This example is an email containing the subject of “FW: Your HSBC application documents ” pretending to come from HSBC but actually coming from a look-a-like or typo-squatted domain “Luke.Gray@hsbcmail.co.uk” or “Luke.Gray@business-hsbc.co.uk” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan
They have also continued with changed behaviour we first saw last Tuesday by downloading .bin files instead of fake .png files.
This version is probably using Threadkit which is an office doc exploit builder using the Microsoft Equation Editor Exploits CVE-2017-11882 and CVE-2017-8570 and other office exploits instead of Macros. I understand that one of the exploits being used possibly uses an exploit in Adobe flash that when run crashes word and allows the shell code. I am informed that even if you are fully updated in Microsoft Office but flash player is outdated, this exploit still runs and will infect you. I am not 100% certain if protected view in Microsoft Office stops this but I believe it does. This is one reason to add additional security and make sure you set RTF files to display only and not allow editing of RTF files at all. That will stop this and any other currently known exploit from running.
You can now submit suspicious sites, emails and files via our Submissions system
From: HSBC <Luke.Gray@hsbcmail.co.uk> or HSBC <Luke.Gray@business-hsbc.co.uk>
Date: Tue 17/04/2018 12:32
Subject: FW: Your HSBC application documents
Thank you for applying online. We sent you application documentation for signing. Please note the Relationship Authority form will have to be signed by all of the relevant signatories.
What we need you to do
1. The documents are delivered through secure email via an attached file from HSBC. Please be aware this may be delivered to the spam folder.
2. When you open the document a message will appear saying the document requires phone verification. When you click the Send Code button, a code will be sent to your mobile phone.
3. Key that code in to the Code box on screen and select OK. You will now be able to complete the fields in the document as required.
4. Please note that the signature you upload needs to be a clear, current version of your standard signature which once added to the bank mandate can be used to authorise such account transactions as the paying away of funds.
5. Please ensure when you complete the form, that full names including any middle names are included.
6. When the final signatory has completed and signed the documents they will then be returned to me via secure email.
Account Opening Analyst | Operations Support, CDD | Customer Onboarding & Account Maintenance | CPB Services | Internal Extn Number: 23739522 | External Number: 01483739522 | Email: Luke.Gray@hsbc.co.uk | RBS | Avaya House | 2 Cathedral Hill | Guildford | Surrey | GU2 7YL
About this email
This email is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, error or virus free. The sender does not accept liability for any errors or omissions.
© HSBC Bank plc 2017. Registered Office: 8 Canada Square, London E14 5HQ. Registered in England – Number 14259.
HSBC Bank is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. In the Channel Islands, HSBC Bank plc. is regulated by the Jersey Financial Services Commission for Banking, General Insurance Mediation and Investment Business and licensed by the Guernsey Financial Services Commission for Banking, Insurance, Collective Investment Schemes and Investment Business. Licensed by the Isle of Man Financial Services Authority.
We maintain strict security standards and procedures to prevent unauthorised access to information about you. HSBC will never contact you by email or otherwise to ask you to validate personal information such as your user ID, password, or account numbers. If you receive such a request, please call our Online security on 0345 600 2290.
HSBC has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.
Today’s examples of the spoofed domains have switched from being registered via Godaddy as registrar using privacy protection services to using Tucows.com as registrar but still using privacy protection.
By the time I got round to investigating these ( less than 1 hour from arrival) there is no domain information available via whois, so it looks like Tucows respond very quickly to abusive registrations and cancel them immediately.
- hsbcmail.co.uk sending emails via 184.108.40.206 mail.vimezz.nl Naaldwijk Zuid-Holland NL AS49981 WorldStream B.V
- business-hsbc.co.uk sending emails via 220.127.116.11 dedi37575.hostsailor.com Amsterdam North Holland NL AS60117 Host Sailor Ltd and also sending emails via 18.104.22.168 host.connectionservers.com Schiedam Zuid-Holland NL AS62370 Snel.com B.V
This malware doc file downloads from http://ccmlongueuil.ca/seclogo.bin which is renamed .exe file ( VirusTotal) Gtag ser0417
The alternate Download location is http://guardtrack.uk/seclogo.bin
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.