Jan 15 2014

An email titled RBS Bankline Password Reset Form, pretending to come from Bankline [Bankline.Administrator@natwest.com], is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. The senders use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers. Of course the RBS Bankline Password Reset Form is not from RBS or any other bank. Once the scammers and malware purveyors find a new or different scam, they will use every bank they can to try to infect as many users as they can. Normally when you see an attachment or email with a subject like RBS Bankline Password Reset Form, you automatically think that it is another phishing attempt. In this case it is not phishing but a very nasty malware/virus/trojan.

Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed specifically to steal your Facebook and other social network login details.

They have also added NatWest Bank to the banks they are spoofing to send this malware: Bankline [Bankline.Administrator@natwest.com]

*********************************************************************
This message has been scanned by the Bankline CSC SSM AV and found to be free  of known security risks.
*********************************************************************

Dear Customer Please find below your Banking Form for Bankline. Please complete Bankline Banking Form : – Your Customer Id and User Id – which are available from your administrator if you have not already received them Additionally, if you wish to access Bankline training, simply follow the link  below www.natwest.com/banklinetraining If you have any queries or concerns, please telephone your Electronic Banking Help Desk.   National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

=================================================

Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form. Fax to 0845 878 9791 or alternatively email a scanned copy of the form to banklineadministration@rbs.co.uk, on receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email. <<RBS_Bankline_Password_Reactivation.pdf>>

Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.

Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.

If you are the sole Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in an Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on 0845 300 4108 and one of our associates will be happy to assist you.

Regards

Bankline Product Support

The Royal Bank of Scotland plc, Registered in Scotland No. 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent. The Royal Bank of Scotland plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by The Royal Bank of Scotland plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.
========================================================

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

15 January 2014: RBS_Bankline_Password_Reactivation.zip extracts to RBS_Bankline_Password_Reactivation.exe. Current VirusTotal detections: 2/48. MALWR Auto Analysis:

16 January 2014: BanklineForm.zip extracts to BanklineForm.exe. Current VirusTotal detections: 1/48. MALWR Auto Analysis:

23 April 2014: BanklineForm.zip (9kb) extracts to BanklineForm.scr. Current VirusTotal detections: 4/51

This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
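The check described above can also be done on the zip attachment before anything is unzipped. The following is an added example, not part of the original post: the function names, the extension list and the sample archives are constructed for illustration, and only the two attachment file names come from this page.

```python
import io
import os
import zipfile

# Extensions Windows runs directly; .exe and .scr are the two reported on this page.
RUNNABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def inspect_zip(data):
    """Return {member name: [reasons]} for suspicious members, without extracting."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Windows drops trailing dots and spaces, so strip them before splitting.
            ext = os.path.splitext(info.filename.rstrip(". "))[1].lower()
            if ext in RUNNABLE:
                reasons.append("runnable extension " + ext)
            if info.flag_bits & 0x1:
                reasons.append("encrypted, content not inspected")
            else:
                with zf.open(info) as member:
                    magic = member.read(5)
                if magic[:2] == b"MZ":
                    reasons.append("MZ header (Windows executable)")
                elif ext == ".pdf" and magic != b"%PDF-":
                    reasons.append("named .pdf but not PDF content")
            if reasons:
                findings[info.filename] = reasons
    return findings

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed, harmless samples: the bytes only imitate file headers.
SAMPLE_EXE = make_zip({"RBS_Bankline_Password_Reactivation.exe": b"MZ" + b"\0" * 62})
SAMPLE_SCR = make_zip({"BanklineForm.scr": b"MZ" + b"\0" * 62})
SAMPLE_PDF = make_zip({"statement.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    for label, blob in (("exe", SAMPLE_EXE), ("scr", SAMPLE_SCR), ("pdf", SAMPLE_PDF)):
        print(label, inspect_zip(blob))
```

Because it reads the first bytes of each member as well as the name, the check still flags an executable that has been renamed to end in .pdf.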
