Fake Chase Bank invite delivers password stealer

Jun 17, 11 Fake Chase Bank invite delivers password stealer

by David Michmerhuizen & Luis Chapetti – Security Researchers

Chase Paymentech logo

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs.  Even if the sender isn’t suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload.  Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done.  The only suspicious element is that the From: address is not Chase bank, an unusual failure given how easy it is to fake the From: field in an email.

Chase Paymentech spam
Fake Chase Paymentech email

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document.   That Word document is what indirectly delivers the malware payload.

Vulnerabilities in Microsoft Word have mostly been patched or mitigated, and it’s been years since Word document attachments were something most users had to worry about. While users have become more suspicious of programs that must be downloaded and run, they’re more likely to open a document which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe’s Flash player can be exploited by embedding the malicious Flash file into a Word document.  This takes users who aren’t likely to suspect a Word document of malicious intent and puts them at risk if they open it.

That’s what happens here.  If you open the attached merchant_info.doc, you can’t see the Flash control embedded in the document.  You really don’t see much of anything for the minute or two that it takes the Flash code to download and install malware on your Windows computer.

Word document
Word document

Once the infection is accomplished, this Word document closes and you’re back to staring at the email and wondering what went wrong.   Meanwhile your computer is running Trojan.Zeus in the background.

Trojan.Zeus network traffic
Trojan.Zeus network traffic

Zeus quietly monitors your Internet traffic looking for username and password data.  It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse.  Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks.  We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.