Spammers and malware distributors have started to take advantage of the breach of Dutch certificate authority DigiNotar. After the Dutch government warned that attackers had broken into the web security firm and issued hundreds of bogus certificates that could be used on websites including Google, Microsoft and Twitter, Barracuda warned of a spamming campaign targeting Royal Bank of Canada customers.
The spam message tells users that their SSL certificate has expired and that, to continue using banking services, they must update it. Checking the link shows that it points to a suspicious domain (hxxp://trsikis.com/admin/rbc.html).
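As an added illustration (not code from the original post), the Python check below applies the tell described above, a bank-branded message whose link does not point to a bank-owned domain, to a constructed copy of the lure. The trusted-domain list and the lure phrases are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the post (not the real message).
SAMPLE_EMAIL = """From: RBC Royal Bank <alerts@rbc.com>
Subject: Your SSL certificate has expired

Dear customer, your SSL certificate has expired. To continue using
online banking you must update the SSL certificate here:
https://www.rbc.com/online-banking
hxxp://trsikis.com/admin/rbc.html
"""

# Domains the bank is assumed to own (assumption for this example, not from the post).
BANK_DOMAINS = {"rbc.com", "rbcroyalbank.com"}

# Phrases characteristic of this campaign's lure (assumed wording).
LURE_PHRASES = ("ssl certificate has expired", "update the ssl certificate")

# Matches live links and defanged hxxp:// links alike.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)

def refang(url: str) -> str:
    """Turn a defanged hxxp:// link back into http:// so urlparse can read it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def registered_domain(host: str) -> str:
    """Crude last-two-labels approximation; a real filter would use a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def find_suspicious_links(email_text: str, trusted=BANK_DOMAINS) -> list:
    """Return every link whose host is not under a trusted bank domain."""
    suspicious = []
    for raw in URL_RE.findall(email_text):
        host = urlparse(refang(raw)).hostname or ""
        if registered_domain(host) not in trusted:
            suspicious.append(raw)
    return suspicious

def has_lure(email_text: str) -> bool:
    """True when the body carries the 'expired certificate' pretext."""
    text = email_text.lower()
    return any(phrase in text for phrase in LURE_PHRASES)

def classify(email_text: str) -> dict:
    """Flag a message as phishing when the lure is combined with an off-domain link."""
    links = find_suspicious_links(email_text)
    lure = has_lure(email_text)
    return {"lure": lure, "suspicious_links": links, "phishing": lure and bool(links)}

if __name__ == "__main__":
    print(classify(SAMPLE_EMAIL))
```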
The message also carries the bank's logo and the sender appears to be RBC Royal Bank; here is a screenshot of the email:
As you can see, there are two links; the second leads to a web server hosting an exploit kit that launches several attacks against the victim's operating system, including:
- Attack on Java runtime
- Attack on Adobe PDF reader
- Attack on Windows Media player
These attacks succeed only against vulnerable software versions; if one does, the victim downloads and executes Trojan.Buzus, malware that opens a backdoor on the infected machine and tries to steal various information such as personal financial data (including credit card numbers and online banking details) and passwords from various email and FTP applications (such as Trillian, Microsoft Outlook and CuteFTP). It also tries to tamper with the security settings of various security products.
To protect yourself against this kind of threat, I recommend following the NSA's “Best Practices for Keeping Your Home Network Secure”.