FDIC has officially named your bank a failed bank
you need to check your Bank Deposit Insurance Coverage
The email messages claim to be from the email address consumeralerts@fdic.gov, which is a real email address used by the FDIC, but obviously being forged by the malware distributors in this situation.
Here's an example email:
You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.
You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
* Visit FDIC website: http://www.fdic.gov/bankinsured/failed/personalfile/holder.php?email=youremail@yourdomain.com&id=233388521333599678361293755617839671
* Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage
Federal Deposit Insurance Corporation
The website to which you are directed looks like this:
The website offers a copy of "your personal FDIC Insuranace file" to see whether your coverage has been impacted. The website seems to offer this file as either an Adobe PDF file or a Microsoft Word file. In reality, the first is named "pdf.exe" and the second is named "word.exe", which are both the same file - a 105,472 byte executable file.
A VirusTotal report indicates that currently 9 anti-virus products are able to label this version of the malware, which we expect will be changed regularly by the criminals:
File size: 105472 bytes
MD5 : f4007a6af6dc841cd2961a8b3d2fbb8e
The detections declare it to be Zeus Bot, and UAB Malware Analyst Brian Tanner examined the malware in the lab and confirmed the same, identifying the location of the command & control server and sharing that information with appropriate law enforcement officials.
So far UAB researchers have identified 93 unique domains registered and used by the criminals for this campaign:
www.fdic.gov.h1erfae.eu
www.fdic.gov.h1erfai.eu
www.fdic.gov.h1erfaj.eu
www.fdic.gov.h1erfaq.eu
www.fdic.gov.h1erfar.eu
www.fdic.gov.h1erfat.eu
www.fdic.gov.h1erfau.eu
www.fdic.gov.h1erfaw.eu
www.fdic.gov.h1erfay.eu
www.fdic.gov.milki1a.co.uk
www.fdic.gov.milki1a.me.uk
www.fdic.gov.milki1e.me.uk
www.fdic.gov.milki1i.co.uk
www.fdic.gov.milki1l.co.uk
www.fdic.gov.milki1l.me.uk
www.fdic.gov.milki1y.me.uk
www.fdic.gov.nyuh1awa.eu
www.fdic.gov.nyuh1awb.eu
www.fdic.gov.nyuh1awc.eu
www.fdic.gov.nyuh1awd.eu
www.fdic.gov.nyuh1awe.eu
www.fdic.gov.nyuh1awf.eu
www.fdic.gov.nyuh1awg.eu
www.fdic.gov.nyuh1awh.eu
www.fdic.gov.nyuh1awm.eu
www.fdic.gov.nyuh1awn.eu
www.fdic.gov.nyuh1aws.eu
www.fdic.gov.nyuh1awt.eu
www.fdic.gov.nyuh1awv.eu
www.fdic.gov.nyuh1awx.eu
www.fdic.gov.nyuh1awz.eu
www.fdic.gov.ookilfd.eu
www.fdic.gov.ookilfe.eu
www.fdic.gov.ookilff.eu
www.fdic.gov.ookilfg.eu
www.fdic.gov.ookilfh.eu
www.fdic.gov.ookilfj.eu
www.fdic.gov.ookilfk.eu
www.fdic.gov.ookilfs.eu
www.fdic.gov.ookilfv.eu
www.fdic.gov.ookilfx.eu
www.fdic.gov.pouikib.eu
www.fdic.gov.pouikic.eu
www.fdic.gov.pouikie.eu
www.fdic.gov.pouikig.eu
www.fdic.gov.pouikiq.eu
www.fdic.gov.pouikir.eu
www.fdic.gov.pouikis.eu
www.fdic.gov.pouikit.eu
www.fdic.gov.pouikiv.eu
www.fdic.gov.pouikiw.eu
www.fdic.gov.pouikix.eu
www.fdic.gov.pouikiy.eu
www.fdic.gov.tt1qwa1.co.uk
www.fdic.gov.tt1qwa1.eu
www.fdic.gov.tt1qwa1.me.uk
www.fdic.gov.tt1qwae.eu
www.fdic.gov.tt1qwae.me.uk
www.fdic.gov.tt1qwaq.co.uk
www.fdic.gov.tt1qwaq.eu
www.fdic.gov.tt1qwaq.me.uk
www.fdic.gov.tt1qwar.co.uk
www.fdic.gov.tt1qwar.eu
www.fdic.gov.tt1qwar.me.uk
www.fdic.gov.tt1qwat.co.uk
www.fdic.gov.tt1qwat.eu
www.fdic.gov.tt1qwat.me.uk
www.fdic.gov.tygerah.co.uk
www.fdic.gov.tygerah.eu
www.fdic.gov.tygerah.me.uk
www.fdic.gov.tygerak.co.uk
www.fdic.gov.tygerak.eu
www.fdic.gov.tygerak.me.uk
www.fdic.gov.tygerat.co.uk
www.fdic.gov.tygerat.eu
www.fdic.gov.tygerat.me.uk
www.fdic.gov.tygeraw.co.uk
www.fdic.gov.tygeraw.eu
www.fdic.gov.tygeraw.me.uk
www.fdic.gov.tygeraz.co.uk
www.fdic.gov.tygeraz.eu
www.fdic.gov.tygeraz.me.uk
www.fdic.gov.yh1qab.co.uk
www.fdic.gov.yh1qab.eu
www.fdic.gov.yh1qab.me.uk
www.fdic.gov.yh1qak.co.uk
www.fdic.gov.yh1qak.eu
www.fdic.gov.yh1qal.co.uk
www.fdic.gov.yh1qal.eu
www.fdic.gov.yh1qal.me.uk
www.fdic.gov.yh1qao.co.uk
www.fdic.gov.yh1qaz.co.uk
www.fdic.gov.yh1qaz.eu
Of these, 38 domains are currently live:
www.fdic.gov.h1erfau.eu
www.fdic.gov.ookilfd.eu
www.fdic.gov.ookilfe.eu
www.fdic.gov.ookilff.eu
www.fdic.gov.ookilfg.eu
www.fdic.gov.ookilfh.eu
www.fdic.gov.ookilfj.eu
www.fdic.gov.ookilfk.eu
www.fdic.gov.ookilfs.eu
www.fdic.gov.ookilfv.eu
www.fdic.gov.ookilfx.eu
www.fdic.gov.pouikib.eu
www.fdic.gov.pouikic.eu
www.fdic.gov.pouikie.eu
www.fdic.gov.pouikig.eu
www.fdic.gov.pouikiq.eu
www.fdic.gov.pouikir.eu
www.fdic.gov.pouikis.eu
www.fdic.gov.pouikit.eu
www.fdic.gov.pouikiv.eu
www.fdic.gov.pouikiw.eu
www.fdic.gov.pouikix.eu
www.fdic.gov.pouikiy.eu
www.fdic.gov.tygerah.co.uk
www.fdic.gov.tygerah.eu
www.fdic.gov.tygerah.me.uk
www.fdic.gov.tygerak.co.uk
www.fdic.gov.tygerak.eu
www.fdic.gov.tygerak.me.uk
www.fdic.gov.tygerat.co.uk
www.fdic.gov.tygerat.eu
www.fdic.gov.tygerat.me.uk
www.fdic.gov.tygeraw.co.uk
www.fdic.gov.tygeraw.eu
www.fdic.gov.tygeraw.me.uk
www.fdic.gov.tygeraz.co.uk
www.fdic.gov.tygeraz.eu
www.fdic.gov.tygeraz.me.uk
UPDATE!
- 27OCT09 4PM in Alabama:The FDIC's Sandra L. Thompson, Director of the Division of Supervision and Consumer Protection has provided an update to this emerging threat on their website:
http://www.fdic.gov/news/news/SpecialAlert/2009/sa09183.html
We're currently down to 16 "live" sites that we've seen in this afternoon's FDIC spam:
www.fdic.gov.ookilfh.eu
www.fdic.gov.ookilfj.eu
www.fdic.gov.ookilfs.eu
www.fdic.gov.pouikib.eu
www.fdic.gov.pouikic.eu
www.fdic.gov.pouikie.eu
www.fdic.gov.pouikig.eu
www.fdic.gov.pouikiq.eu
www.fdic.gov.pouikir.eu
www.fdic.gov.pouikis.eu
www.fdic.gov.pouikit.eu
www.fdic.gov.pouikiv.eu
www.fdic.gov.pouikiw.eu
www.fdic.gov.pouikix.eu
www.fdic.gov.pouikiy.eu
www.fdic.gov.pouikif.eu
0 comments:
Post a Comment