Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


516 posts

Ultimate Geek

#116808 10-May-2013 18:15

This is a new trojan that attacked our customer today.

Its the Citybanks website, there emails got spoofed. Apparently this isn't the only time this has happened to them

Very nasty. Got past Google Positini & MailMarshal.

If you get a email in the subject saying: Merchant Statement

Please hold Shift + Delete key to get rid of it.


In our case it came through as a word doc and users being users opened it.

This virus takes personal information and sends it back to the creator from what we found.

Create new topic
794 posts

Ultimate Geek


  #815421 10-May-2013 19:03
Send private message

Firstly, the word is 'Trojan'...

Secondly, clearly if you are not a Citibank customer (as the vast majority of recipients will not be), you should immediately consider the attachment suspect. (spelling the banks' name correctly is worthwhile in terms of the likelyhood of being found by search engines, etc) (By extension this has been true for every phishing scam or impersonate-an-organisation malware distribution since the idea was invented.)

Thirdly, if you havn't already, submit your sample to the AV vendor that failed to pick it up, and help draw to their attention the false negative, so that they can update their filters and ensure that their other subscribers will be subsequently protected.

Forthly, if you are going to post here every time a malware creator creates a new variation of the same idea, it'll be come a full time job. The bottom line is simple, you don't open attachments from unknown return addresses, from people you don't know or any executable you're sent and not expecting. Learning how to inspect the message headers and verify that it did infact come from where it claims to come from, is also a good skill to have.

Edit: Spelling correction.

No signature to see here, move along...


11677 posts

Uber Geek

Lifetime subscriber

  #815680 11-May-2013 10:56
Send private message

Its the Citybanks website, there emails got spoofed. Apparently this isn't the only time this has happened to them

Has CityBank's website been compromised? If not then you need to think about how your advisory could be misinterpreted.


BDFL - Memuneh
68838 posts

Uber Geek

Lifetime subscriber

  #815707 11-May-2013 11:57
Send private message

Oriphix: Its the Citybanks website, there emails got spoofed. Apparently this isn't the only time this has happened to them

The Trojan obviously arrived via email, so it's not "the Citybanks (sic) website", because their website is not even involved in that malware distribution, only their name.

Spoofing a sender address is very easy. Also anyone can grab a logo image and put in an email. This doesn't make an email "official" and doesn't make a website less secure.

So rephrasing that would be "Some malware is being distributed via email, using a fake Citibank address. This is not the first time scammers use the Citibank brand and it won't be the last time. They do this with other banks as well, so I won't raise an alert if a new malware comes with Kiwibank, ANZ, BNZ or something else. Enough to say just don't open unsolicited attachments, don't open notices from banks you have no business with, don't install software from any source not approved by your IT administrators."

That does it.



These links are referral codes


Geekzone broadband switch | Eletcricity comparison and switch | Hatch investment (NZ$ 10 bonus if NZ$100 deposited within 30 days) | Sharesies | Mighty Ape | Backblaze | Coinbase | TheMarket | My technology disclosure


11677 posts

Uber Geek

Lifetime subscriber

  #815711 11-May-2013 12:13
Send private message

Payload is a word document. Not a lot of point being concerned about what came in the window when the door is left open. From an admin perspective you want to question your patch inventory.

Create new topic

News »

Vodafone enables 5G roaming - for when international travel comes
Posted 30-Oct-2020 15:03

Spark awards funding to Kiwi businesses in 5G funding initiative
Posted 30-Oct-2020 14:58

Huawei launches IdeaHub Pro in New Zealand
Posted 27-Oct-2020 16:41

Southland-based IT specialist providing virtual services worldwide
Posted 27-Oct-2020 15:55

NASA discovers water on sunlit surface of Moon
Posted 27-Oct-2020 08:30

Huawei introduces new features to Petal Search, Maps and Docs
Posted 26-Oct-2020 18:05

Nokia selected by NASA to build first ever cellular network on the Moon
Posted 21-Oct-2020 08:34

Nanoleaf enhances lighting line with launch of Triangles and Mini Triangles
Posted 17-Oct-2020 20:18

Synology unveils DS16211+
Posted 17-Oct-2020 20:12

Ingram Micro introduces FootfallCam to New Zealand channel
Posted 17-Oct-2020 20:06

Dropbox adopts Virtual First working policy
Posted 17-Oct-2020 19:47

OPPO announces Reno4 Series 5G line-up in NZ
Posted 16-Oct-2020 08:52

Microsoft Highway to a Hundred expands to Asia Pacific
Posted 14-Oct-2020 09:34

Spark turns on 5G in Auckland
Posted 14-Oct-2020 09:29

AMD Launches AMD Ryzen 5000 Series Desktop Processors
Posted 9-Oct-2020 10:13

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.