Phishing Attack Targets Russian Bankers
Posted by: Timothy Weaver on 02/25/2016 10:37 AM
Six employees at a Russian bank were duped by a phishing email offering them employment. The emails were crafted to look like an email from the Central Bank of Russia and were an attempt to infect the victims with Trojan.Ratopak.
The emails pointed to an archive file. Once extracted, the archive file opened a fake document and downloaded Trojan.Ratopak.
Symantec said, “Trojan.Ratopak was likely used because it can allow the attacker to gain control of the compromised computer and steal information… including logging keystrokes, retrieving clipboard data, and viewing and controlling the screen. It can also be used to download other malicious files and tools.”
“The attackers went to some effort to make the emails appear legitimate, even going as far as to register a domain very similar to the genuine Central Bank of Russia website. The URL for the Central Bank of Russia website is 'cbr.ru', while the URL for the attacker-controlled website is 'cbr.com.ru'.”
They went on to explain, “This would indicate that the emails sent out for this campaign appear to have been written by a native Russian speaker, using clean and simple language. This is also backed up by the fact that the attackers would need to speak Russian to make use of the information stolen through Ratopak. There are no obvious errors, except for one. The name in the 'From:' line of the email header differs from the signature at the end of the email. This and the '.com' in the URL are the clearest indicators that this is a fake email.”
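The cbr.ru versus cbr.com.ru trick works because the genuine name appears in the lookalike hostname, but the registrable (owner-controlled) domain is different. The following check, written here as an added example and not part of the original article or Symantec's analysis, derives the registrable domain of a link's hostname against a small constructed subset of public-suffix rules and flags hosts where a trusted brand label appears under someone else's registrable domain.

```python
from urllib.parse import urlsplit

# Constructed subset of public-suffix rules for this example; a real
# deployment would load the full Public Suffix List. "com.ru" is included
# because the article's lookalike domain cbr.com.ru is registered under it.
PUBLIC_SUFFIXES = {"ru", "com.ru", "com", "net", "org"}

# The genuine Central Bank of Russia domain named in the article.
TRUSTED_DOMAINS = {"cbr.ru"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled domain of a hostname: the longest matching
    public suffix plus the one label immediately to its left."""
    labels = host.lower().rstrip(".").split(".")
    # Iterating from the left tries the longest candidate suffix first,
    # so "com.ru" wins over "ru" for cbr.com.ru.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def classify_url(url: str) -> str:
    """Classify a link as trusted, a lookalike of a trusted domain, or unrelated."""
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Lookalike: the trusted brand's label is present in the hostname, but the
    # registrable domain belongs to someone else (cbr.com.ru, cbr.ru.example.org).
    host_labels = host.lower().split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host_labels:
            return f"lookalike of {trusted}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, including the two domains quoted in the article.
    for link in ("https://www.cbr.ru/", "http://cbr.com.ru/vacancy",
                 "http://cbr.ru.example.org/", "https://example.org/"):
        print(f"{link:35} -> {classify_url(link)}")
```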
While there is no conclusive evidence of the attacker's goal, the attacks appear to be financially motivated.
As with any phishing scam, users are advised to:
• Not open attachments or click on links in unsolicited email messages
• Ensure their computer is fully patched and up to date
• Keep security software up to date with the latest updates
Source: SCMagazine