By Darren Pauli on Mar 15, 2013 12:30 PM
Huge phishing campaign hits inboxes.
Trojan-laden phishing emails bearing the Westpac name have deluged hundreds of thousands of Australian inboxes this morning.
The backdoor Trojan slipped past almost all anti-virus engines, placing recipients who opened it at heightened risk of infection.
Specific details of the malware or its method of obfuscation are not yet known. However, Fortinet and DrWeb today classified the sample as W32/Kryptik.KZ!tr and BackDoor.Slym.1498 respectively.
The phishing emails instructed recipients to open the attached Trojan using Microsoft's Internet Explorer browser.
Fortinet described the malware as a remote backdoor Trojan.
At least some of the phishing emails bear the attachment SecureMessage.zip and the sender address firstname.lastname@example.org.
Aussie outsourcer Mailguard reported the scam and shared samples with virus analysts.
“The payload is still being defined, but it has been sent in different variations,” chief executive Craig McDonald said.
Mailguard blocked 126,000 of the emails sent at about 9am this morning in “pretty much one go”, McDonald said.
That number spiked into many hundreds of thousands of emails as of the time of writing, service delivery director Anwar Ibrahim said.
“This is the biggest fast breaking email the tech guys can remember,” Ibrahim said.
Almost 2000 unique IP addresses were logged sending the spam through a single filter; the largest sources were the United States, Peru and Australia, in descending order.
The attackers appeared to use a shotgun approach in choosing victims: the emails were not targeted at a specific industry, nor at Westpac customers in particular.
Users should be cautious when opening any email attachment, and especially those sent from unknown addresses. Banking websites should be reached by typing the bank's URL directly into the browser or via a trusted search engine, and never via unsolicited links within emails.
SHA256 of the malware sample: 5450eea52c6e04bcae760c6181c6c79198daa6e969fca406e0f9dd3b49212d48
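The two indicators the article gives, the SecureMessage.zip attachment name and the SHA-256 of the sample, are enough for a mail gateway or incident responder to triage attachments. The following Python script is an added example and is not Mailguard's, Fortinet's or the article's own code. Because the article does not say whether the published hash is of the zip archive or of the executable it contains, the script hashes both the attachment and each archive member (an assumption, noted in the code); the in-memory zip it builds for its own demonstration is constructed test input, not the real sample.

```python
import hashlib
import io
import zipfile

# Indicator published in the article: SHA-256 of the malware sample.
WESTPAC_SAMPLE_SHA256 = "5450eea52c6e04bcae760c6181c6c79198daa6e969fca406e0f9dd3b49212d48"

# Attachment name seen in at least some of the phishing emails.
SUSPECT_ATTACHMENT_NAMES = {"securemessage.zip"}

# Extensions that Windows will execute directly; a zip carrying one of these
# from an unsolicited sender deserves a look even when no hash matches.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Refuse to inflate oversized members so a zip bomb cannot exhaust the scanner.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the form used for the published IOC."""
    return hashlib.sha256(data).hexdigest()


def scan_attachment(filename: str, data: bytes, iocs=frozenset({WESTPAC_SAMPLE_SHA256})) -> dict:
    """Triage one mail attachment against name and hash indicators.

    Assumption: the article does not say whether the published hash covers the
    zip or the file inside it, so both the attachment and every archive member
    are hashed and compared.
    """
    findings = {
        "name_match": filename.lower() in SUSPECT_ATTACHMENT_NAMES,
        "hash_matches": [],   # (label, sha256) pairs that hit an indicator
        "executables": [],    # archive members with executable-looking names
        "skipped": [],        # members left unhashed because they exceed the size cap
    }

    outer = sha256_hex(data)
    if outer in iocs:
        findings["hash_matches"].append((filename, outer))

    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    findings["executables"].append(info.filename)
                if info.file_size > MAX_MEMBER_BYTES:
                    findings["skipped"].append(info.filename)
                    continue
                digest = sha256_hex(zf.read(info))
                if digest in iocs:
                    findings["hash_matches"].append((info.filename, digest))

    findings["suspicious"] = bool(
        findings["name_match"] or findings["hash_matches"] or findings["executables"]
    )
    return findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test input: an in-memory zip with one member. Not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the attachment: same name, harmless placeholder inside.
    sample = build_sample_zip("SecureMessage.exe", b"MZ constructed placeholder, not malware")
    print(scan_attachment("SecureMessage.zip", sample))
```

A hash indicator only catches this exact sample; McDonald notes the payload has been sent in different variations, and each one will carry a different SHA-256. The attachment-name and executable-in-archive checks are what keep the scan useful once the hash stops matching, at the cost of more false positives that an analyst has to clear.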