Volksbanken Phishing Threat

2006.October.06

A massive phishing threat targeting clients of Volksbanken Raiffeisenbanken, a bank based in Germany, has been detected by Fortinet's FortiGate security systems. The Fortinet Threat Response Team last updated the detection for “HTML/BankFraud.OD!phish” on Sept. 26, 2006. Two days later, the phish began hitting as many as 50,000 detections per day, 52 percent of which hit in Germany. Other detections occurred across 60 other countries. The phishing threat arrives by email with an embedded image that tells the Volksbanken client to click a link in order to update information in online banking.
“In the past week, Fortinet has seen this phishing threat surpass the infamous W32/Netsky.P@mm, which is unusual,” said Bryan Lu, a Fortinet virus researcher. “Bankfraud.OD is the first phishing attack that we have seen surpass a mass mailer since last year’s variant of the HTML/eBay!Phish, which was a threat to a worldwide online retailer. Volksbanken is only a regional bank, yet the detection rate rivals the eBay phish, and at several points during the last week, became a bigger threat than the Netsky.P mass mailer.”
Hidden random sentences are added below the image so that each email differs, creating different variants of this phishing threat. This is commonly called the “white on white” phishing threat. With this threat, however, the white-colored text was changed to a slightly darker shade so as not to be detected by antispam engines that may only be able to detect “white on white” phishing threats. Fortinet’s FortiGate was nonetheless able to detect the phish, even with the slightly altered text.
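The difference between an exact “white on white” check and one that also catches the slightly darker shade can be shown in a few lines. The following is an added example, not part of Fortinet's advisory and not FortiGate's detection logic; the function names, the tolerance value and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"img", "br", "hr", "meta", "input", "link"}  # tags with no end tag
NAMED = {"white": (255, 255, 255), "black": (0, 0, 0)}

def parse_color(value):
    """Return (r, g, b) for '#rrggbb' or a known color name, else None."""
    value = value.strip().lower()
    m = re.fullmatch(r"#([0-9a-f]{6})", value)
    if m:
        return tuple(int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4))
    return NAMED.get(value)

class LowContrastText(HTMLParser):
    """Collect text whose color is within `tolerance` of its background."""
    def __init__(self, tolerance):
        super().__init__()
        self.tolerance, self.hits = tolerance, []
        self.stack = [((0, 0, 0), (255, 255, 255))]  # default: black on white

    def handle_starttag(self, tag, attrs):
        (fg, bg), a = self.stack[-1], dict(attrs)
        style = a.get("style") or ""
        m_fg = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", style, re.I)
        m_bg = re.search(r"background(?:-color)?\s*:\s*([^;]+)", style, re.I)
        fg = parse_color(m_fg.group(1) if m_fg else a.get("color") or "") or fg
        bg = parse_color(m_bg.group(1) if m_bg else a.get("bgcolor") or "") or bg
        if tag not in VOID:  # simplification: assumes balanced markup
            self.stack.append((fg, bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        fg, bg = self.stack[-1]
        if data.strip() and max(abs(f - b) for f, b in zip(fg, bg)) <= self.tolerance:
            self.hits.append(data.strip())

def hidden_text(html, tolerance):
    # tolerance is the largest per-channel gap between text and background colors
    p = LowContrastText(tolerance)
    p.feed(html)
    p.close()
    return p.hits

# Constructed sample: image lure followed by filler text in an off-white shade.
SAMPLE = ('<body bgcolor="#FFFFFF"><img src="cid:lure">'
          '<font color="#F4F4F4">lorem filler</font><p>Visible footer</p></body>')
```

With a tolerance of 0 (exact color match only) the off-white filler in the sample goes unflagged, while a tolerance of 16 flags it and still leaves the visible footer alone.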
According to Lu, not only did this threat top the charts in Germany, it has jumped to the No. 2 spot on the global threat list for the week ending Oct. 6, 2006. This may be an attack on a specific region, but it is having worldwide impact.

For Virus World Map statistics: Virus Map
For more information on HTML/BankFraud.OD!phish: Virus Encyclopedia

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection -- including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.