Recent malware trends clearly show that financial gain is one of the top reasons to be on the dark side of the Internet. Countless threats targeting banking information come and go each day. Stealing banking information is now easier than ever with the availability of toolkits such as Spyeye and Zbot that allow malware authors to target banks of their choice. It is believed that trillions of dollars are deposited in Japanese banks. Furthermore, the Japanese nation is well known to be a nation of savers, thus making Japanese banks and their customers a potentially lucrative target.
A recent spam attack targeting customers of a leading bank in Japan arrives with an .exe file attachment named with the abbreviation of the bank. When we first observed this attack, we thought that it was a typical spam attack customized through Spyeye. However on closer inspection, we found that this was not the case. It is, in fact, Infostealer.Jginko.
The email appears legitimate except for the sender portion of the bank’s name in the email id, which clearly demonstrates that the email did not come from the bank as the domain in this case is not valid; it is just "co.jp". This is a second level domain and not a fully qualified domain name. The email asks the recipients to renew a "code card". The code card is a card that is provided by the bank to its customers. It contains a matrix of numbers that is used to finalize online transactions (TAN). This is a type of two-factor protection that is used to help protect against straight forward unauthorized account access or transactions. Two-factor protection is widely used by online banking systems and in some cases three-factor authentication is used. To renew the code card as requested by the email, the recipient is asked to open the attachment.
Running the attachment displays a form which the user is requested to fill in. When the form is filled in and the send button is clicked, the threat takes a screenshot and sends it to the IP address of 220.127.116.11 using a predefined user name and password. At the time of investigation, we did not see any screenshots at the remote location. This may indicate that few users are affected by the threat or that the attacker is copying and deleting data on a regular basis.
Social engineering attacks such as this one are effective against users with little security knowledge. The affected bank has posted a message on their website warning users of these types of spam attacks.