Stupid but sophisticated "Lloyds TSB" phish

Spammers are generally pretty stupid. This particular phish looks pretty normal to being with:

Customer Service department
Lloyds TSB Bank
September 26th, 2008


To all business and personal customers

We would like to inform you about recent change in Lloyds TSB terms and conditions of banking services. Lloyds TSB has updated terms and conditions for both business and personal customers. Each customer should read and accept current terms and conditions.
Failure to accept new terms and conditions may lead to blocking of current services. Such as loans, credit cards, online banking, savings accounts, bill payments. Take a moment to read through new terms and conditions. There are two convenient ways to request updated terms and conditions. You can request them by mail or use online banking to confirm the new terms of service. Please follow the link below to review and confirm updated terms and conditions.
www.lloydstsb.com/terms

Thank you for banking with the most trusted UK bank,
Lloyds TSB Customer Service Team

We know that this is a phish because a) it was sent to a harvested address and b) Lloyds TSB don't send out emails like this. So a typical next step would be to check the source code to find where the phishing site is.

So the only hypertext link in the document is to http://www.lloydstsb.com which is the real Lloyds TSB bank. A closer look shows an attempted image load from http://lloydstlb.com/images/logo_lloydstsb.gif which is the phishing site hosted on a botnet. The domain is registered to BIZCN.COM who seem to have taken over this sort of business from Estdomains.

The fake site looks pretty convincing.. even if no-one will click through to it.

The login screen looks authentic too.

The next step looks exactly like the genuine login. The "memorable information" prompt asks for 3 letters from a longer passphrase, specifically letters 1, 3 and 5.

But guess what, when you enter the information it tells you that you did it incorrectly and asks for letters 2, 4 and 6 instead. So now they have letters 1-6.

Blah blah blah..

But what's this at the bottom? Yup, more characters from the memorable phrase are needed..

Finally, a confirmation:
So, like many modern phishing sites the actually web site is very credible looking, even the domain name looks reasonable if you only glance at it. Fortunately for the intended victims, the idiots have messed up the spam and.. this time at least.. nobody will get this far.

"Colorado Business Bank - Network Security and Monitoring"

These banks get more obscure all the time, but still carry the same sort of malicious payload.

---

Subject: Colorado Business Bank - Network Security and Monitoring
From: "Colorado Business Bank Account Service" alert@cobizbank.com

COLORADO BUSINESS BANK NOTICE:

Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.
VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.

Proceed to customer service department>>

Sincerely, Everett Torres.
Copyright - Colorado Business Bank, a part of COBIZ BANK.

---

VirusTotal detections are the usual mixed bag. Most detections seem to be generic (e.g. W32/Packed_FSG.D, TR/Crypt.FSPM.Gen, Trojan.Win32.Packed.gen, TrojanDownloader:Win32/Suceret.gen!A)

FTC: Bank Failures, Mergers and Takeovers: A "Phish-erman's Special"

A timely warning from the FTC on the threat of criminals using the worldwide financial crisis to obtain banking details.. although as seen recently the payload could also be a trojan rather than a phishing attempt.

The FTC say:

If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.

They then go on to offer some excellent tips and examples of what to look out for. As I said before, it's worth warning any end-users you support of this risk because it would be relatively trivial to come up with a scam that looks very convincing indeed, and including a reference to the FTC warning might get at least some of them taking the threat seriously.

Citigroup/Wachovia "Security Certificates" trojan

These fake "security certificates" have been around for a while, but it has taken a little time for the Bad Guys to leverage the recent worldwide banking crisis. Expect to see a LOT more of these as more banks struggle or are taken over.

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks' security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read more here>>

Sincerely, Sophie Burkett.
2008 Wachovia Corporation.
All rights reserved.

The link goes to the insanely named domain commercial [dot] wachovia [dot] online [dot] financial [dot] service [dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com which is hosted on a fast-flux botnet. The target executable is InstallationPackWachovia.exe located in the root directory which triggers just a few heuristic scanners or generic detections according to VirusTotal.


If you work in IT in any kind of organisation, it is worth sending out a warning to end users to ensure that they are aware of these emails, either at work or at home. The current batch are not particularly credible, but the Bad Guys will probably keep working on their social engineering skills.