Tag Archives: HSBC

Fake HSBC payment details delivers Agent Tesla

My Online Security Posted on by  

A compromised site we saw yesterday delivering Hawkeye keylogger /Infostealer is being used today in an Agent Tesla campaign. I am not 100% positive it is the same bad actors involved but the distribution method, Sites and hosting companies  involved in sending the emails,  together with the email template style  ( the way they use the recipient’s email address in the subject line )   suggests it probably is. However whoever is actually sending these today are not making the same careless or stupid mistakes that we have been seeing recently with the hawkeye campaigns. They are using email addresses and Continue reading →

Fake HSBC “FW: Account Review” delivers Trickbot

My Online Security Posted on by  

We are back to a more complicated or involved Trickbot download campaign today with links in the email to download the XLS file instead of attachments. This malware campaign delivery method was first mentioned on 22 October 2018 when I missed the onslaught.   These do tend to have a much shorter “shelf life” or campaign duration than the more usual office file attachment version, sometimes only between a few minutes and 2 or 3 hours, but in that very short period of time hundreds if not thousands of victims can still be infected. This is because it is much easier Continue reading →

Fake HSBC “Are all above transactions recognisable to you” delivers malware

My Online Security Posted on by  

I haven’t seen Dridex banking trojan hitting the UK in absolutely ages. In fact I can’t remember when I last saw one. This is detected as Dridex by some VirusTotal detections but online sandbox analysis aren’t showing typical Dridex SSl connections, so I am not sure exactly what this is. Update: I am informed reliably that it is Gozi/ Ursnif Banking trojan An email with the subject of  “Are all above transactions recognisable to you”  pretending to come from   HSBC Protection Support but actually coming from mail@rockinghamdental.com  with a link in the email body going to https://rockinghamdental.com/main.php?YHKeGpEamn4XDDA45X%2FX58xslDwVkwOIlhvoXlCIsjs1oacGQ6f7%2Ffq5ljqjDQvnt45QJjDuum5wJUNrVDOXq5rfskJnM3a6ZYlmYvi8zZevaVtFLU8q5y5Mb%2FFv4XrwoosR0%2BY%2BzdzN6fdoJC6Mr9eo4lDT0NfeTQbMd5oNiC0Wjpvlcm2c5HNvNMOufQ7dPcFrZf8I%2FeC4Sz%2BXQpnHLOZquT4FT9FyLQas1%2BbjXo8%3D  where a file is downloaded. Transaction_Log.exe Continue reading →

Trickbot via Fake HSBC “Incoming high value CHAPS payments” emails

My Online Security Posted on by 2

This example is an email containing the subject of “Incoming high value CHAPS payments” pretending to come from HSBC but actually coming from “Olivia.Brown@hsbcemail.net” which is a look-a-like,  typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site,  with a malicious word doc attachment  is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan There is something different about the network connections being shown in the Anyrun report today. It looks like Trickbot might have updated with new modules  and injects. You can now submit suspicious sites, emails and files via Continue reading →

Trickbot delivered via Fake HSBC Payment Advice using activeX controls in word macros

My Online Security Posted on by  

Another pretty lame email from the Trickbot gang again today. Some days I really don’t understand this gang of criminals. They go to the bother of registering various look a like domains to send the emails from, so they might stand a better chance of fooling recipients.  They then create very effective macro enabled word docs using all sorts of tricks to avoid detection & install on the victim’s computer.  Then they go and send a stupidly lame email with no proper body content that absolutely screams this is a scam do not open me or do anything. The body Continue reading →

Fake HSBC “Important : Troubles processing BACs payment ” delivers Trickbot

My Online Security Posted on by  

This example is an email containing the subject of “I have securely shared file(s) with you” pretending to come from HSBC  but actually coming from “James.Holand@hsbcbacs.co.uk” which is a look-a-like,  typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site,  with a malicious word doc attachment  is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan You can now submit suspicious sites, emails and files via our Submissions system Email Details From: HSBC <James.Holand@hsbcbacs.co.uk> Date: Thu 26/07/2018 13:57 Subject: Important : Troubles processing BACs payment Attachment: BACs.doc Body content: Good Morning, Continue reading →

Fake HSBC Payment Advice delivers Trickbot via equation editor exploits

My Online Security Posted on by  

This example is an email containing the subject of “Payment Advice ” pretending to come from HSBC UK but actually coming from a look-a-like or typo-squatted domain “noreply@hsbc-paymentadvice.co.uk” or “noreply@hsbcpaymentadvice.co.uk” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan This version is probably using Threadkit which is an office doc exploit builder using the Microsoft Equation Editor Exploits CVE-2017-11882 and/or CVE-2017-8570 and other office exploits instead of Macros. I understand that one of the exploits being used possibly uses an exploit in Adobe flash that when run crashes word Continue reading →

Hawkeye Keylogger via Fake Pending Balance////// HSBC SWIFT COPY malspam

My Online Security Posted on by  

An email with the subject of   Pending Balance////// HSBC SWIFT COPY pretending to come from Zomosun Accountant <wgsss@sss.com.pk>   with a zip attachment  which contains Hawkeye Keylogger  ISRstealer Update: I am informed it is iSRstealer not Hawkeye keylogger They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. You can now submit suspicious sites, emails and files via our Submissions system swift message HSBC—23-04-2018.SCAN.gz.zip : Extracts to:   swift Continue reading →

Fake HSBC Your HSBC application documents delivers Trickbot via Microsoft Equation Editor Exploits

My Online Security Posted on by 2

This example is an email containing the subject of “FW: Your HSBC application documents ” pretending to come from HSBC but actually coming from a look-a-like or typo-squatted domain “Luke.Gray@hsbcmail.co.uk” or “Luke.Gray@business-hsbc.co.uk” with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan They have also continued with changed behaviour we first saw last Tuesday by downloading .bin files instead of fake .png files. This version is probably using Threadkit which is an office doc exploit builder using the Microsoft Equation Editor Exploits CVE-2017-11882 and CVE-2017-8570 and other office Continue reading →

Fake HSBC USA SWIFT Transfer (103) 37B2308302 delivers Pony- Fareit trojan

My Online Security Posted on by  

An email with the subject of  SWIFT Transfer (103) 37B2308302 pretending to come from HSBC Bank USA   with a zip attachment  which contains another version of the new pony /fareit trojan that needs user interaction before it does anything. Just running this malware on a computer does nothing initially. It sleeps until you perform some actions like opening a folder or starting a program. Then it springs into life and starts to steal all your information. This email has a .arj attachment ( a sort of zip file ) that extracts to a .exe. ARJ files don’t natively open in Continue reading →