking with UMB is
  • UMB Bank Demo Tour - Simply select the style of demo you'd like to view
  • UMB Bank Demo Tour - Take a tour
  • UMB Bank Demo Tour - Try our helpful 'Got a question?'
  • UMB Bank Demo Tour - Want to know how quick and easy our online banking service is?
  • UMB Bank Demo Tour - We've got a demo for you.
  • UMB Bank Demo Tour - Whether you're new to online banking
  • UMB Bank Demo Tour - You can also view our demo of the service
  • UMB banking system changes that you should know about
  • UMB NEW DEMO ACCOUNT - This unique service is offered exclusively to UMB Premier customers.
  • UMB NEW DEMO ACCOUNT - To begin demo, click the forward arrow or jump to a section with the menu to the right.
  • UMB NEW DEMO ACCOUNT - UMB NEW DEMO ACCOUNT - To try the online banking demo
  • UMB NEW DEMO ACCOUNT - Welcome to the demo for Global View!
  • UMB Premier DEMO ACCOUNT - from securely accessing your account information to paying bills to creating reports.
  • UMB Premier DEMO ACCOUNT - how to access your accounts, set up bill payees, transfer funds, and more!
  • UMB Premier DEMO ACCOUNT - how you can use UMB Online Banking
  • UMB Premier DEMO ACCOUNT - Online Banking and Bill Pay Demo
  • UMB Premier DEMO ACCOUNT - Online Banking Demo
  • UMB Premier DEMO ACCOUNT - The Demo requires Flash Player, available at no cost from Macromedia.
  • UMB Premier DEMO ACCOUNT - Try it! View our interactive Demo to learn more
  • UMB Premier DEMO ACCOUNT - Use it! View our Guide for helpful step-by-step instructions
  • UMB Premier DEMO ACCOUNT - You can download and save the entire Guide, then print the pages you want.


The path name for the fake video is:

/demotour.htm

The initial malware drop is a file called:

Adobe_Player10.exe

The file had not previously been uploaded to VirusTotal.

VirusTotal detections were: 17 of 38

File size: 3169 bytes
MD5: 1165b5ef89c61f8f61d3b1d91b374c9c


Strings on that malware indicate that second stage malware will probably
be loaded from:

hxxp://premierinet.com/adobe2.exe

The Adobe2 file had also not been previously uploaded to VirusTotal.
Another interesting string was C:\m_unpacker\packed.exe

VirusTotal Detections were: 3 of 38
File size: 36864 bytes
MD5: 4cc95326ed31689a50ca395eda99e8b7

Adobe2.exe sends all of its stolen data to: 91.203.93.57. Gee, does
that sound familiar to anyone?

As before, this is an advanced password stealer, grabbing webforms, ICQ,
POP3, and FTP passwords.

The spammed emails are advertising domains which are being served on
fast flux IP addresses. For example, the current IPs are:

68.36.117.128
75.21.90.70
76.211.222.243
208.127.129.95
24.16.209.93

When we look at which domain names have resolved to some of these IPs, we confirm that they have recently been used for a bunch of badness, including the Classmates malware. For instance, 68.36.117.128 included:

adobeflasplayer10.com
adobeflash107.com
clasmatessup.com
downloadcentrer.com
downloadforupdates.com
downloads777.com
downloadservers7.com
onlineservclass.com
playerflashfull.com
serveronlines.com
serverupdateflash.com
tempdir.cz <== Citibank phish domain
upgradeadobe.com

axknm.cn <== Google AdWords domain
bmspeedlab.org <== BMS Money Mule recruitment
bumotor.org <== BMS Money Mule recruitment
bumospo.com <== BMS Money Mule recruitment
bumospe.tk <== BMS Money Mule recruitment
elbertzfunz.com
whv67.cn
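Two pieces of analysis are going on above: recognising that the spammed domains are fast flux (the same name resolving to a string of different, apparently residential, IPs within a short time), and pivoting from one of those IPs to every other domain that has resolved to it. The following Python is an added example, not the post's own tooling; it works offline on passive-DNS-style records of the form (domain, ip, first_seen), using the domains and IPs listed in the post but with constructed timestamps and a constructed benign control domain. The fast-flux threshold (four distinct IPs within an hour) is an assumption chosen for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed passive-DNS style records: (domain, resolved_ip, first_seen).
# Domain names and IPs are those listed in the post; the timestamps and the
# www.example.test control entries are made up for the demonstration.
PDNS_RECORDS = [
    ("umbupdates.com",   "68.36.117.128",  "2008-12-08T08:00"),
    ("umbupdates.com",   "75.21.90.70",    "2008-12-08T08:10"),
    ("umbupdates.com",   "76.211.222.243", "2008-12-08T08:20"),
    ("umbupdates.com",   "208.127.129.95", "2008-12-08T08:30"),
    ("umbupdates.com",   "24.16.209.93",   "2008-12-08T08:40"),
    ("clasmatessup.com", "68.36.117.128",  "2008-12-01T12:00"),
    ("tempdir.cz",       "68.36.117.128",  "2008-11-20T09:00"),
    ("bmspeedlab.org",   "68.36.117.128",  "2008-11-25T09:00"),
    ("www.example.test", "192.0.2.10",     "2008-12-01T00:00"),
    ("www.example.test", "192.0.2.10",     "2008-12-08T00:00"),
]


def domains_on_ip(records, ip):
    """Every domain that has resolved to the given IP: the post's pivot
    from 68.36.117.128 back to the Classmates and phishing domains."""
    return sorted({d for d, r_ip, _ in records if r_ip == ip})


def max_distinct_ips(records, domain, window=timedelta(hours=1)):
    """Largest number of distinct IPs the domain resolved to inside any
    sliding window of the given length, starting at each observation."""
    seen = sorted((datetime.fromisoformat(ts), ip)
                  for d, ip, ts in records if d == domain)
    best = 0
    for i, (start, _) in enumerate(seen):
        ips = {ip for t, ip in seen[i:] if t <= start + window}
        best = max(best, len(ips))
    return best


def looks_fast_flux(records, domain, threshold=4):
    """Heuristic: many distinct IPs in a short window. The threshold is an
    assumption for this example, not a value from the post."""
    return max_distinct_ips(records, domain) >= threshold


def pivot_infrastructure(records, seed_domains):
    """Expand a seed set of domains through the IPs they resolved to, and
    return (those IPs, the other domains seen on the same IPs)."""
    seeds = set(seed_domains)
    ips = {ip for d, ip, _ in records if d in seeds}
    related = set()
    for ip in ips:
        related.update(domains_on_ip(records, ip))
    return sorted(ips), sorted(related - seeds)


if __name__ == "__main__":
    for name in ("umbupdates.com", "www.example.test"):
        print(name, "fast flux:", looks_fast_flux(PDNS_RECORDS, name))
    ips, related = pivot_infrastructure(PDNS_RECORDS, ["umbupdates.com"])
    print("flux IPs:", ips)
    print("related domains via shared IPs:", related)
```

With the constructed records, umbupdates.com hits five distinct IPs inside one hour and is flagged, the control domain is not, and the pivot from umbupdates.com through 68.36.117.128 surfaces clasmatessup.com, tempdir.cz and bmspeedlab.org, which is the chain of reasoning the post follows. Against real passive DNS the IP-count heuristic needs one caveat: content delivery networks also answer one name with many IPs, so a production check should also weigh the record TTL and whether the addresses sit in consumer broadband ranges (as the ones above do) rather than in a hosting provider's space.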

You'll never believe this! BMSpeedLab.org has a Vacancy for a Regional
Financial Representative!!!!



You will be paid 10% commission out of every customer payment you have
to deal with for "Coordinating customer payments using your bank account".



Previous blog posts related to this malware family, which has previously targeted customers of: BancorpSouth, Bank of America, Bank of the West, CapitalOne, CareerBuilder, Chase Bank, Classmates.com, Colonial, Comerica, Eastern Bank, Google Adwords, Key Bank, LaSalle Bank, Merrill Lynch, M&I Bank, OceanBank, OpenBank, RBC, SunTrust, TD BankNorth, UMB, Wachovia, as well as abusing the Presidential election:



Nov 26th: Bank of America "Video Demo"

Nov 7th: McCain Video:

Nov 6th: Colonial Bank "Digital Certificate"

Nov 5th: Obama Acquisition Speech

Nov 4th: Wachovia/Wells Fargo Merger

Oct 31st: LaSalle Bank of America acquisition

Sep 23rd: Google Adwords

Aug 30th: Bank of America, SunTrust, TD BankNorth "Digital Certificate"

May 9th: Merrill Lynch "Digital Certificate"

May 6th: Merrill Lynch, Comerica, Colonial Bank "Digital Certificate"