Trojan Spy Scam Email Campaign

Over the last few days we have received a large number of scam emails claiming to come from Mazon State Bank, Fedwire (the Federal Reserve Wire Network), Hinsdale Bank & Trust Co. and many other financial institutions. Most of them claim that a money transfer has been put on hold or that the recipient's account has been disabled.

Of course the emails are a scam; their only purpose is to get the victim to click a link that leads to a malicious website. Those websites run the BlackHole exploit kit, which infects the visiting computer with a trojan spy by exploiting known, long-patched vulnerabilities, e.g. the MDAC vulnerability CVE-2006-0003 (fixed by Microsoft in MS06-014). The kit carries several exploits, so a single missing patch is enough; the exploit itself needs no user interaction beyond opening the page.

[Screenshot: BlackHole exploit]

The malicious site additionally prompts the user to update Adobe Flash Player. This prompt is fake as well: if the victim clicks the link, a second piece of malware is downloaded. Emsisoft Anti-Malware detects it as a variant of Trojan-PSW.Win32.Zbot and Trojan-PSW.Win32.SpyEye, i.e. banking trojans that steal credentials. A genuine Flash Player update is never delivered by a bank's transaction page; updates should only ever come from Adobe's own site or the player's built-in updater.

[Screenshot: malicious site]
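To show what the landing page described above looks like to a detection rule, here is an added example (not code from the original post or from Emsisoft). It scans a constructed, hypothetical HTML sample for the indicators named in the text: the RDS.DataSpace ActiveX control abused by CVE-2006-0003 (its CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 is the real one, the host name update.example is a placeholder), the CreateObject() call that the exploit uses to reach objects which are not safe for scripting, and a "Flash Player" lure whose link ends in .exe.

```python
import re

# CLSID of the RDS.DataSpace ActiveX control (MDAC). CVE-2006-0003 / MS06-014
# abused its CreateObject method to instantiate otherwise unscriptable objects.
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# Constructed sample landing page (hypothetical; not a capture from the campaign).
# update.example is a placeholder host.
SAMPLE_LANDING_PAGE = """
<html><body>
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="rds"></object>
<script>
  var o = document.getElementById("rds");
  var s = o.CreateObject("adodb.stream", "");
</script>
<div>Your Adobe Flash Player is out of date.
  <a href="http://update.example/install_flash_player.exe">Update now</a></div>
</body></html>
"""


def scan_landing_page(html: str) -> list:
    """Return the names of exploit-kit indicators found in an HTML page."""
    findings = []
    lowered = html.lower()

    # 1. The MDAC control is embedded by CLSID or created from script.
    if RDS_DATASPACE_CLSID.lower() in lowered:
        findings.append("rds_dataspace_clsid")
    if re.search(r"activexobject\s*\(\s*['\"]rds\.dataspace", lowered):
        findings.append("rds_dataspace_activex")

    # 2. CreateObject() on the control is used to reach objects that are not
    #    marked safe for scripting (the actual CVE-2006-0003 technique).
    if re.search(
        r"createobject\s*\(\s*['\"](adodb\.stream|shell\.application|wscript\.shell)",
        lowered,
    ):
        findings.append("rds_createobject_chain")

    # 3. Fake "update Flash Player" lure whose link points at an executable.
    if "flash player" in lowered and re.search(r"href=['\"][^'\"]+\.exe['\"]", lowered):
        findings.append("fake_flash_update_exe")

    return findings


if __name__ == "__main__":
    print(scan_landing_page(SAMPLE_LANDING_PAGE))
```

The scanner only tells you that a page is trying; whether it succeeds depends on the visitor. CVE-2006-0003 has been fixed since MS06-014 (2006), so a machine that gets infected through this path is one that has not been patched for years, which is the finding worth chasing on the endpoint side.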

There are many different variants of the scam emails. What they have in common is a financial pretext, a transaction number to look legitimate, and a link that leads to the malicious site rather than to the bank. Here are some of them:

Trojan Spy - Scam Email #1

Dear account holder,

I regret to inform you that Money Transfer sent by you or on your behalf was hold by Mazon State Bank.

Transaction ID: 1707018975
Current status of transaction: on hold

Please review transaction details as soon as possible.

Eddy W. Jackson
Treasury Management

Trojan Spy - Scam Email #2

Good afternoon,

Your Account: Business Account XXX

Wire Amount: $ 72,549.89
Transaction Report: View

The wire transfer will be processed within 2 hours. Please make sure that everything is as you requested.

ELAINE GALVAN,
Federal Reserve Wire Network

Trojan Spy - Scam Email #3

Dear Account Holder,

I regret to inform you that Domestic Wire Transfer initiated by you or on your behalf was hold by Hinsdale Bank Trust Co.

Transaction ID: 1703559264
Current status of transaction: pending

Please review transaction details as soon as possible.

Sally Thorpe
Accounting Manager
Hinsdale Bank Trust Co
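The three samples above can be triaged mechanically. The following Python script is an added example, not code from the original post or from Emsisoft: it parses a constructed sample email modelled on scam #2 (bank.example, victim.example and the TEST-NET address 203.0.113.45 are placeholders), extracts the links from the HTML body, and flags the lure phrases used in this campaign together with links whose host is a bare IP address or lies outside the sender's domain. Lure phrases alone would also match a real bank's mail, so the verdict requires both signals.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on scam email #2 (hypothetical; not a real capture).
# bank.example, victim.example and 203.0.113.45 are placeholders.
SAMPLE_EMAIL = """\
From: "Federal Reserve Wire Network" <wire@bank.example>
To: accounting@victim.example
Subject: Wire Transfer Report
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Good afternoon,</p>
<p>Your Account: Business Account XXX</p>
<p>Wire Amount: $ 72,549.89</p>
<p>Transaction Report: <a href="http://203.0.113.45/report/view.php?id=1707018975">View</a></p>
<p>The wire transfer will be processed within 2 hours.</p>
</body></html>
"""

# Phrases taken from the campaign samples; matched against the lower-cased body.
LURE_PATTERNS = [
    r"\bwas hold by\b",
    r"\bwire (transfer|amount)\b",
    r"\btransaction (id|report)\b",
    r"\bmoney transfer\b",
    r"\breview transaction details\b",
]


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def sender_domain(msg: Message) -> str:
    """Domain of the From: address (the display name is ignored on purpose)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_suspicious_link(href: str, sender_dom: str) -> bool:
    """Flag links to bare IP addresses or to hosts outside the sender's domain."""
    host = urlparse(href).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return True
    return not (host == sender_dom or host.endswith("." + sender_dom))


def triage_email(raw: str) -> dict:
    """Score one raw RFC 822 message against the campaign's lures and link patterns."""
    msg = message_from_string(raw)
    body = body_text(msg)
    lowered = body.lower()
    hits = [p for p in LURE_PATTERNS if re.search(p, lowered)]
    extractor = LinkExtractor()
    extractor.feed(body)
    sdom = sender_domain(msg)
    bad_links = [href for href in extractor.links if is_suspicious_link(href, sdom)]
    return {
        "sender_domain": sdom,
        "lure_hits": hits,
        "suspicious_links": bad_links,
        "verdict": "suspicious" if hits and bad_links else "clean",
    }


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
```

The sender-domain check is deliberately weak on its own: the From: header is attacker-controlled, so an attacker can spoof the bank's domain and then link to it, but that buys nothing, because the link must leave the bank's domain to reach the exploit kit. Pairing the spoofable header with the non-spoofable link destination is what makes the rule useful.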