You have received a secure message


Because every financial institution and their mom is going to "secure document delivery" quasi-email services, employees are being trained to click on links and run crazy attachments from companies they've never heard of.

This trend basically takes everything you ever taught your people about phishing awareness, and it wipes its ass with it. Right in front of you, and in front of your people. An .htm attachment that uses JavaScript to launch Java, which opens another web page containing the email? Why not? Links shortened with the ccTLD of Uganda? Sounds legit!

Thanks to this trend, you have this blight of secure message malware spam. Oh, and never mind that your employees are probably re-using passwords like a mother because they now have a login for every "email".

Here are some of the high-mileage runs:

They come in Key Bank, CitiBank, HSBC, Wells Fargo, and many other flavors.

The malware can be an exe in a zip, a double-extension exe, an html file, or sit behind a web link. Or combinations of these.

Spoofing can be as good or lazy as you can imagine, often with bank A emails spoofing bank B and C in various header positions.


CitiBank, html attachment, version 1.

Picture of fake CitiBank secure message email with malicious html document attached.

CitiBank, exe-in-zip attachment, type 2.

Picture of citibank version of fake secure message malware email, exe in zip variant.

Key Bank IronPort-style, version 3

Fake Key Bank Secure Message Ironport email with virus!

HSBC version, exe in zip, version 1

Picture of fake HSBC secure message email with malicious exe in zip file attached.

Natwest version 1.

Picture of fake Natwest secure message with malware.

NatWest version 2.

Picture of version 2 of the fake NatWest secure message email.

Bank Of America Merrill Lynch ACH CashPro version 1.

Picture of malware secure message email in the Bank of America Merrill Lynch flavor.


Subject: You have received a secure message KeyBank, plain, non-Ironport-style

Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open 
(view) the file or save (download) it to your computer. For best results, save the file first,
then open it.

If you have concerns about the validity of this message, please contact the sender directly.
For questions about Key's e-mail encryption service, please contact technical support at
888.764.7941.

First time users - will need to register after opening the attachment.
Help - https:// mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https:// mailsafe.keybank.com/websafe/about
  securedoc.zip (152)

Subject: You have received a secure message (citibank exe in zip version)

You have received a secure message

Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the
file or save (download) it to your computer. For best results, save the file first, then open it
with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

securedoc.zip (9)

Subject: Citibank Secure Email Notification (citibank html version)

You have received a secure message

Read your secure message by opening the attachment, securedoc.html. You will be prompted to open
(view) the file or save (download) it to your computer. For best results, save the file first,
then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For
questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http:// www.citi.com/citi/citizen/privacy/email.htm

Subject: You have received a secure message  Keybank IronPort style

KeyBank Logo   SecureMessage
Iron Port Logo
Encryption

You have received a secure message

Read your secure message by opening the attachment, Secure_Message.zip. You will be
prompted to open (view) the file or save (download) it to your computer. For best
results, save the file first, then open it in a Web browser. To access from a mobile
device, forward this message to mobile @res.cisco.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender
directly. For questions about Key's e-mail encryption service, please contact technical
support at 888.764.7941.
First time users - will need to register after opening the attachment.

Help - https:// mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https:// mailsafe.keybank.com/websafe/about

Sincerely,
Bruno_Hendrickson
KeyCorp Level III Support

Powered by IronPort

Subject: You have received a secure message HSBC version.

 Read your secure message by opening the attachment, message_zdm. You will be prompted to open (view) 
the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For questions
please contact the HSBC Secure Mail Help Desk.

Subject: You have received a secure message  NatWest version.

You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted
to open (view) the file or save (download) it to your computer. For best results, save the
file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the National Australia Bank Secure Email Help Desk at
(866) 118-2702.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.natwest.com/wps/wcm/connect/natwest/home/about_us/10/1

SecureMessage.zip (12)

Subject: Bank of America Merrill Lynch: Completion of request for ACH CashPro

You have received a secure message from Bank of America Merrill Lynch

Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view)
 the file or save (download) it to your computer. For best results, save the file first, then open it
in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https:// securemail.bankofamerica.com/ websafe/ml/help?topic=RegEnvelope

   securedoc.zip (16)

Subject: You have a new Secure Message Wells Fargo version

You have received a secure message

Read your secure message by download Document_087341-436175.zip. You will be prompted to open (view) the
file or save (download) it to your computer. For best results, save the file first, then open it.

In order to view the secure message please download it using our Cloud Hosting:

https:// www.cubby.com/pl/Document_087341-436175.zip/_0e1f0f95214a458c8f534b9503f216bd

About Email Encryption please check our website at https://wellsfargo.com

Header samples:

This series of emails has gone through many iterations, spoofing various banks, with much mixed spoofing of the From and envelope headers.

Citibank version

Received: from host-41.33.182.226.tedata.net [41.33.182.226]
X-Envelope-From: hungm0 @purifiercn.ru
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from bell.ca [70.51.121.206]
X-Envelope-From: reubenmau18 @heinemann.com
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from rrcs-67-53-74-130.sw.biz.rr.com [67.53.74.130]
X-Envelope-From: cantataslxk82 @casesmaker.ru
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from aexp.com [197.209.3.217]
X-Envelope-From: fraud @aexp.com
From: "Citibank" <secure.message @citibank.com>
Subject: Citibank Secure Email Notification

KeyBank version

Received: from Wireless_Broadband_Router - static-72-68-73-58.nwrknj.fios.verizon.net [72.68.73.58]
X-Envelope-From: support @nacha.org
From: "Key Bank" <Ruth_Reaves @KeyBank.com>
Subject: You have received a secure message

Natwest version

Received: from abs-static-210.170.102.118.aircel.co.in [118.102.170.210]
X-Envelope-From: fraud @aexp.com
From: "Natwest" <Secure.Message @natwest.com>
Subject: You have received a secure message

Received: from bba186382.alshamil.net.ae [217.165.70.200]
X-Envelope-From: fraud @aexp.com
From: "Natwest" <Secure.Message @natwest.com>
Subject: You have received a secure message

Received: from PMZGXXC [41.159.6.162]
X-Envelope-From: equipse06 @rapoportacademy.com
Message-ID: <49ZFGZEF.9221914 @hrmc.gov.uk> <-- thought i'd show that. funny.
From: "NatWest" <secure.message @natwest.co.uk>
Subject: You have received a secure message

Bank of America Merrill Lynch version

Spoofs baml.com in the From header but aexp.com in the envelope. Like a Cutwail spambot.

Received: from wsip-184-177-3-173.no.no.cox.net [184.177.3.173]
X-Envelope-From: fraud @aexp.com
From: "Elliot White" <Elliot.White @baml.com>
Subject: Bank of America Merrill Lynch: Completion of request for ACH CashPro

Received: from host194.186-153-10.telecom.net.ar [186.153.10.194]
X-Envelope-From: fraud @aexp.com
From: "Aaron Lee" <Aaron.Lee @baml.com>
Subject: Bank of America Merrill Lynch: Completion of request for ACH CashPro

Malware examples:

10 June 2014 - Cubby download link

www.cubby.com/pl/Document_087341-436175.zip/_0e1f0f95214a458c8f534b9503f216bd

which provides a download of Document_087341-436175.zip containing Document_087341-436175.scr

VirusTotal report 

Malwarebytes: Trojan.Agent.ED
Qihoo-360: Malware.QVM20.Gen
VIPRE: Trojan.Win32.Generic.pak!cobra

Malwr.com report 

Performs some HTTP requests

HTTP POSTs to:
newsbrontima.com /gk2odq4b6m1xu
newsbrontima.com /q4t6dejrrek

Anubis report 

16 May 2014 - Attached PDF containing malware link

SecureMessage.pdf that looks like:

Picture of an attached pdf containing a malware link from not bank of america.

The "encrypted file / ok" area contains a link to a dropbox download which provides a download of BankofAmerica.scr | VirusTotal report | Malwr.com report | Anubis report 

8 May 2014

securedoc.zip containing securedoc.scr (Citi bank version) | VirusTotal report | Malwr.com report  | Anubis report 

17 March 2014

securedoc.zip containing securedoc.exe (Bank of America Merrill Lynch version) | VirusTotal report | Malwr.com report | File-Analyzer.net report 

6 February 2014

SecureMessage.zip containing SecureMessage.scr | VirusTotal report | Malwr.com report

8 November 2013

Secure_Message.zip containing Secure_Message.exe | VirusTotal report | Malwr report

June-July-ish 2013

message_zdm.zip which contained message_zdm.exe | VirusTotal report

securedoc.html.zip containing securedoc.html.exe | VirusTotal report
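The header and attachment patterns catalogued above (a "secure message" lure subject, a From domain that does not match X-Envelope-From, and a zip that hides an executable or double-extension file such as securedoc.html.exe) can be checked mechanically on the mail gateway or in triage. This is an added example, not code from the original post; the message it inspects is constructed here, modelled on the Citi exe-in-zip sample, with header values and file names taken from the samples above.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

LURE_RE = re.compile(r"secure (message|email)", re.I)
EXEC_RE = re.compile(r"\.(exe|scr|com|pif|bat|js|htm|html)$", re.I)

def _domain(addr):
    """Lower-cased domain of 'Name <user@host>' or a bare 'user@host'."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def _check_name(name, where, hits):
    if EXEC_RE.search(name):
        hits.append(f"executable or html file {where}: {name}")
    if name.count(".") > 1:  # e.g. securedoc.html.exe, securedoc.html.zip
        hits.append(f"double extension {where}: {name}")

def triage(msg):
    """Return the reasons a message matches the 'secure message' malspam pattern."""
    hits = []
    subject = str(msg.get("Subject", ""))
    if LURE_RE.search(subject):
        hits.append(f"lure subject: {subject}")
    frm, env = _domain(msg.get("From", "")), _domain(msg.get("X-Envelope-From", ""))
    if env and frm != env:  # From spoofs the bank, envelope sender does not
        hits.append(f"From domain {frm} != envelope-from domain {env}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        _check_name(name, "attached", hits)
        if name.lower().endswith(".zip"):  # look inside for the exe-in-zip variant
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for inner in zf.namelist():
                    _check_name(inner, f"inside {name}", hits)
    return hits

def build_sample():
    """Constructed message modelled on the Citi exe-in-zip sample (not a real capture)."""
    msg = EmailMessage()
    msg["X-Envelope-From"] = "hungm0@purifiercn.ru"
    msg["From"] = '"secure.email@citi.com" <secure.email@citi.com>'
    msg["Subject"] = "You have received a secure message"
    msg.set_content("Read your secure message by opening the attachment, securedoc.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("securedoc.html.exe", b"placeholder bytes, not a real binary")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="securedoc.zip")
    return msg
```

Feed real captures through `email.message_from_bytes(raw, policy=email.policy.default)` instead of `build_sample()`; the same `triage()` applies.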
