Virus

HTML/BankFraud.SunT

Analysis

  • Arrives as an HTML email with a varying subject line. The HTML code in the email references an inline GIF graphic.
  • In each case the subject line may reference something different, usually the name of a banking institution. The theme of the subject line is always nearly identical, however: update your bank account information, as in the following examples:
    - Citibank: urgent security notification
    - Important account notification from Citizen's Bank
    - Citizens Bank - Client's Data Verification
    - Citibank Customer Notification: Data confirmation
    - Citizens Bank - Important Fraud Alert

  • If the email is opened, an instance of the default browser launches and may display an official-looking document that purports to come from the banking institution itself.
  • Inside the official-looking document is a hyperlink that, on the surface, appears to point to the actual banking institution. It only looks that way: underneath, it points to a different web site altogether.
  • When the link is clicked, a second browser window opens and takes the user to a web site located at an IP address different from the one the user expects.
  • At this site the user is presented with an official-looking form and will most likely be asked to enter information such as ATM and credit card numbers, bank account number and associated PINs.
  • If the user enters their bank account data, the information is recorded and transferred to a malicious party.

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.