Threat Spotlight: Email Malware Impersonates Secure Bank Messages

Everyone seems to be on a heightened alert following the recent Equifax data breach and probably keeping a closer eye on bank statements and credit reports for good measure. You might even be more likely to open an email from your bank these days that perhaps you would’ve ignored in previous months. Monitoring bank accounts and credit reports is always a good idea; however, we’ve seen a recent run of alarming email threat patterns that should make you think twice before you act on an email from your bank.    

In this month’s Threat Spotlight, we dissect an email attack that is impersonating a “secure message” from financial institutions, which we’re quickly finding to be a growing trend. Here’s what we’ve found:

Highlighted Threat: 

Secure Bank Message Impersonation — email attack delivered by spoofed messages from financial institutions

The Details:

Impersonation is one of the most common tactics used in email attacks for one simple reason — it works. This particular instance is no different, and we’ve been tracking a consistent stream of emails from attackers that are impersonating secure messages from financial institutions. While these threats appear to be real messages from actual banks, it’s important to understand that the financial institutions mentioned in the emails below haven’t been hacked; however, their names are being used by criminals to persuade recipients to act on the messages. 

In this first example, the message appears to be a request from Bank of America that instructs the recipient to either download an attached document or reply back to the sender. 

However, if you take a look at our analysis of this particular message below, you’ll see that there’s a high risk of malicious behavior. 

In the next example, the email is claiming to be a secure bank message that lists a set of instructions for the recipient to follow.  

And again, if you take a look at the scan analysis, there’s a high risk of malicious behavior on this one as well. 

Typically, the type of “secure messages” we’re seeing in these scams are received from private banking clients who have stewards assisting with bank transactions, monitoring, or opening encrypted messages. This is appealing to criminals because the targets are of high value and already trust intimate communications from their banks. Criminals also like that in order for targets to act on these messages, they need to be connected to the internet because the viewing happens in a web portal, which means that they are now vulnerable to downloading malicious content. 

In this last example, you can see that the first step states, “You must be connected to the internet to view the secure email.” 

We’ve seen many variants of this threat over that past month, and unfortunately, the outcome for recipients who act on these messages isn’t a good one. In some instances, these messages have an attached Word document that contains a malicious script that will rewrite the files in the users’ directory on Windows machines once the victim opens the document. Depending on the script in the attachment, there’s a potential for typical anti-virus software to miss the threat altogether because the Word documents contained in these “secure messages” could be benign and allowed to be downloaded or opened when they’re first received. However, once they are downloaded, criminals now have access and can update the script at a later date to something more malicious such as a form of ransomware or any threat that the attackers want to use at that time. 

Ultimately, criminals are registering domains that appear like a legitimate bank domain, and they go unnoticed because recipients either don’t know what to look out for or because most email clients only show the sender’s name and not the full domain. Criminals use this tactic to entice recipients into opening and acting on emails, but it can be easily spotted by trained users. Sadly, these threats are exploiting the trust between banks and their customers. 

To recap, the techniques used in this attack are: 

• Impersonation: Attackers impersonate real financial institutions, exploiting inherent trust between these institutions and their customers. 

• Email spoofing: The email domains used in this attack are spoofed to appear like real emails that customers might receive from an actual bank.  

• Phishing: Attackers send emails as a “secure bank” message that asks users to act on the requests made by the criminals. 

Take Action: 

User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. Always check the domains on emails asking for things from you, including clicking and inputting information.  

Layering employee training with an email security solution that offers sandboxing and advanced threat protection should block malware before it ever reaches the corporate mail server. Additionally, you can deploy anti-phishing protection with Link Protection to look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document.

Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is a cloud service that utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time and identifies the most high-risk individuals inside the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals. 

---

Fleming Shi is the Senior Vice President of Technology at Barracuda, where he leads the company’s cloud-enabled microservices technology innovation and integrations across the entire security and data protection portfolio.  Connect with him on LinkedIn here.