HTML/53Bank!phish

Analysis

  • Arrives as an HTML email with a varied subject line. Examples of the subject line are as follows:
    • 0fficiaI Information To CIient Of Fifth Third Bank
    • Fifth Third Bank: Important Account Notice
    • Customer Notice: Data Confirmation
    • Fifth Third Bank: Service Message

  • If the email is opened, an instance of the default browser starts and may display an official-looking document that claims to come from Fifth Third Bank itself.
  • The HTML code in the email references an inline GIF graphic. Inside the official-looking document is a hyperlink that, on the surface, appears to point to the actual banking institution; underneath, it points to a different web site altogether.
  • When the link is clicked, a second browser window opens and takes the user to a website located at an IP address different from the one the user expects.
  • At this site the user is presented with an official-looking form and will most likely be asked to enter information such as their ATM or credit card number, bank account number and associated PINs.
  • If a user enters their bank account data, the information is recorded and transferred to a malicious second party.

Recommended Action

  • Don't click on hyperlinks to financial institutions in email messages - always open an instance of a new Internet browser and navigate to the financial institution by typing in the web address.
    FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Telemetry