Geekzone: technology news, blogs, forums
Oriphix
#116808 10-May-2013 18:15

This is a new trojan that attacked our customer today.

Its the Citybanks website, there emails got spoofed. Apparently this isn't the only time this has happened to them

Very nasty. Got past Google Postini & MailMarshal.

http://www.onlinethreatalerts.com/article/2013/5/8/citibank-paymentech-electronic-merchant-billing-statement-malicious-trojan-horse-email/

If you get an email with the subject: Merchant Statement

Please hold Shift + Delete key to get rid of it.

DO NOT OPEN IT!! 

In our case it came through as a Word doc and users, being users, opened it.

This virus takes personal information and sends it back to the creator from what we found.

BlakJak
  #815421 10-May-2013 19:03

Firstly, the word is 'Trojan'...

Secondly, clearly if you are not a Citibank customer (as the vast majority of recipients will not be), you should immediately consider the attachment suspect. (Spelling the bank's name correctly is worthwhile in terms of the likelihood of being found by search engines, etc.) (By extension this has been true for every phishing scam or impersonate-an-organisation malware distribution since the idea was invented.)

Thirdly, if you haven't already, submit your sample to the AV vendor that failed to pick it up, and help draw to their attention the false negative, so that they can update their filters and ensure that their other subscribers will be subsequently protected.

Fourthly, if you are going to post here every time a malware creator creates a new variation of the same idea, it'll become a full-time job. The bottom line is simple: you don't open attachments from unknown return addresses, from people you don't know, or any executable you're sent and are not expecting. Learning how to inspect the message headers and verify that it did in fact come from where it claims to come from is also a good skill to have.



Edit: Spelling correction.
gzt
  #815680 11-May-2013 10:56

Oriphix: Its the Citybanks website, there emails got spoofed. Apparently this isn't the only time this has happened to them

Has CityBank's website been compromised? If not then you need to think about how your advisory could be misinterpreted.

freitasm
  #815707 11-May-2013 11:57

Oriphix: Its the Citybanks website, there emails got spoofed. Apparently this isn't the only time this has happened to them


The Trojan obviously arrived via email, so it's not "the Citybanks (sic) website", because their website is not even involved in that malware distribution, only their name.

Spoofing a sender address is very easy. Also, anyone can grab a logo image and put it in an email. This doesn't make an email "official" and doesn't make a website less secure.

So rephrasing that would be "Some malware is being distributed via email, using a fake Citibank address. This is not the first time scammers have used the Citibank brand and it won't be the last time. They do this with other banks as well, so I won't raise an alert if a new malware comes with Kiwibank, ANZ, BNZ or something else. Enough to say: just don't open unsolicited attachments, don't open notices from banks you have no business with, don't install software from any source not approved by your IT administrators."

That does it.
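BlakJak's point about learning to inspect message headers, and freitasm's point that a sender address is trivially spoofed, are illustrated by the following added example. It is not code from the thread or from any of the vendors named above. It first builds a message in the style described (a "Merchant Statement" lure with a forged From: line and a .doc attachment), then parses it back and lists the header mismatches a reader, or a mail-gateway rule, would notice. Every hostname, address and IP in it is constructed for the example; the checks are plain header inspection and do not replace SPF/DKIM/DMARC evaluation at the MTA.

```python
"""Added example: forge a From: header, then show what header inspection reveals."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample data; none of these hosts or addresses are real.
LURE_BODY = "Please find attached your merchant statement."
FAKE_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 28  # OLE2 magic plus padding, not a real document

_RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
RISKY_EXTENSIONS = {"doc", "docm", "xls", "xlsm", "exe", "scr", "zip", "js"}


def build_spoofed_message() -> bytes:
    """Anyone can put whatever they like in From:. Nothing here proves the bank sent it."""
    msg = EmailMessage()
    msg["From"] = "Citibank Paymentech <merchantservices@citibank.example>"
    msg["To"] = "victim@customer.example"
    msg["Subject"] = "Merchant Statement"
    msg["Reply-To"] = "statements@mailbox-relay.example"
    msg["Message-ID"] = "<20130510.1234@bulkmailer.example>"
    msg.set_content(LURE_BODY)
    msg.add_attachment(FAKE_DOC, maintype="application", subtype="msword",
                       filename="Merchant_Statement.doc")
    # Trace headers the receiving relays would prepend (most recent hop first); constructed.
    received = [
        "from mx.customer.example (mx.customer.example [192.0.2.10]) by mail.customer.example",
        "from bulkmailer.example (unknown [203.0.113.77]) by mx.customer.example",
    ]
    trace = ["Return-Path: <bounce@bulkmailer.example>"] + [f"Received: {r}" for r in received]
    return ("\r\n".join(trace) + "\r\n").encode() + msg.as_bytes()


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def inspect_headers(raw: bytes) -> dict:
    """Parse a raw message and list the mismatches a careful reader should notice."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain(msg.get("From"))
    findings = []

    # 1. Envelope sender (Return-Path) versus the displayed From: domain.
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"return-path domain {rp_domain} != from domain {from_domain}")

    # 2. Replies quietly redirected to a third domain.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} != from domain {from_domain}")

    # 3. Message-ID minted by a system other than the claimed sender's.
    mid_domain = str(msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    if from_domain and mid_domain and not _under(mid_domain, from_domain):
        findings.append(f"message-id domain {mid_domain} != from domain {from_domain}")

    # 4. Received chain: the bottom-most hop is where the mail entered the
    #    recipient's infrastructure, so its 'from' host should belong to the sender.
    hops = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(str(value).strip())
        if m:
            hops.append((m.group(1).lower(), m.group(2) or ""))
    if hops and from_domain:
        entry_host, entry_info = hops[-1]
        if not _under(entry_host, from_domain):
            findings.append(f"entry hop {entry_host} ({entry_info}) is not under {from_domain}")

    # 5. Macro-capable or executable attachments on an unsolicited message.
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [n for n in attachments if n.lower().rsplit(".", 1)[-1] in RISKY_EXTENSIONS]
    if risky:
        findings.append("risky attachment(s): " + ", ".join(risky))

    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "received_hops": hops, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for line in inspect_headers(build_spoofed_message())["findings"]:
        print("-", line)
```

The order of the Received chain matters: each relay prepends its own header, so the last one in the list is the first hop the recipient's side saw, and the ones above it are the recipient's own relays. Reading only the top hop, which is always your own server, tells you nothing.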
gzt
  #815711 11-May-2013 12:13

Payload is a Word document. Not a lot of point being concerned about what came in the window when the door is left open. From an admin perspective you want to question your patch inventory.