Message looks genuine, many users could fall for the trick

Oct 31, 2014 16:51 GMT

Emails claiming to come from the Bitstamp exchange inform users that the digital currency trading service has changed its bank account details, pointing to an attached file for more information.

The message is carefully crafted and could fool even the more suspicious users of the service.

Message shows powerful social engineering skills

With the sender’s address spoofed so that the message appears to have been sent automatically by Bitstamp’s notification service, and a signature from the exchange’s CEO, Nejc Kodric, users would have a tough time spotting the deceit.

Even the email body is constructed to allay suspicion, showing that skillful social engineers are behind the campaign.

Apart from a short note informing recipients that the bank details have changed and pointing to the attachment for further details, the message lets customers know that the old bank account is still valid and accepts transfers.

To make it all look legitimate, the email refers to SEPA transfers, reminding the recipient that they regularly take up to three business days to complete.

Researchers at ThreatTrack caught the email sample and determined after analysis that the attachment delivered the Upatre malware downloader, which then installs the Dyre banking Trojan on the system.

The banking Trojan is popular among cybercriminals

Also known as Dyreza, the malware has been used in multiple campaigns lately, and its configuration file keeps gaining new targets, including bank websites and the log-in pages of Bitcoin exchange services, Bitstamp among them.

In a recent discovery, researchers at security consulting firm CSIS in Denmark saw it add websites for banks in Switzerland.

They noticed that the cybercrooks relied on a vulnerability in Windows that has been employed by the Russian group Sandworm in a recent cyber-espionage operation.

In the current spam campaign, the delivery is less sophisticated: the crooks simply use an SCR executable file named “bank details” to deploy the malware dropper, which in turn pulls in the banking Trojan.

Spotting the malicious intent

It is unclear if this attack has been deployed specifically to compromise the systems of Bitstamp users, but judging by the way the message is constructed, it would appear so.

Users are generally advised to look for clues that would reveal the scam attempt, but in this case, these are not obvious.

However, one way to realize the deceit is to look at the attached document, which, first of all, arrives as an archive, something legitimate businesses rarely do when sending account information to their customers.

Another hint would be the fact that the extracted file does not have the extension of a regular document. More experienced users should quickly spot the risk of opening an SCR file, a Windows executable format associated with screensaver applications.
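The clues above (a sender address that does not match the real envelope sender, an archived attachment, and an SCR executable hiding inside it) can be checked automatically before a user ever opens the file. The following script is an added example written for this article; it is not code from the original page, from Bitstamp, or from ThreatTrack. The message it analyzes is constructed inline to resemble the lure, and the addresses, domains, file names and the list of executable extensions are assumptions for illustration, not indicators taken from the real campaign.

```python
"""Triage an e-mail for the lures described above: a spoofed sender and an
archived attachment hiding a Windows executable (here, an SCR file).

Added example, not code from the original article or from Bitstamp/ThreatTrack.
The sample message is constructed inline; addresses, domains and file names
are assumptions for illustration only.
"""
import email
import email.policy
import email.utils
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows treats as executable code (assumed list, not exhaustive);
# SCR is the screensaver executable format used in this campaign.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "lnk"}
ARCHIVE_EXTENSIONS = {"zip"}
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with


def domain_of(address) -> str:
    """Return the lower-cased domain of an address such as 'Name <user@host>'."""
    _, addr = email.utils.parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def extension_chain(filename: str) -> list:
    """Split 'bank details.pdf.scr' into ['pdf', 'scr'] so double extensions show up."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_archive(blob: bytes, container: str) -> list:
    """List suspicious members of a ZIP attachment without executing anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            exts = extension_chain(info.filename)
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                findings.append(f"{container}: member '{info.filename}' has executable extension .{exts[-1]}")
            if len(exts) > 1:
                findings.append(f"{container}: member '{info.filename}' uses a double extension")
            # Read only the first two bytes: a PE file is executable whatever its name says.
            with zf.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    findings.append(f"{container}: member '{info.filename}' starts with an MZ (PE) header")
    return findings


def analyze_message(raw: bytes) -> dict:
    """Return the suspicious indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    # A spoofed From usually does not match the envelope sender recorded in Return-Path.
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        findings.append(f"From domain '{from_domain}' differs from Return-Path domain '{return_domain}'")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = extension_chain(name)
        blob = part.get_payload(decode=True) or b""
        if exts and exts[-1] in ARCHIVE_EXTENSIONS:
            findings.append(f"attachment '{name}' is an archive")
            if zipfile.is_zipfile(io.BytesIO(blob)):
                findings.extend(inspect_archive(blob, name))
        elif exts and exts[-1] in EXECUTABLE_EXTENSIONS:
            findings.append(f"attachment '{name}' has executable extension .{exts[-1]}")
        if blob[:2] == PE_MAGIC:
            findings.append(f"attachment '{name}' starts with an MZ (PE) header")

    return {"risky": bool(findings), "findings": findings}


def build_sample_message() -> bytes:
    """Constructed lookalike of the lure: spoofed sender, ZIP holding 'bank details.scr'."""
    fake_scr = PE_MAGIC + b"\x90" * 62  # stand-in PE stub, not real malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bank details.scr", fake_scr)

    msg = EmailMessage()
    msg["From"] = "Bitstamp <noreply@bitstamp.example>"  # assumed spoofed display address
    msg["Return-Path"] = "<bounce@mail-relay.example>"   # assumed real envelope sender
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Bank account details changed"
    msg.set_content("Please see the attached file for the new bank details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="bank details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in analyze_message(build_sample_message())["findings"]:
        print(line)
```

The archive is inspected with the standard library only and no member is ever written to disk or executed; checking the first two bytes of each member catches an executable even when it has been renamed to look like a document, which is why the MZ check runs in addition to the extension check.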