You have received a new secure message from RBC Royal Bank Customer Service pretending to come from RBC Royal Bank Customer Service <firstname.lastname@example.org> is an attempt to scam you and get your bank log on details. It also is trying to infect you and is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware
This email is particularly devious, evil and crafty as it sends you to a site that at first glance you think is a phishing site ( if you are unwise enough to click any of the links in the email ). However that site also has a hidden iframe that tries to download some malware to the computer if you have a vulnerable version of Java. Then if that isn’t enough when you fill in the log in details on the page the buttons on the page appear to link to the genuine RBC bank site so hovering over the links will fool you into thinking that you are on the genuine RBC site ( see screenshot)
then the sign in button leads you to this webpage , where any of the links or the buttons download what appears to be a genuine PDF file that looks blank. That file is a malformed PDF with a script virus embedded that will infect you . This file 09.08.14report.pdf has a current VirusTotal detection rate of 5/55
These emails contain a genuine PDF file that is malformed and contains a script virus and can infect you with no action on your part by simply previewing the PDF in your browser or in the PDF reader. It depends on which version of Adobe reader you use, but older ones are definitely vulnerable to this exploit and hopefully the most recent one will be safe ( but I won’t guarantee that ) As far as I can tell they are using an exploit from 2013 that was fixed Adobe Security Bulletin and an even older one from 2010. Make sure you are using a version of Adobe reader that has been declared free from these vulnerabilities.
Please also read my previous post about this type of attack https://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details
Email looks like
You have received a secure message
This is an automated message sent by Royal Bank Secure Messaging Server.
The link above will only be active until: 09/10/2014Please click here or follow this link : https://www1.royalbank.com/cgi-bin/rbaccess/rbcgi3m01
Help is available 24 hours a day by email at email@example.com
If you have concerns about the validity of this message, please contact the sender directly. For questions about Royal Bank’s e-mail encryption service, please contact technical support at 1-800-769-2511.
First time users – will need to register before reading the Secure Message.
About Royal Bank Encryption – https://mailsafe.
© Royal Bank of Canada 2014
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened