This method combined with the fact that Windows does not show known file extensions by default, means that the average user would only see "8.21.14 report.pdf" as the filename and a normal PDF icon as well (as seen below). The reason is that most of the time the malware writeers will build in a resource icon of whatever the fake extension is. These can fool most users in to thinking they are harmless once the file is saved. The exception being the View and Download buttons.Ĭlicking either View or Download prompts you to save an exe file with a double extension at the end and is the third part of this attack. Complete with working buttons that all lead to JP Morgan pages. Once you get this far you are taken to a rather convincing looking secure messaging portal. If anyone visited these pages and typed their information in, I'd strongly suggest changing your password as soon as possible. This data is most lilely being harvested as well for further attacks to be made with that users information. The pages do make POSTs to the server with the email address and password that are typed in. This could be considered a second part to the entire attack. No matter what you type in, as long as it's in the proper format, the page advances. Eset classifys the attack as "JS/Kryptik.ASA trojan". From the samples I have seen, the iframes all had data hosted at. The next page it loads has a malicious iframe in it. The first attack is when you click the read message button. This campaign has sort of a 3 part attack going on here. The Click to Read Message button did not show the link when hovering and linked directly to an address using an IP instead of a hostname. One thing to note is that looking at the source of the HTML or hovering over links does indeed only show jpmorgan links. The HTML file is just an official looking page with a button to read the message (and a personal image here that shows). However the link the spammers used appears to be dead now and none of the messages show a security image. The FROM name changes between the messages but stays in a consistant format for the actual email address Interestingly, all of the messages seemed to try to use the same security image of, what I assume, is a valid users image from JP Morgan. The emails coming in claim to be secure messages from JP Morgan using the Voltage secure messaging platform. A campaign just started up of fake JP morgan emails.
0 Comments
Leave a Reply. |