Today I identified several phishing emails targeting the Royal Bank of Canada’s customers:
The above phish is the classic trick of sending you to a fake banking site and having you type in your personal information (social engineering).
Conversely, the following phish aims at having you run a file (social engineering plus malware infection):
One of the interesting things it does is turn off Internet Explorer’s anti-phishing filter:
EnabledV8 = 0x00000000
ShownServiceDownBalloon = 0x00000000
It also copies an executable (detected by 4 of 44 engines on VirusTotal) to all connected shares (worm-like behaviour), using an Autorun.inf file to auto-launch it.
Following that, it contacts a remote server (dbdata-check.com @ 184.108.40.206), located in Kazakhstan, at regular intervals:
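The regular-interval contact with dbdata-check.com described above is the kind of beaconing a proxy log can reveal. As an added example (not from the original post), this script flags (client, host) pairs whose request gaps are nearly constant; the log format, the constructed log lines, the 300-second period and the thresholds are all assumptions:

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy-log sample (not from the original post): epoch, client, destination host.
# The dbdata-check.com requests recur every 300 s; the other hosts are ordinary browsing.
SAMPLE_LOG = """\
1300000000 10.0.0.5 www.example.com
1300000120 10.0.0.5 dbdata-check.com
1300000130 10.0.0.5 cdn.example.net
1300000420 10.0.0.5 dbdata-check.com
1300000500 10.0.0.5 www.example.com
1300000720 10.0.0.5 dbdata-check.com
1300000950 10.0.0.5 cdn.example.net
1300001020 10.0.0.5 dbdata-check.com
1300001320 10.0.0.5 dbdata-check.com
1300001400 10.0.0.5 www.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Group request timestamps by (client, host)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, host = m.groups()
            seen[(client, host)].append(int(ts))
    return seen

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(client, host): mean gap} for pairs with at least min_hits requests
    whose relative gap spread (std dev / mean) stays below max_jitter."""
    flagged = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[key] = avg
    return flagged

if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {interval:.0f}s")
```

Real malware often adds jitter to its sleep, so raise max_jitter (or bucket gaps into histograms) before relying on this against production logs.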