Phishing attacks targeting online banking customers at various institutions are nothing new. However, today we observed another version of a phishing campaign spammed by the Donbot botnet. This phishing trick is standard fare: it claims to be from “Bank of America” and requires that the user download the attachment and fill out a form for an “online security measure”.
In the email sample above, there is an attachment, “BillingVerification.exe” which is actually a self-extracting RAR archive that contains an HTML phishing form.
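The attachment described above is an executable stub with a RAR archive appended to it (a self-extracting archive), which is why it arrives as an .exe yet unpacks to an HTML form. A mail gateway or triage script can recognise that shape without executing anything: look for the MZ executable header at offset 0 and a RAR marker somewhere after it. The following is an added example written for this post, not M86 MailMarshal code or the phisher's files; the sample attachment bytes are constructed here, and only the well-known RAR 4/5 markers and the MZ header are real signatures.

```python
"""Static triage of a mail attachment that claims to be an executable but
carries an appended (self-extracting) RAR archive.
Added example, not part of the original post or of M86 MailMarshal."""
import os

# Documented file signatures: RAR 4.x and RAR 5.x archive markers, DOS/PE header.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
MZ_MAGIC = b"MZ"

# Extensions a mail gateway would normally treat as directly executable.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def find_embedded_rar(data: bytes) -> int:
    """Return the lowest offset of a RAR marker in data, or -1 if none.

    A RAR SFX is an executable stub with the archive appended, so in that
    case the marker appears after the MZ header rather than at offset 0."""
    offsets = [off for off in (data.find(RAR4_MAGIC), data.find(RAR5_MAGIC)) if off != -1]
    return min(offsets) if offsets else -1


def assess_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment as allow / review / block from name and content."""
    ext = os.path.splitext(filename.lower())[1]
    is_pe = data.startswith(MZ_MAGIC)
    rar_off = find_embedded_rar(data)
    indicators = []
    disguised = False  # content contradicts what the file name claims

    if ext in EXECUTABLE_EXTENSIONS:
        indicators.append("executable file extension")
    if is_pe and rar_off > 0:
        # Executable stub followed by archive data: self-extracting RAR.
        indicators.append(f"executable with appended RAR archive (SFX) at offset {rar_off}")
        disguised = True
    elif rar_off == 0:
        indicators.append("RAR archive")
        if ext != ".rar":
            indicators.append("archive content does not match extension")
            disguised = True

    if disguised:
        verdict = "block"
    elif indicators:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "filename": filename,
        "is_pe": is_pe,
        "rar_offset": rar_off,
        "indicators": indicators,
        "verdict": verdict,
    }


# Constructed sample: a fake MZ/PE stub (2 + 62 + 4 + 200 = 268 bytes) followed
# by a RAR 4 marker and a few dummy header bytes. Not real malware.
SAMPLE_SFX = (
    MZ_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    + RAR4_MAGIC + b"\x73\x00\x00\x00\x0d\x00"
)

if __name__ == "__main__":
    for name, blob in [
        ("BillingVerification.exe", SAMPLE_SFX),          # the pattern from the post
        ("tool.exe", MZ_MAGIC + b"\x00" * 300),            # plain executable
        ("notes.html", b"<html><body>hi</body></html>"),   # harmless document
    ]:
        result = assess_attachment(name, blob)
        print(f"{name}: {result['verdict']} {result['indicators']}")
```

The check is deliberately content-based: renaming the attachment, or the gateway trusting the declared MIME type, does not change the verdict. A production filter would unpack the archive and inspect the HTML form as well; this block only shows the cheap first-stage signal.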
Looking through the HTML form’s source code, it appears that the phisher’s PHP scripts, log files and stolen user data were being served from a legitimate website that had been compromised. A couple of files on the server contained sensitive information, such as IP addresses, credit card information, social security numbers, challenge questions and answers, online banking IDs and the passwords of those who had been deceived by this phishing campaign.
M86 MailMarshal customers are protected from this spam campaign with SpamCensor 559.
We reached out to Bank of America and this morning we received an e-mail from Jeffrey Laughton at Bank of America informing us that they have successfully taken down the compromised website.