Select Page

Cyren Security Blog

Malware Campaign in the Name of Wells Fargo

For Commtouch’s email security labs, phishing emails allegedly coming from well-known large consumer banks are a common sight. A little less common is the campaign we saw in the last 24 hours: Containing the subject line “IMPORTANT Documents – WellsFargo”, emails coming from the addresses service@wellsfargo.com or docs@wellsfargo.com did not try to phish users’ sensitive data from customers of Wells Fargo, one of the largest consumer banks in the United States – instead they served to deliver malware.

Fake wells Fargo email delivering malware

Fake wells Fargo email delivering malware

The wave started yesterday morning, July 15, 2013, at approximately 9 a.m. Eastern Time (1 p.m. GMT). Since the campaign’s start, it has been responsible for 80 percent of all virus outbreaks detected by Commtouch. The emails contained an attachment, consisting of a Zip folder which contained a file disguised as a PDF but which actually was an executable (.exe) which when clicked on is activated on Windows systems and installs a member of the Tepfer family of trojans. The malware embeds itself in the system, starts automatically and is capable of downloading additional malware on the user’s computer. One of the peculiarities of Tepfer is that it contains a list of popular passwords which it tests against various accounts on the target system, targeting particularly email accounts and FTP accounts. More than 50 percent of the emails came from US IP addresses, another five percent from Candian ones, other top sources of the campaign were the United Kingdom and Germany.

Other malware campaigns

Another malware campaign observed in the past 24 hours came in the name of another major US bank, the Bank of America. The emails had the subject line „Merchant Statement“ and the sender “Bank of America” noreply@bankofamerica.com. The attachment was alleged to contain a bank statement and also contained a trojan. A third wave came with the subject line “BACS ADDACS Advice Report”, allegedly sent by the British financial service provider BACS. These emails also delivered a Tepfer variant.

Commtouch’s virus outbreak detection services monitor such campaigns in real-time and detect these virus ouitbreaks usually within seconds of their first appearance. Commtouch’s partners and their customer are therefore protected almost right from the start of a malware campaign.

You might also like

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021. During this period, we detected a total of 47,076 URLs for...