HTML/Phish.Wamu

Analysis

Variant detection added into v4.559 AV db update.

• Arrives as a HTML email with a varied subject line. The HTML code in the email references an inline GIF graphic.
  
• In each case the subject line may reference something different -- usually the name of a banking institution. The subject line theme is always nearly identical however -- update your bank account information -- as in the following examples:

- Citibank: urgent security notification
- Your WAMU account may be suspended


• If the email is opened, an instance of the default browser will initiate and may display an official looking document. The source of the document supposedly being from Washington Mutual.
  
• Inside the official looking document will be a hyperlink that, on the surface, looks like it points to Washington Mutual. This link only looks that way -- underneath it points to a different web site altogether.
  
• When the link is clicked a second browser window opens taking the user to a website located at an IP address different than that to what the user expects.
  
• At this site the user will be presented with an official looking form and will most likely be asked to input information such as their ATM, credit card number, bank account number and associated PINs.
  
• If a user enters in their bank account data, the information is recorded and transferred to a malicious second party.

Recommended Action

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option


• Don't click on hyperlinks to financial institutions in email messages - always open an instance of a new Internet browser and navigate to the financial institution by typing in the web address.