Half of a percent of all spam sent worldwide targets customers of some of the most popular British financial institutions and services, including Paypal, Lloyds Banking Group, HSBC Holdings, and Barclays Bank.
The e-mails either deliver the banking Trojan Zeus or send fake bank forms to steal critical bank-related data by tricking people into typing in sensitive identification information, including banking username and password, credit card number, expiration date, name, country, zip code and social security number.
On average, phishing accounts for 3 percent of unsolicited e-mails sent worldwide. Last year, the UK was the country hit by the highest number of phishing attacks mainly due to prevalence of Internet connections in British households – more than 80% according to the data in the UN’s net-connectivity table. Britons are also extremely eager adopters of online banking services, making them priority targets for phishing attacks.
A wave of 0.5 percent of phishing e-mails might seem a small number but, as a rule, phishing attacks are less random than other types of spam. Some phishers send a message for a few hours, then stop to alter the content or attachment to avoid detection and send it again.
Spam e-mails targeting Lloyds and HSBC are sent from servers located in Russia, Italy, the US, India, Australia or the United Arab Emirates. The Bitdefender antispam lab found some spammers sharing servers or recipient lists.
Some spam e-mails deliver fake bank forms, while others distribute the infamous Zbot Trojan, hidden in an attachment allegedly sent by reputable financial institutions such as Lloyds, Barclays or HSBC.
The message allegedly sent by Lloyds informs users they have received a new payment and invites users to open an attachment. The attachment hides a malicious piece that downloads the banker Trojan Zbot from the webpage of a company involved in this attack without knowing it.
The alleged HSBC sample about a failed payment delivers Zbot as well, with the clear intention of collecting as much money-related data from active bank accounts as possible. Once in the computer, Zbot waits for users to connect to their e-banking accounts and snatch their credentials.
The Barclays impersonation tells customers there have been multiple attempts to access their accounts and the bank decided to “temporarily suspend” it. To reactivate it, users need to access the attachments and fill in the necessary data. The attachment is, however, an executable file that once again retrieves Zeus on their systems.
As a rule of thumb, banks NEVER ask customers to divulge sensitive data via e-mail. When in doubt, users should always call the bank or, better yet, go to the nearest bank to ask for details in person.
A good security solution marks the unsolicited e-mails as spam and blocks the phishing pages as malicious or suspicious.
This article is based on spam samples provided courtesy of Bitdefender anti-spam team and the technical information provided by Doina Cosovan, Bitdefender Virus Analyst.
Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.