A massive phishing threat targeting clients of Volksbanken Raiffeisenbanken, a bank based in Germany, has been detected by Fortinet's FortiGate security systems.
The Fortinet Threat Response Team last updated the detection for “HTML/BankFraud.OD!phish” on Sept. 26, 2006. Two days later, the phish began registering as many as 50,000 detections per day, 52 percent of which were in Germany. Other detections occurred across 60 other countries.
The phish arrives by email as an embedded image whose message asks the Volksbanken client to click the link in order to update information in online banking:
“In the past week, Fortinet has seen this phishing threat surpass the infamous W32/Netsky.P@mm, which is unusual,” said Bryan Lu, a Fortinet virus researcher. “Bankfraud.OD is the first phishing attack that we have seen surpass a mass mailer since last year’s variant of the HTML/eBay!Phish, which was a threat to a worldwide online retailer. Volksbanken is only a regional bank, yet the detection rate rivals the eBay phish, and at several points during the last week, became a bigger threat than the Netsky.P mass mailer.”
Hidden random sentences are added below the image so that each email differs, which creates many variants of this phishing threat. This is commonly called a “white on white” phishing threat. With this threat, however, the white-colored text was shifted to a slightly darker shade so that it would not be detected by antispam engines that can only detect exact “white on white” text. Fortinet’s FortiGate, however, was able to detect the phish, even with the slightly altered text, highlighted below:
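The near-white filler described above slips past a filter that only compares the text color with the background for equality; a contrast-ratio check catches both cases. The following is an added example, not Fortinet's detection logic or code from the original article: it assumes colors are given as `#rrggbb` in `color`, `text`, `bgcolor` or inline `style`, and the function names, the 1.5 threshold and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

def rgb(value):  # first #rrggbb in value as (r, g, b), else None
    m = re.search(r"#([0-9a-fA-F]{6})\b", value or "")
    return tuple(int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)) if m else None

def luminance(color):  # WCAG relative luminance of an sRGB colour
    lin = [v / 12.92 if v <= 0.03928 else ((v + 0.055) / 1.055) ** 2.4
           for v in (c / 255 for c in color)]
    return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2]

def contrast(fg, bg):  # WCAG contrast ratio: 1.0 (identical) up to 21.0
    hi, lo = sorted((luminance(fg), luminance(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

class HiddenTextFinder(HTMLParser):
    def __init__(self, threshold):
        super().__init__()
        self.threshold, self.hits = threshold, []
        self.stack = [("", (0, 0, 0), (255, 255, 255))]  # tag, text colour, background

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        fg_css = re.search(r"(?<![-\w])color\s*:([^;]+)", style)
        bg_css = re.search(r"background(?:-color)?\s*:([^;]+)", style)
        _, fg, bg = self.stack[-1]  # inherit colours from the enclosing element
        fg = rgb(fg_css and fg_css.group(1)) or rgb(a.get("color")) or rgb(a.get("text")) or fg
        bg = rgb(bg_css and bg_css.group(1)) or rgb(a.get("bgcolor")) or bg
        self.stack.append((tag, fg, bg))

    def handle_endtag(self, tag):  # pop back to the matching open tag, if any
        tags = [t for t, _, _ in self.stack]
        if tag in tags[1:]:
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

    def handle_data(self, data):
        _, fg, bg = self.stack[-1]
        if data.strip() and contrast(fg, bg) < self.threshold:
            self.hits.append((data.strip(), round(contrast(fg, bg), 2)))

def find_hidden_text(html, threshold=1.5):
    """Return (text, contrast ratio) for text too close to its background to read."""
    finder = HiddenTextFinder(threshold)
    finder.feed(html)
    finder.close()
    return finder.hits

SAMPLE = """<body bgcolor="#FFFFFF"><a href="http://example.invalid/"><img src="cid:notice"></a>
<p>Visible footer</p><font color="#FFFFFF">exact white filler</font>
<font color="#F4F4F4">slightly darker filler</font></body>"""  # constructed sample
```

Calling `find_hidden_text(SAMPLE)` reports both filler lines, while an equality test on the two colors would report only the first.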
According to Lu, not only did this threat top the charts in Germany, it has jumped to the No. 2 spot on the global threat list for the week ending Oct. 6, 2006. This may be an attack on a specific region, but it is having worldwide impact.
For Virus World Map statistics: Virus Map
For more information on HTML/BankFraud.OD!phish: Virus Encyclopedia