Bank of America on Short List of Scammers’ Spam Lures

The dust has barely set on the Bank of America security breach, and crooks unleashed a series of aggressive spam campaigns that include the Bank of America in the title as bait.

In the context of a security breach, the name of the bank was used to catch customers’ attention, infect them with malware, have them type in sensitive data or entice them into sending money in advance for a service they will never receive.

“Online Banking Passcode Modified” invites people to click a link to reset their online banking passcode. The same template and con is entirely recycled from a similar attack in November 2012. This new spamvertised malware campaign attempts to get Bank of America customers to click a link to a webpage associated with the Redkit Exploit Kit – a crimeware tool that exploits vulnerabilities in browsers and plugins to silently infect victims’ PCs.

“Bank of America Corporate Office Headquarters” and the very recent “Payment Notification from Bank of America” spam campaigns are examples of a complicated Nigerian-like scam informing customers that their funds will be transferred to the United States Treasury Account. To have the money transferred back, the customer needs a DIPLOMATIC IMMUNITY SEAL OF TRANSFER (DIST) that costs $750. The money can be sent via WESTERN UNION or MONEY GRAM, which are untraceable payment mechanisms through which the attacker can get the money just by telling the teller the transaction number or by showing ID.

“Bank of America Alert: Suspicious Activities on your Account!” and “Bank of America Alert: Sign-in to Online Banking Locked” lure customers to a phishing page by suggesting they click a link and confirm their banking details as a security measure against alleged suspicious activity detected in their accounts. Once users type in the sensitive data, they share that information with crooks that can later use it for fraud and impersonation schemes.

“Reminder: Bank of America Customer Survey” is another active scam that invites customers to participate in a survey on their personal experience using the bank’s accounts. As a (laughably useless) safety measure users who want to access the survey are invited “to simply click the link below, or manually copy and paste the address into your web browser”. The survey is just an excuse to phish for personal data.

Bank of America has been recycled in spammed scams since 2006 and used multiple times a year, for more or less the same results: steal card and identity information, infect people with malware, and unwarily recruit them into money-muling operations.

This article is based on spam samples provided courtesy of Bitdefender anti-spam team and the technical information provided by Doina Cosovan, Bitdefender Virus Analyst.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.