
Banking Trojan Trickbot Deceiving Customers Using Phishing Mails

August 23, 2017 | By Comodo SSL

Hackers are scaling new heights every day, and the trick that the latest banking Trojan, Trickbot, pulls off is very hard to recognize or detect. This notorious malware misdirects Lloyd's banking customers, via phishing mails, to a fake site which not only replicates the banking website but also uses a legit SSL certificate and the correct URL.

Predictably, Trickbot has been very successful in accomplishing its goals and has affected online banking customers in the United States, United Kingdom, and Australia, among other countries. Research reveals that a Trickbot spam campaign sent over 75,000 emails in just 25 minutes, purporting to be from the UK's Lloyd's Bank.


Trickbot's objective is to steal customers' banking credentials so that the attackers can use them to their own advantage. Although the attack is sophisticated, the human factor involved in initiating the malware – the customer has to click the mail to commence things – cannot be denied.

Abuse of SSL certificates is nothing new. What is new is that the hackers behind Trickbot have succeeded in replicating the URL as well. Till now, it was supposed that URLs belonging to genuine enterprises could not be replicated (a keen observer could spot the defects in the URL). That hackers have accomplished this, using HTML and JavaScript, is indeed shocking.

The email carrying the malware purports to be from Lloyd's Bank and carries the subject line 'Incoming BACS'. (BACS, it seems, is a feature of Lloyd's Bank which allows its customers to make payments directly from one email account to another.) The malicious email suggests to unsuspecting customers that they download, review and sign the attached documents.

Once the download is completed, the customers are asked to enable macros to allow the document to be edited, leading to the deployment of the malware instead. And when these affected customers try visiting their bank following this malware download, they get redirected to the malicious clone of the banking site, which looks exactly like the real one and even contains the correct URL and a legit SSL certificate!

The only giveaway in this sophisticated phishing attack is in the email address: 'Lloyd banks' is displayed as 'lloydbacs'. Customers who fail to notice this have no real chance of avoiding the trap.

Researchers looking into Trickbot suggest that the developers behind it may be making use of the same Windows EternalBlue exploit which powered the deadly WannaCry and Petya ransomware campaigns.

At the moment, it is unclear who is behind this Trickbot banking trojan. But considering the sophistication it employs, the way it's rapidly evolving and the tools it's testing, it seems that this malware is backed by a well-organized hacking team. On the other hand, if customers exercise a bit of online discretion – usually recommended as e-mail best practice – and are careful enough to check for spelling mistakes in the mail id, even this malware can be prevented from taking over their PC(s).
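The spelling check on the sender address recommended above can also be automated at a mail gateway. The following Python sketch is an added example, not part of the original article: it classifies a From: header as trusted, lookalike or unrelated. The trusted domain, the brand word, the threshold and the sample headers are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumption: domains the bank really sends from (constructed placeholder).
TRUSTED_DOMAINS = {"lloydsbank.example"}
# Assumption: brand word that should only appear in mail from trusted domains.
BRAND_WORD = "lloyd"
SIMILARITY_THRESHOLD = 0.7  # illustrative value; tune on real mail


def is_trusted(domain):
    """Exact match, or a true subdomain, of a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def brand_similarity(domain):
    """Highest similarity between any label of `domain` and a trusted brand label."""
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    return max(
        SequenceMatcher(None, label, brand).ratio()
        for label in domain.split(".")
        for brand in brands
    )


def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'unrelated' for a From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unrelated"  # no parseable address to judge
    if is_trusted(domain):
        return "trusted"
    # Untrusted domain that resembles the brand, or whose display name claims it.
    if brand_similarity(domain) >= SIMILARITY_THRESHOLD or BRAND_WORD in display.lower():
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers, not taken from the campaign.
    for header in (
        '"Lloyds Bank" <alerts@lloydsbank.example>',
        "Payments <noreply@lloydbacs.example>",
        "Payments <noreply@lloydsbank.example.evil.test>",
        "Weekly News <news@newsletter.example>",
    ):
        print(f"{classify_sender(header):10} {header}")
```

A trusted domain embedded as a prefix of a longer hostname is reported as a lookalike rather than trusted, because trust requires an exact match or a true subdomain.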
